Full Report
A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams that leverage a wide range of tailored lures to deceive victims and trick them into installing malware such as StealC, Atomic macOS Stealer (aka AMOS), and Angel Drainer. "Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a
Analysis Summary
# Threat Actor: Crazy Evil
## Attribution & Identity
**Identification:** A Russian-speaking cybercrime gang specializing in social media scams and cryptocurrency theft.
**Aliases/Associations:** Known on Telegram as **@AbrahamCrazyEvil**. Operates a large Telegram channel (@CrazyEvilCorp) with over 4,800 subscribers. Allegedly functions as a "traffer team" (traffic redirection specialists).
**Structure:** Comprises six reported sub-teams: AVLAND (also AVS | RG or AVENGE), TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND.
## Activity Summary
Crazy Evil has been active since at least 2021. They specialize in identity fraud, cryptocurrency theft, and information-stealing malware, often through social media scams leveraging tailored lures. They generate illicit revenue by monetizing traffic redirected to malicious landing pages operated by other criminal crews. The group is estimated to have generated over **$5 million in illicit revenue** and compromised tens of thousands of devices globally. They gained prominence following the exit scams of groups like Markopolo and CryptoLove, which were previously associated with the ClickFix campaign. They focus on stealing digital assets, including **NFTs, cryptocurrencies, payment cards, and online banking accounts**.
## Tactics, Techniques & Procedures
- **Social Engineering:** Executes over 10 active social media scams utilizing tailored lures.
- **Traffic Redirection ("Traffing"):** A core function involves redirecting legitimate traffic to malicious phishing/landing pages to generate leads for botnet operators.
- **Bespoke Spear-Phishing:** Explicitly victimizes the cryptocurrency space using custom-made spear-phishing lures.
- **Reconnaissance:** Traffers sometimes spend days or weeks on reconnaissance to scope an operation and identify targets.
- **Malware Distribution:** Orchestrates attack chains delivering information stealers and wallet drainers.
- **Affiliate & Instructional Model:** Claims to offer instruction manuals, guidance for traffers, and crypter services for malicious payloads, and boasts an affiliate structure.
- **Platform Exploitation (Telegram):** Centralizes operations around Telegram, using a custom bot to direct affiliates to private channels for payments, attack logs (`Logbar`), and technical updates (`Info`).
- **Disguised Distribution:** Propagates malware by presenting malicious tools as legitimate software via phony websites.
## Targeting
**Sectors:** Cryptocurrency ecosystem, Decentralized Finance (DeFi).
**Geography:** Global (tens of thousands of devices compromised globally).
**Victims:** Windows and macOS users exposed to cryptocurrency theft, NFT/crypto asset theft, and banking credential compromise. Operations attributed to individual sub-teams target users with investment and job scams built around specific (fake) applications.
## Tools & Infrastructure
**Malware Families Used:**
- StealC
- Atomic macOS Stealer (AMOS)
- Angel Drainer
- Lumma Stealer
- SectopRAT
- Vidar Stealer
- Cobalt Strike Beacon
**Infrastructure:**
- **Phony Websites:** Used to trick victims into downloading malware (e.g., **voxium\[.\]com** used by AVLAND for the Voxium lure).
- **GitHub:** Used to host malicious installers for payload deployment (overlaps with Stargazer Goblin techniques).
- **Compromised WordPress Sites:** Over 10,000 compromised sites used for client-side attacks distributing AMOS and SocGholish via injected JavaScript iframes.
## Implications
Crazy Evil poses a significant, evolving threat to the decentralized finance ecosystem due to its dual focus on Windows and macOS users. Their operation as a sophisticated "traffer" team makes them an enabler for other criminal operations, providing high-quality, clean traffic for malicious campaigns. Their use of diverse, modern stealers (e.g., StealC, AMOS) and reliance on sophisticated social engineering and infrastructure diversity (websites, Telegram, GitHub) indicates a professional and resilient criminal enterprise.
## Mitigations
- **Traffic Monitoring:** Implement client-side security monitoring to detect suspicious JavaScript loading or iframe creation on trusted websites (like compromised WordPress sites).
- **Security Awareness:** Train users, especially in crypto/DeFi spaces, to be highly skeptical of unsolicited social media contact and job/investment offers related to Web3 tools that require downloading executables.
- **Endpoint Protection:** Utilize robust endpoint detection and response (EDR) solutions capable of detecting common information stealers (StealC, AMOS, Lumma) across Windows and macOS.
- **Payload Verification:** Scrutinize software downloaded from unexpected sources or developer collaboration platforms like GitHub, especially if they promise communication tools or updates.
- **Telegram Monitoring:** Security teams, including those monitoring insider threats, should be aware that the group's command and control, affiliate management, and attack-log auditing run through Telegram bots and private channels.
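As an added example (not part of the original report or the group's tooling), a small Python check a site owner could run over their own page HTML to flag `<iframe>` and `<script>` loads from hosts outside an allowlist, the kind of injection the compromised WordPress sites above were used for and the client-side monitoring the first mitigation calls for; the allowlisted hostnames and the sample HTML are constructed.

```python
"""Flag iframe/script sources that load from hosts outside an allowlist.

Added example, not from the original report. Hostnames and HTML are constructed.
The same allowlist would normally be enforced in-browser via a Content-Security-Policy
with frame-src / script-src directives; this scan is an out-of-band check of served pages.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect (tag, src) for every <iframe> and <script> that has a src attribute."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.found.append((tag, src))


def find_untrusted_loads(html, allowed_hosts):
    """Return (tag, src) pairs whose host is not in allowed_hosts.

    Relative URLs (no host) are treated as same-origin and accepted; data: and
    javascript: sources carry no host but are flagged, since they are a common way
    to smuggle an injected frame or loader past a host-based check.
    """
    parser = _SrcCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    suspicious = []
    for tag, src in parser.found:
        parsed = urlparse(src.strip())
        # Strip userinfo and port so "user@host:443" compares as "host".
        host = parsed.netloc.lower().rsplit("@", 1)[-1].split(":")[0]
        if not host:
            if parsed.scheme in ("data", "javascript"):
                suspicious.append((tag, src))
            continue
        if host not in allowed:
            suspicious.append((tag, src))
    return suspicious


# Constructed sample: two legitimate loads, then a hidden iframe and a protocol-relative
# loader pointing at hosts the site owner never approved (.invalid TLD, never resolvable).
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.trusted.example/lib.js"></script>
</head><body>
<iframe src="https://injected.invalid/update.html" style="display:none"></iframe>
<script src="//tracker.invalid/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, src in find_untrusted_loads(SAMPLE_HTML, {"cdn.trusted.example"}):
        print(f"untrusted {tag} load: {src}")
```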