A cybercrime group has launched a scam using fake job offers and a malicious meeting app called GrassCall to steal crypto from unsuspecting victims. The scam involved a fraudulent company, fake job listings, and a malware-infected app designed to steal personal information and drain crypto wallets.
According to a report by BleepingComputer on Feb. 26, the scheme has now been abandoned, with websites and LinkedIn accounts linked to the scam taken down.
BleepingComputer reported that scammers set up a fake company and posted job listings on LinkedIn and other Web3 job platforms. Source: X
However, before exposure, the scam successfully targeted hundreds of job seekers, some of whom reported losing their crypto after downloading the GrassCall app.
Russia-Based Cybercrime Group ‘Crazy Evil’ Behind the Crypto Job Scam
The cybercrime group behind this operation is “Crazy Evil,” a Russia-based organization specializing in social engineering attacks. This group is known as a “traffer team”—a term used for cybercriminal groups that focus on stealing cryptocurrency through deception.
A report by cybersecurity firm Recorded Future linked Crazy Evil to more than ten scams targeting the crypto industry. The group uses spear-phishing tactics, where victims are tricked into revealing sensitive information through personalized and deceptive messages.
One of their earlier scams, Gatherum, was nearly identical to the GrassCall scheme. Gatherum masqueraded as a legitimate meeting app, using the same branding and logo.
A side-by-side comparison of Gatherum and VibeCall’s X accounts. Source: X
Additionally, an X account named “VibeCall” appeared with the same branding as Gatherum and GrassCall. The account became active in mid-February, despite being created in June 2022, suggesting it was repurposed for the scam.
Fake Company ‘Chain Seeker’ Used to Post Crypto Job Ads
To make the scam seem legitimate, Crazy Evil created a fake crypto company called “Chain Seeker.” The group set up social media accounts and posted job listings on LinkedIn and popular Web3 job boards, including CryptoJobsList and WellFound.
The scam began when job seekers applied for positions at Chain Seeker after seeing its listings online. After submitting applications, they received an email from the company instructing them to contact its so-called “marketing chief” on Telegram. Once on Telegram, the scammer told them to download the GrassCall app from a website controlled by the group. This website, appearing professional, tricked victims into believing they were accessing a legitimate meeting tool. However, once installed, the GrassCall malware immediately stole crypto wallet details from the infected devices.
Victims Speak Out: ‘The Scam Was Extremely Well-Orchestrated’
LinkedIn user Cristian Ghita, who applied for a role at Chain Seeker, described the scam as “extremely well-orchestrated.” He noted that the fraudulent company had a professional-looking website, LinkedIn and X profiles, and listed employees, making it appear legitimate from all angles.
Even the GrassCall app had a seemingly believable online presence, which tricked many victims into downloading it.
As the scam became widely exposed, LinkedIn and job boards took down most of Chain Seeker’s listings. However, one remained active on LinkedIn at the time of reporting.
Wallet drainer links have been sent to job seekers. Source: X
A website for Chain Seeker previously listed individuals such as Chief Financial Officer (CFO) Isabel Olmedo and HR Manager Adriano Cattaneo, but their LinkedIn pages have been deleted. However, another LinkedIn profile under the name Artjoms Dzalbs, claiming to be Chain Seeker’s CEO, was still active.
Experts Warn Crypto Traders and NFT Users to Stay Vigilant
In a report last month, Recorded Future warned that crypto traders, NFT investors, and gaming professionals are prime targets for these types of scams. The firm advised job seekers to be cautious of job offers that require downloading unknown software.
Many security experts and social media users advised anyone affected by GrassCall malware to change their passwords immediately and transfer their crypto assets to a new wallet using an uninfected device. With the scam now exposed, BleepingComputer reports that Crazy Evil has likely abandoned this specific operation. However, cybersecurity experts warn that similar schemes could emerge under different names.
The post Crypto Job Scam Exposed: Fake ‘GrassCall’ App Drains Wallets appeared first on Coinchapter.