Web3 job scam spreads GrassCall malware, steals crypto wallets

A sophisticated cybercrime campaign is preying on Web3 job seekers through fraudulent job interviews, distributing the ‘GrassCall’ malware to steal cryptocurrency wallets. The Russian-speaking hacking group, Crazy Evil, is behind this operation, using fake job listings and a deceptive video conferencing app to compromise victims’ devices.

The attack, orchestrated by Crazy Evil’s subgroup ‘kevland,’ involved creating a fake blockchain-focused company, ChainSeeker.io. To gain credibility, the scammers developed a seemingly legitimate website and social media presence. They then posted high-profile job listings targeting blockchain professionals on platforms such as LinkedIn, WellFound, and CryptoJobsList.

Applicants who responded were contacted via email and instructed to reach out to a fake Chief Marketing Officer through Telegram. The victims were then directed to download the ‘GrassCall’ meeting software from grasscall[.]net, which required a unique code provided by the scammer before installation.

“The website offered downloads for both Windows and Mac, and required users to enter a code provided by the scammer before proceeding,” said security researcher Anka Markovic Borak.

Upon execution, the software deployed malware designed to harvest sensitive data. On Windows devices, it installed a remote access trojan (RAT) along with an infostealer like Rhadamanthys, while Mac users were infected with the Atomic Stealer (AMOS) malware. These malicious tools enabled attackers to collect stored credentials, authentication tokens, passwords, and cryptocurrency wallet data.

Additionally, researchers found that keyloggers were deployed to capture keystrokes, further compromising victims’ systems.

The primary aim of Crazy Evil hackers was to steal cryptocurrency wallets.

Hundreds of victims have reported financial losses, with many gathering in a Telegram support group to assist one another in removing the malware from their devices. The stolen data was uploaded to cybercriminal-controlled servers, with notifications sent to private Telegram channels managed by the hacking group.

Attackers then attempted to brute-force cryptocurrency wallets and drain funds, with individual scammers earning a commission based on the value of stolen assets.

Following the exposure, CryptoJobsList took down the fraudulent job postings and issued warnings to affected applicants, urging them to scan their devices for malware. The GrassCall website has also been taken offline, but cybersecurity experts suspect that the criminals have already relaunched the scheme under a new guise, using another fake video conferencing app called ‘VibeCall.’

Fake job scams are on the rise. Recently, a malicious OpenAI job scam targeted workers in Bangladesh via Telegram. In India, a fake Food Corporation of India (FCI) job scam was used as a lure to deliver Xelera ransomware.

Last year, reports came out that Iran used fake job scams to hack aerospace institutions in Israel, UAE, and Turkey.

Experts have recommended users enable two-factor authentication (2FA), use strong and unique passwords, avoid downloading apps from untrusted sources, and verify the legitimacy of job postings before applying.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me