Crazy Evil, a group of crypto scammers, exploit NFTs and cryptocurrencies with malware targeting influencers and tech professionals
Analysis Summary
# Threat Actor: Crazy Evil
## Attribution & Identity
The threat actor is a well-known Russian crypto scamming group. It operates as a collective of social engineering specialists known as a 'traffer team.' The organization comprises six identified subteams: AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND. The group maintains a presence on low-tier dark web forums and operates a public Telegram channel with over 3,000 followers, alongside private channels for operations.
## Activity Summary
Active since 2021, Crazy Evil specializes in social engineering attacks targeting the cryptocurrency, NFT, smart contract, and Web3 sectors. Their primary objectives are digital asset theft, identity fraud, and spreading infostealers by redirecting traffic to malicious landing pages. The group is estimated to have generated over $5 million in illicit revenue and infected tens of thousands of devices globally. Their activity may have increased as other crypto scam gangs, such as 'Marko Polo' and 'CryptoLove,' exited the scene and their scams moved on. They actively recruit affiliates via a Telegram bot.
## Tactics, Techniques & Procedures
- Social engineering via fake services promoted on social media leading to malicious downloads.
- Use of phishing pages managed by subteams associated with specific scams.
- Traffers conduct extensive reconnaissance ("days or weeks of time to scope operations").
- Infecting devices through malicious payloads delivered under the guise of legitimate-looking software/services (e.g., fake communication tools, games, productivity software).
- Targeting DeFi, DApps, and other blockchain-based projects.
## Targeting
- Sectors: Cryptocurrencies, Non-Fungible Tokens (NFTs), Smart Contracts, Web3 projects, Gaming accounts, Online banking/financial targets.
- Geography: Worldwide (tens of thousands of infected devices across the globe).
- Victims: High-value victims such as tech influencers, gaming influencers, and crypto influencers.
## Tools & Infrastructure
- Malware families used: Stealc (Windows infostealer), Rhadamanthys (infostealer), Atomic macOS Stealer (AMOS, macOS infostealer), Angel Drainer.
- Infrastructure: Public and private Telegram channels for communication and organization.
- Specific Scams/Fake Services Used: Voxium, Rocket Galaxy (formerly Rocket Legacy), TyperDex, DeMeet, Zoom and WeChat impersonators, Selenium Finance, Gatherum.
- Note: The source text provides no specific malicious domains or IP addresses, defanged or otherwise.
## Implications
Crazy Evil poses a significant, enduring threat to the Web3 ecosystem and personal data security due to its large scale, sophisticated tooling for both Windows and macOS, organizational structure (six subteams), and proven ability to generate millions in revenue. Their resilience is attributed to robust obfuscation, alliances with malware developers, and their presence on dark web forums.
## Mitigations
- Deploy advanced Endpoint Detection and Response (EDR) solutions to monitor for and block execution of known associated malware families: Rhadamanthys, Stealc, and AMOS.
- Deploy robust web filtering solutions to block access to known malicious domains and suspicious downloads, particularly those related to cracked or 'freemium' software.
- Regularly integrate threat intelligence feeds with the latest Indicators of Compromise (IoCs) related to Crazy Evil.
- Enhance security awareness training to include specific modules on cryptocurrency-targeted attacks and social engineering scams utilized by the group.