Fake AI Gaming Firms Target Crypto Users with Malware Scam

Cybercriminals are using fake AI and gaming firms to trick cryptocurrency users into installing malware. These fake companies use professional websites, social media presence, and direct outreach to convince victims to download what they claim is “beta software” but is actually malware designed to steal wallet credentials and other sensitive data.

The campaign, active since early 2024 and still growing, highlights the evolving tactics attackers use to bypass user skepticism and target digital asset holders.

How the Scam Works

The attackers behind this campaign have created dozens of fake AI and gaming firms, with names like Eternal Decay, BeeSync, Pollens AI, Slax, and Swox. Each has a convincing online presence:

  • Sleek websites with product descriptions
  • GitHub repositories with seemingly active code
  • LinkedIn-style team profiles and fake endorsements
  • Even whitepapers to add a sense of legitimacy

Once the facade is in place, the attackers reach out to potential victims through platforms like Telegram, Discord, and X. The message usually involves an offer to test out new AI or gaming software in exchange for cryptocurrency.

This type of approach leverages social engineering and flattery, tapping into users’ curiosity and interest in the Web3 space.

Malware Targets Both Windows and macOS Users

The malware delivery process is tailored depending on the victim’s operating system.

Windows

Users are directed to download an “Electron-based” app, which runs a Cloudflare check, profiles the system, and silently downloads an MSI installer. This second-stage payload installs a Realst-style info-stealer, which targets browser credentials, crypto wallets, and more.

macOS

Victims are given a DMG file that installs Atomic macOS Stealer (AMOS). Once active, AMOS can extract browser data, steal crypto wallet information, and search for sensitive documents. It also creates persistence through macOS Launch Agents and transmits collected data to attacker-controlled servers.
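
As a defensive check for the Launch Agent persistence described above, this added example (not from the original article or any vendor tooling) parses LaunchAgent plists and lists heuristic reasons an entry deserves review. The heuristics, labels and sample plists are constructed assumptions, not indicators from this campaign.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Heuristics picked for this example (assumptions, not indicators from the campaign).
WRITABLE = ("/tmp/", "/Users/Shared/")   # also matches /private/tmp/ and /var/tmp/
INLINE = {("sh", "-c"), ("bash", "-c"), ("zsh", "-c"), ("osascript", "-e")}

def review_agent(raw: bytes) -> list[str]:
    """Return reasons a LaunchAgent plist deserves a closer look (empty list = none)."""
    try:
        job = plistlib.loads(raw)            # accepts XML and binary plists
    except Exception:                        # a malformed agent is itself worth a look
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["top-level object is not a dictionary"]
    argv = [str(a) for a in job.get("ProgramArguments") or []]
    if job.get("Program"):                   # launchd runs Program when it is set
        argv = [str(job["Program"])] + argv[1:]
    if not argv:
        return ["no Program or ProgramArguments"]
    reasons = []
    if any(w in a for a in argv for w in WRITABLE):
        reasons.append("references a world-writable location")
    if any(p.startswith(".") for a in argv if a.startswith(("/", "~"))
           for p in PurePosixPath(a).parts):
        reasons.append("hidden path component")
    if len(argv) > 1 and (PurePosixPath(argv[0]).name, argv[1]) in INLINE:
        reasons.append("interpreter running an inline command")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons

def scan(directory: Path) -> dict[str, list[str]]:
    """Review every *.plist in a directory; return only the files with findings."""
    found = {p.name: review_agent(p.read_bytes()) for p in sorted(directory.glob("*.plist"))}
    return {name: why for name, why in found.items() if why}

# Constructed sample agents (labels and paths are made up for illustration).
SAMPLE_BENIGN = plistlib.dumps({"Label": "com.example.helper", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]})
SAMPLE_SUSPECT = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "KeepAlive": True, "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/agent"]})

if __name__ == "__main__":
    for folder in (Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")):
        for name, why in scan(folder).items():
            print(f"{folder / name}: {'; '.join(why)}")
```

A flagged entry is a prompt for manual review, not a verdict: legitimate software sometimes uses shell wrappers, and a stealer can place its agent somewhere these heuristics do not cover.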

Who’s Behind It?

The operation shares similarities with tactics used by a threat group known as Crazy Evil, previously linked to multiple malware campaigns targeting crypto users across platforms.

Notably, the group doesn’t rely on phishing emails or malicious ads. Instead, they build convincing businesses from scratch, complete with social proof and branding. In some cases, they’ve even inserted themselves into online forums and conferences using faked screenshots and doctored event appearances.

Why This Campaign Is So Dangerous

What makes this campaign particularly dangerous is the high level of professionalism involved. The fake companies created by the attackers have websites that could easily pass for legitimate startups. From polished branding to fabricated whitepapers, these operations appear credible at first glance.

Beyond the design, the attackers speak the language of the Web3 community fluently. Their messaging mimics how real developers and founders communicate online, making it harder for users to detect red flags. In some cases, attackers have even used compromised or verified social media accounts to boost their credibility further.

The threat isn’t limited to one platform or device, either. By targeting both Windows and macOS users with tailored malware, the operation casts a wide net. The offer to test software in exchange for crypto feels familiar and harmless, especially among users already involved in crypto or gaming communities. That false sense of trust is what allows these attackers to bypass suspicion and gain access to sensitive data.

How to Protect Yourself

Avoiding this type of scam requires a mix of caution, verification, and strong cybersecurity practices.

Think Before You Click

Even if a message seems friendly or casual, never download software from direct messages, especially on platforms like Telegram or Discord. Just because someone shares a link doesn’t mean it’s safe, even if it comes from a verified account.

Stick to Official Sources

If you’re interested in trying out new apps or tools, always seek them out through official app stores or repositories. Trustworthy developers don’t usually distribute software privately via chat apps.

Use Proper Security Tools

A robust antivirus or endpoint protection tool can help detect and block info-stealers like Realst and AMOS before they can do damage. Regular scans and system monitoring add another layer of defense.

Safeguard Your Crypto Assets

If you own cryptocurrency, store it in a hardware wallet rather than on the same machine you use for browsing or communication. Separating your assets from everyday use devices reduces the risk of wallet theft.

Verify Everything

When approached by someone claiming to represent a company, especially a lesser-known AI or gaming firm, do your research. Look for third-party validation, community mentions, or warnings from security sources before engaging further.

Final Thoughts

The rise of fake AI gaming firms pushing malware is a warning sign for the crypto community. Attackers are no longer relying solely on phishing emails or shady ads. They’re now mimicking real startups, building full websites, and infiltrating social platforms to catch victims off guard.

As cryptocurrency and Web3 technologies grow, so too do the risks. Stay skeptical, verify everything, and never download software from untrusted sources, especially when it promises easy money.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.