AI-Driven Scammers Target Web3 Professionals with Malware-Laced Apps

Web3 professionals are facing serious threats from sophisticated malware campaigns, with scammers using AI-generated websites and social profiles to distribute fake meeting apps like "Meetio."


The fake apps are embedded with Realst info-stealing malware. These attacks target sensitive data, including crypto wallet credentials. The apps are suspected to be North Korea-linked, like the $50 million exploit of Radiant Capital. Meanwhile, authorities made some progress with the arrest of Dmitry V., former head of WEX, a crypto exchange tied to fraud and money laundering.

Web3 Workers Under Threat

Web3 professionals are being targeted by a sophisticated malware campaign that uses fake meeting applications to steal sensitive information, including credentials for websites, applications, and crypto wallets. According to a report by Cado Security Labs, scammers employ artificial intelligence to create legitimate-looking websites and social media profiles for fraudulent companies. 

They use these platforms to lure targets into downloading a malicious meeting app. The app was originally named "Meeten" but now goes by "Meetio," and it changes its branding frequently. It also previously operated under domains like Clusee.com, Meeten.gg, and Meetone.gg.

The application contains Realst info-stealing malware that is designed to extract critical information, including Telegram logins, banking details, and crypto wallet credentials, which are then sent to the attackers. The malware can also harvest browser cookies and autofill credentials from web browsers like Google Chrome and Microsoft Edge, and even access data related to hardware wallets like Ledger and Trezor, as well as Binance Wallet.

The campaign also employs social engineering tactics, as scammers sometimes impersonate known contacts to build trust. In one instance, a target reported being approached on Telegram by someone posing as a colleague and receiving an investment presentation stolen from their own company. Other victims shared experiences of being on calls related to Web3 projects, downloading the malicious software, and subsequently losing their cryptocurrency.

Fake meeting app (Source: Cado Security)

To boost their credibility even further, scammers established company websites populated with AI-generated blogs, product descriptions, and social media accounts on platforms like X and Medium. AI allows them to produce convincing content quickly, which makes their fraudulent operations appear legitimate and harder to detect. In some cases, their fake websites include JavaScript capable of stealing crypto stored in web browsers even before the malware is downloaded.

The campaign is targeting both macOS and Windows users and has been active for close to four months. Similar scams have been observed in the crypto space. On-chain investigator ZachXBT uncovered a group of 21 developers, believed to be North Koreans, working on projects using fake identities. In September, the FBI also issued a warning about North Korean hackers deploying malware disguised as employment offers to target crypto companies and decentralized finance platforms.

North Korean Group Behind Radiant Capital Breach

Radiant Capital revealed that the $50 million hack on its decentralized finance (DeFi) platform in October was orchestrated by a North Korea-linked hacker who infiltrated the platform using malware distributed through Telegram. The attacker posed as a trusted ex-contractor and sent a zip file to a Radiant developer on Sept. 11 under the pretense of seeking feedback on a new project. Cybersecurity firm Mandiant, contracted by Radiant, confirmed with high confidence that the attack was carried out by a Democratic People’s Republic of Korea (DPRK)-affiliated threat actor.

The malicious zip file appeared legitimate because sharing such files is routine in professional settings, and it was passed among developers, which allowed the malware to infect multiple devices.

The attackers then gained control of private keys and smart contracts, which forced Radiant to halt its lending markets on Oct. 16. The malware also spoofed the contractor’s legitimate website, deceiving the developers even more. While traditional checks and transaction simulations showed no irregularities, the attackers manipulated the front-end interface to display benign transaction data while executing malicious transactions in the background.

The threat actor was identified as “UNC4736” or “Citrine Sleet,” is associated with North Korea’s Reconnaissance General Bureau, and may be a sub-group of the notorious Lazarus Group. After the attack, the hackers moved $52 million of the stolen funds on Oct. 24. According to Radiant, even advanced security measures, including hardware wallets, simulation tools like Tenderly, and industry-standard SOPs, were insufficient against such a sophisticated threat.

Radiant TVL (Source: DefiLlama)

This incident was the second major compromise for Radiant this year, following a $4.5 million flash loan exploit in January. A crypto flash loan attack is a type of exploit in DeFi platforms where an attacker takes advantage of flash loans to manipulate market conditions or exploit vulnerabilities in smart contracts.

Flash loans are uncollateralized loans that must be borrowed and repaid in a single blockchain transaction. Attackers use these loans to execute complex sequences of actions that can, for example, manipulate the price of assets, trick smart contracts into releasing funds, or drain liquidity pools. Because the loan and repayment happen almost instantaneously, the attacker can profit without risking their own capital. 
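To make the single-transaction mechanics concrete, here is an added Python model (not from the article or any real protocol) of a flash loan that reverts unless it is repaid, alongside a lending-side check that refuses to value collateral at a spot price that has drifted from an independent reference; the pool, its reserves, and the reference price are constructed values.

```python
class Revert(Exception):
    """Simulates an EVM revert: the whole transaction is discarded."""

class Pool:
    """Toy constant-product AMM (x * y = k); its spot price doubles as a naive oracle."""
    def __init__(self, reserve_a: float, reserve_b: float):
        self.reserve_a, self.reserve_b = reserve_a, reserve_b

    def spot_price(self) -> float:  # price of 1 A in units of B
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        k = self.reserve_a * self.reserve_b
        new_a = k / (self.reserve_b + amount_b)
        out = self.reserve_a - new_a
        self.reserve_a, self.reserve_b = new_a, self.reserve_b + amount_b
        return out

def flash_loan(liquidity: float, amount: float, callback) -> float:
    """Lend `amount`, run the borrower's callback in the same tx, revert unless repaid."""
    if amount > liquidity:
        raise Revert("insufficient liquidity")
    repaid = callback(amount)  # borrower's atomic sequence of actions
    if repaid < amount:
        raise Revert("flash loan not repaid; every effect is undone")
    return liquidity - amount + repaid  # lender's balance after repayment

def guarded_value(units: float, pool: Pool, reference: float,
                  max_deviation: float = 0.05) -> float:
    """Refuse a spot price more than `max_deviation` away from an independent reference (e.g. a TWAP)."""
    spot = pool.spot_price()
    if abs(spot - reference) / reference > max_deviation:
        raise Revert(f"spot {spot:.2f} deviates from reference {reference:.2f}")
    return units * spot

def demo() -> dict:
    """Constructed scenario: borrowed funds push the pool's spot price; compare
    a naive and a guarded valuation of 10 A of collateral inside the loan."""
    pool, reference, result = Pool(100.0, 100.0), 1.0, {}  # spot starts at 1.0
    def borrower(amount_b: float) -> float:
        pool.swap_b_for_a(amount_b)
        result["naive"] = 10 * pool.spot_price()  # unguarded: inflated
        try:
            result["guarded"] = guarded_value(10, pool, reference)
        except Revert:
            result["guarded"] = "rejected"
        return amount_b  # principal handed back, so the loan itself succeeds
    flash_loan(1_000.0, 900.0, borrower)
    return result
```

Running `demo()` shows the naive valuation inflated to 1000 B while the guarded valuation is rejected, and a callback that keeps the principal makes `flash_loan` revert instead of completing.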

The series of hacks seriously impacted the platform’s standing, with its total value locked plummeting from over $300 million at the end of last year to just $6.07 million as of Dec. 9, according to DefiLlama.

Polish Authorities Detain Ex-WEX Head Dmitry V.

Although crypto crime is still an issue, authorities are working hard to bring these criminals to justice. Polish authorities arrested Dmitry V., the former chief of the Russia-based crypto exchange WEX, in Warsaw after an extradition request from the United States Department of Justice. 

Dmitry V.’s full name was withheld due to local laws. He is accused of fraud and money laundering during his management of WEX, the successor to BTC-e. The arrest was confirmed by a Polish police spokesperson, who stated that Dmitry V. is in custody and awaiting extradition proceedings. If extradited to the U.S., he could face charges carrying a maximum prison sentence of 20 years.

Dmitry V. has a history of arrests and releases across multiple countries. In August 2021, he was detained in Poland but released after 40 days. He was arrested again in Croatia in 2022 by Interpol at Zagreb Airport after an extradition request from Kazakhstan. In 2019, Italian authorities arrested him, but he was later released when errors in the extradition request were discovered.

WEX collapsed in 2018, which left approximately $450 million unaccounted for. The platform was often described as a “dark” exchange, and was notorious for its lack of identity verification and its involvement in laundering funds from high-profile crypto hacks, including the Mt. Gox breach. At its peak, WEX handled more than $9 billion in transactions from more than a million users, including many from the United States.

This latest WEX arrest happened after developments with Alexander Vinnik, the former head of BTC-e, WEX’s predecessor. Vinnik was nicknamed “Mr. Bitcoin,” and pleaded guilty to conspiracy to commit money laundering for activities between 2011 and 2017. He was arrested in Greece in 2017, and was later extradited to the U.S. in 2022 after serving two years in a French prison.