Web3 workers are being targeted by a campaign that uses fake meeting apps to inject malware and steal credentials to websites, apps and crypto wallets, Cado Security Labs warned.
Scammers are using artificial intelligence to generate and fill out websites and social media accounts to appear as legitimate companies before contacting potential targets to prompt them to download a meeting app, Cado’s threat research lead Tara Gould wrote in a Dec. 6 report.
The app is called “Meeten” but it’s currently going by the name “Meetio” and regularly changes names. In the past, it has used Clusee.com, Cuesee, Meeten.gg, Meeten.us and Meetone.gg.
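The domain list above is the kind of indicator a defender can act on immediately. The following is an added example, not code from Cado Security's report or this article: it scans constructed DNS-query log lines for the lure domains named in the article, matching subdomains of the full domains and treating the bare names (Cuesee, Meeten, Meetio) as hostname labels, since the page gives no TLD for them. The log format and client addresses are assumptions.

```python
"""Flag DNS queries for the lure domains the article lists.

Added example (not from the Cado report). Log format is assumed:
<timestamp> <client-ip> query <queried-name>
"""
import re

# Full domains named in the article; subdomains of these count as hits.
LURE_DOMAINS = {"clusee.com", "meeten.gg", "meeten.us", "meetone.gg"}

# Names the article gives without a TLD; matched as an exact hostname
# label so that unrelated names merely containing the string do not hit.
LURE_LABELS = {"cuesee", "meeten", "meetio"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-12-06T09:12:01Z 10.0.0.14 query github.com
2024-12-06T09:13:44Z 10.0.0.14 query download.meeten.gg
2024-12-06T09:15:02Z 10.0.0.22 query www.meeten.us
2024-12-06T09:16:10Z 10.0.0.22 query meetenmail.example
2024-12-06T09:17:30Z 10.0.0.31 query cdn.cuesee.app
2024-12-06T09:18:05Z 10.0.0.31 query meetings.example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)$")


def is_lure_host(name):
    """Return the lure domain or label that `name` matches, else None."""
    host = name.lower().rstrip(".")  # normalise case and trailing dot
    for domain in LURE_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    labels = host.split(".")
    for label in LURE_LABELS:
        if label in labels:  # exact label match, not substring
            return label
    return None


def find_lure_hits(log_text):
    """Parse log lines and return (timestamp, client, name, rule) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        rule = is_lure_host(m["name"])
        if rule:
            hits.append((m["ts"], m["client"], m["name"], rule))
    return hits


if __name__ == "__main__":
    for ts, client, name, rule in find_lure_hits(SAMPLE_LOG):
        print(f"{ts} {client} queried {name} (matched {rule})")
```

Full-domain matches are the higher-confidence signal; a label-only match on a common word such as "meeten" is worth a look but should be corroborated (for example by the client then fetching an installer) before it is treated as an incident, and the list should be refreshed from the vendor's current indicators since the article notes the campaign renames itself regularly.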
The app contains a Realst info stealer and, once downloaded, will hunt for sensitive items such as Telegram logins, banking card details and information on crypto wallets to send back to the attackers.
The stealer can also search for browser cookies and autofill credentials from applications like Google Chrome and Microsoft Edge, along with info on Ledger, Trezor and Binance wallets.
The scheme can involve social engineering and spoofing. One user reported being contacted on Telegram by someone they knew who wanted to discuss a business opportunity but was later outed as an impersonator.
“Even more interestingly, the scammer sent an investment presentation from the target’s company to him, indicating a sophisticated and targeted scam,” Gould said.
Others have reported “being on calls related to Web3 work, downloading the software and having their cryptocurrency stolen,” Gould added.
To help gain credibility, the scammers set up a company website with AI-generated blogs, product content and accompanying social media accounts, including X and Medium.
“While much of the recent focus has been on the potential of AI to create malware, threat actors are increasingly using AI to generate content for their campaigns,” Gould said.
“Using AI enables threat actors to quickly create realistic website content that adds legitimacy to their scams and makes it more difficult to detect suspicious websites.”
The fake websites where users are prompted to download the malware-riddled software also contain JavaScript to steal crypto stored in web browsers, even before any malware is installed.
The scammers have created both a macOS and Windows variant. Gould says the scheme has been active for about four months.
Other scammers have also been actively using these tactics. In August, onchain sleuth ZachXBT said he found 21 developers, probably North Koreans, working on various crypto projects using fake identities.
In September, the FBI issued a warning about North Korean hackers targeting crypto companies and decentralized finance projects with malware disguised as employment offers.