Crypto Professionals in the Firing Line as ClickFix Scam Spreads
June 2024 – A wave of sophisticated “ClickFix” campaigns is targeting crypto developers, investors and other industry insiders, prompting renewed calls for vigilance across the sector.
New attack vectors hit crypto talent
A cybersecurity briefing released Monday by Moonlock Lab details two fresh ClickFix‑style operations that have been directed at crypto professionals. In the first campaign, threat actors masquerade as venture‑capital firms – notably fictitious entities named SolidBit, MegaBit and Lumax Capital – and use LinkedIn to reach out with partnership or funding proposals. The conversation is then shifted to bogus Zoom or Google Meet sessions. When the victim clicks the meeting link, they are redirected to a counterfeit event page that mimics a Cloudflare “I’m not a robot” challenge. Selecting the checkbox copies a malicious shell command to the clipboard and prompts the user to open a terminal window and paste the code as a “verification” step. The command runs locally, bypassing conventional endpoint protections because the execution is performed by the victim themselves.
Moonlock Lab identified a LinkedIn profile operating under the name Mykhailo Hureiev, listed as a co‑founder of the fictional SolidBit Capital, as a primary point of contact during the initial outreach stage. Users on X (formerly Twitter) have reported receiving similar suspicious messages from accounts bearing that name. The researchers note that the infrastructure behind the operation is built to rotate personas quickly, making attribution and takedown more challenging.
The second vector centers on a hijacked Chrome extension. QuickLens, an add‑on that integrates Google Lens search directly into the browser, changed ownership on 1 February and, within two weeks, a new version appeared on the Chrome Web Store containing hidden malicious scripts. According to John Tuckner, founder of Annex Security, the compromised extension was downloaded by roughly 7,000 users before it was delisted. The malicious code carried out ClickFix attacks and also deployed a suite of information‑stealing modules. Among the data harvested were cryptocurrency wallet addresses, seed phrases, Gmail inbox contents, YouTube channel details and login credentials entered on web forms.
Why ClickFix is gaining traction
ClickFix exploits a classic social‑engineering principle: the victim becomes the execution vehicle. By forcing users to paste and run a command themselves, attackers sidestep the need for exploit code, phishing attachments, or suspicious downloads that modern antivirus and endpoint detection platforms are designed to flag. As Moonlock Lab put it, “the technique turns the victim into the final execution mechanism, effectively neutralizing many of the controls security vendors have invested in over the past decade.”
The method is not limited to the crypto space. Microsoft Threat Intelligence warned in August 2023 that ClickFix campaigns were targeting thousands of enterprise devices daily. Unit42, the threat‑research arm of Palo Alto Networks, previously documented the technique’s spread across manufacturing, retail, government and energy sectors. Its popularity surged after 2023, as adversaries recognized the low‑cost, high‑success profile of socially‑engineered command execution.
Impact on the crypto ecosystem
Crypto professionals are an especially attractive target for several reasons:
- Financial incentive – Successful extraction of seed phrases or private keys can yield immediate, high‑value payouts.
- Access to networks – Individuals working for or with VC firms often hold privileged contacts and can be leveraged for further social‑engineering attacks.
- Technical fluency – Professionals accustomed to using terminal commands may be less hesitant to follow “verification” instructions, especially when presented in a seemingly legitimate context.
The QuickLens incident also illustrates the danger of third‑party tooling. Browser extensions that integrate directly into the user’s workflow can operate with elevated permissions, granting attackers a broad view of browsing activity and the ability to inject malicious code into any visited site.
Analyst perspective
“ClickFix is a reminder that human factors remain the weakest link in any security chain,” says Dr. Elena Marquez, senior threat analyst at CipherTrace. “Even the most hardened wallets can be compromised the moment a user runs a single line of code they believe is innocuous. Organizations need to shift focus from purely technical controls to robust user education and strict verification processes for any command‑execution request.”
Security firms recommend a multi‑layered approach:
- Verify contacts – Always confirm the identity of anyone claiming to be a VC representative through independent channels before engaging in any discussion.
- Limit extension permissions – Review the permissions requested by browser add‑ons and install only from reputable developers. Periodically audit installed extensions for changes in ownership or code.
- Disable clipboard auto‑paste – Configure operating systems to prevent automatic pasting of copied content into terminals without explicit user confirmation.
- Use hardware wallets – Store private keys and seed phrases offline whenever possible to reduce exposure to software‑based theft.
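One way to carry out the extension audit recommended above, as an added example (not code from the article or from Moonlock Lab): it reads each installed extension's manifest.json from a Chrome profile's Extensions directory and diffs versions and permissions against a baseline captured at the last review, flagging permissions that expose browsing data, the clipboard or every visited site. The directory layout, the high-risk permission set, the placeholder extension id and the before/after manifests are assumptions constructed for the example.

```python
import glob
import json
import os

# Permissions that expose browsing data, the clipboard or every site visited (assumed set).
HIGH_RISK = {"clipboardRead", "clipboardWrite", "cookies", "history", "tabs",
             "webRequest", "scripting", "<all_urls>", "*://*/*"}

def permissions_of(manifest):
    """Collect API, host and content-script match permissions from a manifest."""
    perms = set(manifest.get("permissions", []))
    perms.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms

def load_installed(extensions_dir):
    """Read manifest.json from <profile>/Extensions/<id>/<version>/ (Chrome layout)."""
    found = {}
    for path in glob.glob(os.path.join(extensions_dir, "*", "*", "manifest.json")):
        with open(path, encoding="utf-8") as fh:
            found[path.split(os.sep)[-3]] = json.load(fh)
    return found

def audit(current, baseline):
    """Return (extension_id, finding) pairs for anything changed since the baseline."""
    findings = []
    for ext_id, m in current.items():
        old = baseline.get(ext_id)
        if old is None:
            findings.append((ext_id, "installed since baseline"))
            continue
        if m.get("version") != old.get("version"):
            findings.append((ext_id, f"version {old.get('version')} -> {m.get('version')}"))
        for perm in sorted(permissions_of(m) - permissions_of(old)):
            level = "HIGH" if perm in HIGH_RISK else "low"
            findings.append((ext_id, f"{level}: new permission {perm}"))
    for ext_id in sorted(baseline.keys() - current.keys()):
        findings.append((ext_id, "removed since baseline"))
    return findings

# Constructed sample: a lens-style extension before and after a suspicious update.
# The id is a placeholder, not the real QuickLens id.
BEFORE = {"placeholder_ext_id": {"name": "Lens Search", "version": "1.4.0",
          "permissions": ["activeTab", "contextMenus"]}}
AFTER = {"placeholder_ext_id": {"name": "Lens Search", "version": "1.5.0",
         "permissions": ["activeTab", "contextMenus", "clipboardWrite", "cookies"],
         "host_permissions": ["<all_urls>"]}}
```

Save the manifests dict from `load_installed` with `json.dump` after each manual review and pass it as `baseline` next time; `audit(AFTER, BEFORE)` on the sample reports the version bump and three HIGH permission additions.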
Key takeaways
| # | What happened | Implications |
|---|---|---|
| 1 | Scammers impersonated VC firms on LinkedIn, luring crypto professionals into fake video calls. | Social‑engineering attacks can now masquerade as legitimate funding opportunities. |
| 2 | Victims were directed to a counterfeit “I’m not a robot” page that copied a malicious command to their clipboard. | The ClickFix method turns the user into the execution point, bypassing traditional security tools. |
| 3 | A popular Chrome extension, QuickLens, was compromised after a change of ownership, delivering ClickFix payloads and data‑stealing scripts. | Third‑party browser tools remain a high‑risk avenue for credential and wallet theft. |
| 4 | The ClickFix technique is now observed across multiple industries, not just crypto. | The broader adoption signals a need for cross‑sector awareness and training. |
Looking ahead
As threat actors refine their ClickFix playbooks, the crypto community must anticipate a shift from pure technological defenses to heightened user awareness. The convergence of social engineering with compromised software supply chains creates a potent threat matrix that can undermine even the most secure wallets and protocols.
While the immediate impact of the two campaigns appears limited to a few thousand users, the potential for rapid scaling is high. Continuous monitoring of extension repositories, diligent verification of outreach from “investment” contacts, and reinforcing best practices around command‑line usage will be crucial steps in curbing the spread of ClickFix attacks in the crypto space.
Cointelegraph is committed to independent, transparent journalism. This article follows the outlet’s Editorial Policy and aims to provide accurate, timely information. Readers are encouraged to verify details independently. For full policy see https://cointelegraph.com/editorial-policy.
Source: https://cointelegraph.com/news/crypto-fake-vc-clickfix-attack-chrome-extension-hijack?utm_source=rss_feed&utm_medium=feed&utm_campaign=rss_partner_inbound