Feb 27, 2025

Hackers Pose as Web3 Firm to Drain Applicants’ Wallets

A sophisticated cybercriminal group known as Crazy Evil has orchestrated an elaborate scheme to target job seekers in the Web3 industry, tricking them into downloading wallet-draining malware.

The hackers posed as a legitimate blockchain company, “ChainSeeker.io,” advertising job openings on platforms such as LinkedIn, WellFound, and CryptoJobsList. Applicants were then funneled into a carefully designed phishing campaign that ultimately compromised their cryptocurrency wallets.

The fraudulent job listings appeared credible, featuring standard Web3 roles such as Blockchain Analyst and Social Media Manager. Once candidates applied, they received an email from a supposed chief human resources officer, directing them to communicate with a fake chief marketing officer (CMO) on Telegram. The CMO then instructed applicants to download “GrassCall,” a fake virtual meeting application, and enter a code before proceeding with an interview. Once installed, this software deployed information-stealing malware, granting the hackers access to stored crypto wallets, passwords, and authentication cookies.

GrassCall, a fake virtual meeting application. Source: Bleeping Computer

A Well-Executed Cyber Heist

Cybersecurity analysts report that the GrassCall software, offered through a website cloned from a previously used malware campaign, was tailored for both Windows and Mac users. The malware operated by installing remote access trojans (RATs) and information stealers such as Rhadamanthys on Windows and Atomic (AMOS) Stealer on macOS. Once executed, the software searched the infected device for crypto-related files, Apple Keychain credentials, and stored browser passwords.

Those who unknowingly installed the software often discovered their cryptocurrency holdings wiped within hours. According to cybersecurity researcher g0njxa, stolen credentials and wallet seed phrases were uploaded to servers controlled by the cybercrime operation, where they were quickly monetized. “If a wallet is found, passwords are brute-forced, assets are drained, and a payment is issued to the user who made the victim download the fake software,” said g0njxa. Screenshots from Telegram channels associated with Crazy Evil indicate that members of the group have collectively earned millions of dollars from similar schemes since 2021.

Victims and Industry Response

Cristian Ghita, a freelance UX developer, was among those targeted by the scam. In a LinkedIn post, he described the fraud as “extremely well-orchestrated,” noting that even the fake video-conferencing tool had a convincing online presence. Ghita and other victims have since formed a support group on Telegram to help those affected remove malware and secure their remaining digital assets.

CryptoJobsList, one of the platforms used by the attackers, has since removed the fraudulent listings and issued warnings to applicants. “The attackers will likely regroup under a different name,” Ghita cautioned. “Web3 job scams are getting more sophisticated. Always verify companies and interviewers before clicking links.”

Ongoing Threats in the Web3 Job Market

This is not the first time Crazy Evil has used social engineering to exploit the crypto industry. A 2024 report from Recorded Future linked the group to at least ten other phishing campaigns targeting decentralized finance (DeFi) professionals. These past attacks used similar methods, including fake job offers, fraudulent investment platforms, and malicious software disguised as legitimate applications.

The broader crypto sector continues to be a prime target for cybercriminals. In January, SentinelLabs identified a North Korean hacking group using email updates on DeFi trends and bitcoin prices to distribute malware disguised as PDF reports. These persistent threats highlight the need for increased vigilance and robust cybersecurity measures among professionals in the space.

For job seekers, cybersecurity experts recommend verifying prospective employers through official company websites, avoiding unfamiliar video conferencing tools, and scrutinizing unexpected requests for software downloads. The end of this specific campaign does not mean the threat has passed—attackers are likely to return under new disguises, targeting the next wave of unsuspecting applicants.


CoinRock Media covers the latest crypto news, delving into the future of money.
