A notorious Russian-speaking cybercrime group known as Crazy Evil is behind a series of social media-based scams aimed at stealing cryptocurrency and other digital assets. Leveraging a range of malware like StealC, Atomic macOS Stealer (AMOS), and Angel Drainer, this group has targeted both Windows and macOS users in the decentralized finance ecosystem.
Crazy Evil’s Sophisticated Tactics
According to Recorded Future’s Insikt Group, Crazy Evil is known for its identity fraud operations and the deployment of information-stealing malware. The group runs a coordinated network of traffers, social engineering operators who redirect legitimate traffic to malicious phishing websites. This campaign is designed to steal cryptocurrency, payment card details, and online banking credentials, and has impacted tens of thousands of users globally.
The group has been active since at least 2021 and functions primarily as a traffer network, redirecting traffic to malicious landing pages managed by other criminal groups. Crazy Evil operates on Telegram under the alias @AbrahamCrazyEvil and runs a channel, @CrazyEvilCorp, with over 4,800 subscribers.
“Traffers generate high-quality traffic that avoids detection by security vendors,” said Sekoia, a French cybersecurity firm. “They essentially generate leads for other cybercriminals, often working with botnet operators to compromise users.”
Malware Arsenal for Cryptocurrency Theft
Crazy Evil’s malware campaign has been linked to multiple crypto scams. The group’s malware arsenal, including StealC, AMOS, and Angel Drainer, targets both Windows and macOS systems, with a focus on cryptocurrency theft and fraud. The group aims its spear-phishing lures specifically at the cryptocurrency community to maximize financial gain.
Crazy Evil is notorious for using diverse strategies, including fraudulent job offer scams and fake investment schemes, to distribute its malicious software. These scams have already resulted in over $5 million in illicit revenue.
Traffers and Affiliated Scams
The cybercriminal group is divided into six sub-teams—AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND—each focusing on specific scams that lead victims to install malware disguised as legitimate software.
- AVLAND: Uses job offer scams to spread StealC and AMOS via a fake Web3 communication tool called Voxium.
- TYPED: Distributes AMOS under the guise of an AI software named TyperDex.
- DELAND: Propagates AMOS as a community platform called DeMeet.
- ZOOMLAND: Uses fake Zoom and WeChat scams to distribute AMOS.
- DEFI: Targets victims with AMOS under the pretense of a digital asset management platform, Selenium Finance.
- KEVLAND: Distributes AMOS disguised as an AI virtual meeting software called Gatherum.
This vast network of scams showcases the group’s ability to adapt and evolve in its malware delivery techniques, posing significant threats to the cryptocurrency and digital asset sectors.
Rising Threat to Crypto Ecosystem
As Crazy Evil continues its operations, the group’s success has inspired similar cybercriminals to emulate its tactics. According to Recorded Future, security teams must remain vigilant to prevent widespread breaches in the cryptocurrency, gaming, and software sectors, as the group’s reach continues to grow.
Crypto Drainer Malware and TAG-124 TDS
In addition to its own campaigns, Crazy Evil shares infrastructure with other threat groups, such as the Rhysida and Interlock ransomware operations. A Traffic Distribution System (TDS) tracked as TAG-124 is used to distribute malware through compromised WordPress sites. These sites display fake Google Chrome update landing pages that ultimately lead to malware infections.
The same TDS is also linked to malware campaigns distributing Remcos RAT and CleanUpLoader, which are in turn used to deploy ransomware such as Rhysida and Interlock.
Malware Distribution via GitHub and Other Platforms
Security researchers have identified that threat actors are increasingly using GitHub repositories to distribute malware such as Lumma Stealer, SectopRAT, and Cobalt Strike Beacon. This new tactic exploits the trust associated with legitimate platforms to distribute malicious payloads.
“The malware-as-a-service (MaaS) model allows cybercriminals to execute complex cyberattacks more easily,” explained Trend Micro researchers, drawing parallels with the Stargazer Goblin group, which also uses GitHub for malware distribution.
Conclusion
As Crazy Evil and other cybercriminal groups continue to innovate, cybersecurity teams and cryptocurrency users must stay on high alert. The threat of malware, phishing scams, and digital asset theft remains ever-present, making proactive defense strategies essential for mitigating risk.
By understanding and recognizing the signs of crypto-draining malware and phishing attacks, users can better protect their digital assets and secure their online presence.