Crypto Scam Targets Web3 Workers with Fake Meeting Apps

Last updated:

Journalist

Hassan Shittu

Journalist

Hassan Shittu

About Author

Hassan, a Cryptonews.com journalist with 6+ years of experience in Web3 journalism, brings deep knowledge across Crypto, Web3 Gaming, NFTs, and Play-to-Earn sectors. His work has appeared in…

Last updated:

Why Trust Cryptonews

For over a decade, Cryptonews has covered the cryptocurrency industry, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas – from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews

Ad Disclosure

We believe in full transparency with our readers. Some of our content includes affiliate links, and we may earn a commission through these partnerships.

Web3 workers are being targeted by a sophisticated phishing scam that uses fake meeting apps to steal sensitive information and crypto.

According to a report by Cado Security Labs, the attackers employ AI to craft convincing websites, blogs, and social media profiles for fictitious companies.

These platforms are then used to lure victims into downloading malware-infected applications under the guise of legitimate business opportunities.

The malware, known as the Realst info-stealer, operates on macOS and Windows systems and steals credentials, financial details, and crypto wallet information.

Web3 Workers at Risk: How Are They Being Targeted?

The attackers behind this campaign have created an elaborate façade of legitimacy by establishing fake companies with names like “Meeten” and “Meetio.”

Crypto Scam Targets Web3 Workers with Fake Meeting Apps: Cado Security
Source: Cado Security

These entities change their branding frequently, cycling through domains such as “Clusee.com” and “Meeten.us.”

The scammers use AI to generate detailed websites filled with blog posts, product descriptions, and social media accounts to appear credible. These platforms mimic the professionalism of real businesses, making it challenging for victims to distinguish between legitimate and malicious actors. Once a target is identified, the attackers initiate contact through various methods, including direct messages on Telegram.

In many cases, they impersonate individuals known to the victim, using stolen personal details to bolster their claims.

For instance, some victims reported receiving messages from what appeared to be colleagues or professional acquaintances, only to discover later that the accounts were fake.

In one notable case, a victim was shown an investment presentation from their own company, which the attackers had stolen and repurposed to lend credibility to the scam.

After securing the victim’s trust, the scammers direct them to a well-designed website where they can download the purported meeting application. Unbeknownst to the victim, the software contains the Realst info-stealer, which immediately begins extracting sensitive information from the user’s device.

Even before the malware is installed, the fraudulent websites deploy malicious JavaScript to siphon crypto stored in web browsers.

How the Malware Steals Data

The Realst info-stealer is a sophisticated piece of malware that operates on both macOS and Windows systems, with versions tailored to each platform.

Crypto Scam Targets Web3 Workers with Fake Meeting Apps: Cado Security
Source: Cado Security

Once installed, it combs through the victim’s device to extract a wide range of data, including Telegram credentials, browser cookies, banking details, and cryptocurrency wallet information.

The malware targets popular browsers such as Google Chrome, Brave, and Microsoft Edge and wallet services like Ledger, Trezor, and Binance.

The malware disguises itself on macOS as a legitimate package file, often called CallCSSetup.pkg. When executed, it prompts the user for their system password under the pretence of resolving an error. It then uses this access to collect and exfiltrate sensitive data. The stolen information is compressed into a zip file and sent to remote servers controlled by the attackers.

The Windows variant, on the other hand, uses an Electron framework-based application called MeetenApp.exe. This version employs advanced obfuscation techniques, such as Bytenode-compiled JavaScript, to evade detection. Like its macOS counterpart, it collects system information and sensitive data before transmitting it to the attackers.

Both malware versions have high technical sophistication, with features designed to ensure persistence on the victim’s device and evade security tools checks.

Notably, a similar technical attack happened to the Solana ecosystem earlier this month.

A critical vulnerability was discovered in the Solana/web3.js library that can leak private keys through seemingly legitimate CloudFlare headers.

You May Also Like