Sophisticated cybercriminal operation targets cryptocurrency users and Web3 employees
Malware delivered through fake Electron applications disguised as legitimate tools
Uses extensive infrastructure of 80+ domains across multiple campaigns
Employs advanced social engineering with elaborate fake company ecosystems
Shared infrastructure suggests links to multiple traffer groups including "Marko Polo", "CrazyEvil", and "Wagmi"
Documented earnings of at least $2.4 million from cryptocurrency theft
Hybrid Analysis has identified a sophisticated cybercriminal operation targeting cryptocurrency users and Web3 employees. This threat actor is part of a "traffer gang", an organized cybercriminal operation with a hierarchical structure that specializes in delivering malware through convincing social engineering lures for financial gain. The operation has evolved from basic phishing to highly targeted attacks using fake companies, sophisticated malware, and elaborate social engineering techniques. The campaign shows clear signs of Russian-speaking threat actors, based on code comments and operational patterns.
A Hybrid Analysis Perspective
As we can see in the Hybrid Analysis report, the process drops multiple compressed files, namely app-64.7z and app.asar.
Figure 1 – Multiple encrypted or compressed files are dropped
The malware also creates multiple executables and DLLs, some of them being dependencies for Electron applications (Figure 2).
Figure 2 – Dependencies and other suspicious executables are created by the malware
As we can see in the process tree, the process spawns a new executable called Opulous Client.exe and queries the registry for the machine GUID value:
Figure 3 – Process tree
A Deeper Dive
In the first part of the analysis, we analyze a malicious Electron-based application called “Opulous”. The application asks the user to register or log in from the main window:
Figure 4 – Malicious application’s main window
Figure 5 – Content of the app.asar archive after extraction
The JS file main.original.js is a leftover from the threat actor that contains the unobfuscated JavaScript code, while main.js is the obfuscated version. We continue with the analysis of the unobfuscated script.
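The extraction step above can be reproduced without the asar CLI. The reader below is an added example, not code from the original post or from the malware: it parses the ASAR header layout (two Chromium "pickle" records with uint32 little-endian length prefixes, a JSON header, then the concatenated file data), walks nested directories, returns each entry's bytes, and flags leftovers such as main.original.js. The buildAsar writer and the SAMPLE_ASAR contents are constructed here only so the example runs offline.

```javascript
// Added example: minimal ASAR reader (assumed layout: two pickle records, JSON header, file data).
function parseAsar(buf) {
  const sizeLen = buf.readUInt32LE(0);     // always 4: length of the next uint32
  const headerSize = buf.readUInt32LE(4);  // byte length of the header pickle
  const jsonLen = buf.readUInt32LE(12);    // UTF-8 length of the JSON string
  if (sizeLen !== 4 || 16 + jsonLen > buf.length) throw new Error("not an ASAR archive");
  const header = JSON.parse(buf.subarray(16, 16 + jsonLen).toString("utf8"));
  const base = 8 + headerSize;             // file payloads start right after the header
  const entries = [];
  (function walk(node, prefix) {
    for (const [name, info] of Object.entries(node.files)) {
      const path = prefix ? `${prefix}/${name}` : name;
      if (info.files) walk(info, path);    // directory entry
      else entries.push({ path, size: info.size, offset: Number(info.offset), unpacked: !!info.unpacked });
    }
  })(header, "");
  return { base, entries };
}
// One entry's bytes; "unpacked" entries live outside the archive in app.asar.unpacked/.
function readEntry(buf, base, entry) {
  if (entry.unpacked) return null;
  return buf.subarray(base + entry.offset, base + entry.offset + entry.size);
}
// Triage helper: an unobfuscated *.original.js or a source map beside an obfuscated main.js is read first.
function findSourceLeftovers(entries) {
  return entries.map((e) => e.path).filter((p) => /\.original\.js$|\.map$/.test(p));
}
// Constructed ASAR writer, used only to produce offline sample input.
function buildAsar(files) {
  const header = { files: {} };
  const blobs = []; let offset = 0;
  for (const [path, data] of Object.entries(files)) {
    const parts = path.split("/");
    let node = header;
    for (const dir of parts.slice(0, -1)) node = node.files[dir] || (node.files[dir] = { files: {} });
    node.files[parts[parts.length - 1]] = { size: data.length, offset: String(offset) };
    blobs.push(data); offset += data.length;
  }
  const json = Buffer.from(JSON.stringify(header), "utf8");
  const padded = (json.length + 3) & ~3;   // string payload is padded to a 4-byte boundary
  const head = Buffer.alloc(16 + padded);
  head.writeUInt32LE(4, 0); head.writeUInt32LE(8 + padded, 4);            // size pickle: 4, header length
  head.writeUInt32LE(4 + padded, 8); head.writeUInt32LE(json.length, 12); // header pickle: payload, strlen
  json.copy(head, 16);
  return Buffer.concat([head, ...blobs]);
}
// Constructed sample mirroring the layout seen in the analysed app.asar.
const SAMPLE_ASAR = buildAsar({
  "package.json": Buffer.from('{"main":"main.js"}'),
  "main.js": Buffer.from("/* obfuscated build */"),
  "main.original.js": Buffer.from("// Собираем информацию о системе\n"),
  "src/renderer.js": Buffer.from("console.log('ui')"),
});
```

For a real sample, pass `require("node:fs").readFileSync("app.asar")` to parseAsar instead of SAMPLE_ASAR.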
Figure 6 reveals the command-and-control (C2) server opulous-app[.]live and a series of comments in Russian. The malware accepts command-line arguments such as “novm” or “disablechecks”, which skip the VM and server detection checks.
Figure 6 – The original script highlights the C2 server and has comments in Russian
First, the malware calls a function named sendClientName() that collects many details about the machine. It builds a payload from this information and exfiltrates it to the “/client-name” URI on the C2 server:
Figure 7 – Extract system information and exfiltrate it to the C2 server
The extracted information includes the following (Figure 8):
Private and public IP address
CPU model and RAM size
OS version
Hostname and username
GPU information
Installed antivirus software
Language and country extracted from the public IP
Whether the machine is a virtual machine or a server
Figure 8 – Collect information about the infected machine
The malware extracts the local IP address by calling the networkInterfaces function. The public IP address is retrieved using a list of four legitimate websites, as highlighted below.
Figure 9 – Private and public IP addresses are retrieved by the malware
The malicious process obtains GPU information using three methods displayed in Figure 10.
Figure 10 – Obtain information about the GPU
The executable looks for registry keys, services, and processes associated with multiple antivirus vendors:
Figure 11 – Antivirus detection
Although the initial executable is a Windows PE file, we identified JavaScript code suggesting that Linux machines could be targeted as well. As shown below, the process checks for multiple AV processes and services on Linux:
Figure 12 – Linux antivirus processes and services
The malware verifies whether the current host is a virtual machine by checking system information against a list of known machine GUIDs, processes, services, and similar artifacts. We identified a GitHub repository listing the same characteristics for the sandboxes used by VirusTotal’s dynamic analysis feature.
Figure 13 – VM detection based on known artifacts
For server detection, the malware checks whether the OS version string contains any of a list of keywords and whether the hostname contains strings that could indicate a cloud or enterprise environment. It also checks whether the machine’s role in the workgroup is 2 (“StandaloneServer”):
Figure 14 – Verify if the infected host is a server
The process listens on multiple channels such as “process-auth-data”, “submit-email”, “get-system-detail”, and others. When a message arrives on a channel, the corresponding handler is executed. For “process-auth-data”, the process generates an email address from the username entered in the app, exfiltrates the system information to the C2 server, and requests a file that is then downloaded, decrypted, and executed on the local machine:
Figure 15 – Generate an email based on the username and execute the downloaded file
The email generation function combines the username with known email domains (see Figure 16).
Figure 16 – Email address generation
The file specified by the C2 server is Base64-decoded and decrypted with AES-256; the key is transmitted by the server and the IV consists of NULL bytes. The resulting executable is saved as tradingview.exe and spawned by the process:
Figure 17 – Decrypt the content using the AES256 algorithm and run the newly-created file
The second Electron-based downloader we identified needs a token to run properly. This token can be extracted from the command-line arguments or the App Launcher’s URL and is validated with the C2 server:
Figure 18 – A token is mandatory for a successful execution
The process displays a fake verification screen while the verification is in progress:
Figure 19 – Verification screen is displayed to the unsuspecting user
The malware sends the token along with system information such as OS version, username, CPU name, RAM size, MAC address, and GPU information:
Figure 20 – Data to be exfiltrated to the C2 server
The malware acts as a downloader by downloading and running executable and MSI files based on two fields called “link1” and “link2”, specified by the C2 server (Figure 21).
Figure 21 – Download and execute .exe and .msi files
The binary can also run Python scripts using a Python interpreter disguised under a different executable name:
Figure 22 – Run Python scripts
According to previous campaigns and our analysis, the second stage can be an information stealer such as Rhadamanthys or Lumma on Windows and Amos/Atomic Stealer on macOS.
Mapping the infrastructure
From July 2024 through June 2025, a series of sophisticated cryptocurrency-focused social engineering campaigns emerged, targeting Web3 developers and project teams. Beginning in summer 2024, attackers utilized fake websites, GitHub repositories, and social media presence to distribute malware through seemingly legitimate applications. By September 2024, researchers identified 'Marko Polo', a financially motivated traffer team managing a Traffic Distribution System (TDS) responsible for over 30 social media scams using multiple malware families. December 2024 saw the emergence of the 'Meeten campaign' targeting Web3 employees with fake meeting software. Early 2025 brought an expansion of the fake company ecosystem, with threat actors adopting verification badges on social media platforms. By spring 2025, the NexVoo campaign demonstrated refined two-stage social engineering tactics and implemented invitation codes distributed through social apps to avoid detection. April 2025 research revealed the Wagmi traffer team's operations, which generated $2.4 million between June 2023 and March 2025 through sophisticated cryptocurrency targeting. By June 2025, the campaign had evolved to include numerous fake companies, leading to the revocation of a legitimate certificate from Paperbucketmdb ApS due to malicious usage.
Our investigation identified over 80 domains in this campaign, showing how these operations have evolved from basic phishing to targeted attacks against Web3 users. The malware analyzed in the previous section represents the initial infection vector that compromises machines, profiles them, and can execute additional second stage payloads. We present the evolution of activities below.
September-October 2024: We observe new infrastructure with the same AI-themed productivity tools. Domains like klast[.]ai (registered 2024-07-16), slaxai[.]app, swox[.]ai, and dexis[.]io emerged, again with shared web template similarities. Threat actors pivoted to using Electron apps for malware delivery, conducting exfiltration through JavaScript. C2 infrastructure included cnfreund[.]com, hojosy[.]com, and sumachpress[.]com.
Figure 23 – Various lures with “AI-powered productivity apps” theme.
November-December 2024: Operation evolved to target crypto investors with fake Web3 gaming projects. New domains included metatoy[.]io, primalverse[.]io (impersonating Cavemen Club game), and streamyard variants. Technical sophistication increased with NSIS installer abuse (90MB+ signed executables) to avoid detection. Malware samples contained Russian comments ("Собираем информацию о системе", "Перехватываем сообщения из консоли").
May-July 2025: We observed further infrastructure expansion with lapeai[.]io (registered May 9, 2025), scoil[.]ai, scoil[.]cc, and speeka.ai variants, all cloning the https[:]//affine[.]pro/ web template and its GitHub repository README.md template. Threat actors created elaborate fake team structures with 35+ "core members" to enhance legitimacy. Of these, only some accounts actively promoted the projects; the others were purchased or compromised accounts with crypto-themed usernames, or otherwise legitimate-looking accounts with bios and posts related to Web3/crypto.
July-November 2025: Latest evolution includes vixcall domains and expanded C2 infrastructure (pelletibor[.]com, dloutstanding[.]com, itmab[.]com, mrajhhosdoahjsd[.]com, solus[.]today, and solus-app[.]digital).
September-October 2025: Significant pivot to airdrop-themed infrastructure observed with the creation of multiple domains targeting DeFi users. Infrastructure analysis revealed a shared hosting pattern with eight malicious domains (asterdex-drop[.]eu, asterdrop[.]run, fluencedrop[.]digital, aster-dex[.]eu, asterdrop[.]digital, sunperp[.]icu, meteoradrop[.]com, and fluencedrop[.]eu) all hosted on the same IP address (62.60.226[.]16) as the previously identified solus-app[.]digital and solus[.]today domains. These new domains – created between September 24 and October 7, 2025 – showed high detection rates by security vendors (11 malicious detections for asterdex-drop[.]eu at the time of writing), indicating a coordinated campaign shift toward exploiting airdrop FOMO in the crypto community.
Our investigation uncovered an extensive network of 80+ domains associated with this campaign, revealing a more complex picture of the threat actors' infrastructure than previously documented. The malware contained distinctive Russian comments in the code, including "Функция для генерации случайной строки" (Function for generating random strings) and "Перехватываем сообщения из консоли" (Intercepting console messages), providing potential attribution indicators. Beyond the domains mentioned in published reports, we discovered additional C2 infrastructure including macattic[.]com, woaihuanbao[.]com, addonsystem[.]com, shedegei[.]com, and tmcxchem[.]com, as well as previously undocumented distribution sites like flowus variants, talkon variants, yovox domains, and zynce[.]org. The September 2025 pivot to airdrop-themed domains (created between September 24 and October 7) represents a significant tactical shift, suggesting the threat actors are adapting to target the growing interest in token airdrops following major DeFi protocol launches.
We have identified the following accounts promoting the malicious apps on Social Media:
SpeekaAI (Telegram, X)
NexBeeAI (Telegram, X)
CryptalixAI (X)
AppScoil (X)
ScoilApp (GitHub, GitBook, linktr.ee)
SlaxApp (GitHub, Telegram, GitBook, linktr.ee)
SolusApp (X, GitBook, Telegram, linktr.ee)
FlowUsApp (X)
Yovox (X, Medium, GitBook)
VocaLinkLive (X)
NexVoo (GitHub, Telegram)
TalkOn_AI (X)
Technical Evolution
Initial Delivery: Evolved from simple malicious downloads to sophisticated signed executables (certificates from "IT POLONIA SP Z O O", "Richester Business Network Inc.", "HAM AND FIRKIN LIMITED", "Jiangyin Fengyuan Electronics Co., Ltd.", and "Paperbucketmdb ApS"). The TRAC Labs research revealed that traffer groups like Wagmi systematically abuse code signing certificates, cycling through multiple GlobalSign EV certificates after each revocation, demonstrating a persistent pattern of certificate abuse across the ecosystem.
Malware Capabilities: Progressed from basic fingerprinting to comprehensive system profiling:
Username, CPU model, processor count, RAM, OS version, MAC address, GPU information
Anti-analysis techniques including file size randomization (0.2-2MB of random data)
Random directory creation for evasion
Anti-VM/sandbox detection for macOS (checks for QEMU, VMWare, Docker-OSX)
Social Engineering: Advanced from opportunistic phishing to highly targeted approaches:
Initial: Generic productivity tool lures
Mid-stage: AI-powered applications targeting tech enthusiasts
Current: Customized approaches based on victim profiles with just-in-time infrastructure
Latest: Fake conference presentations with photoshopped images (e.g., Eternal Decay)
Automated victim identification tools such as "Wagmiscapper", which collects cryptocurrency wallet addresses from Twitter to identify high-value targets
Legitimacy Building: Increasingly sophisticated methods to appear genuine:
GitHub repositories with fake contributors and inflated metrics
AI-generated Medium blog posts and documentation
Fake team structures with purchased/compromised social media accounts
Merchandise sections on websites (conveniently already sold-out) to enhance credibility
Notion pages for product roadmaps and employee details
Fake company registration information linking to legitimate but unrelated businesses
Detailed fake "Staff Guidance Manuals" and "FAQ" documents to build trust with victims
Platform Targeting: Expanded from Windows-only to cross-platform attacks:
Windows: Electron applications with Python components for stealer functionality, evolving to use HijackLoader to deliver Rhadamanthys and Lumma stealers
macOS: DMG files containing Amos/Atomic Stealer with persistence via LaunchAgent
The malicious binaries cannot be downloaded without registration codes – given by the social media group admins – to limit analysis exposure
Browser-based attacks including wallet drainers targeting Phantom wallet users
Infrastructure Sharing: Evidence of template and infrastructure sharing between different traffer groups:
Vixcall template reused by Wagmi for their Splare meeting software
Common API paths for payload delivery across different campaigns
Shared hosting infrastructure between different scam operations
Domains with similar naming conventions/themes created after previous domains are taken down
Standardized victim tracking using build IDs in Telegram logs
There is a clear evolution from opportunistic phishing to highly targeted attacks against the Web3/crypto ecosystem, with threat actors continuously adapting their technical capabilities and social engineering techniques to evade detection and maximize success rates. The operation has clearly grown from isolated incidents to a sophisticated ecosystem of interconnected fake companies, mimicking the TTPs of "CrazyEvil" documented in previous research, a traffer group that has reportedly generated millions in revenue from cryptocurrency theft. While definitive attribution to CrazyEvil or associated teams cannot be indisputably confirmed, the tactical patterns align closely.
We assess with moderate confidence that there is a connection between the Marko Polo and Wagmi traffer operations. This assessment is based on multiple converging indicators, including: shared website design patterns and information architecture; parallel operational pivots from AI productivity applications to crypto/web3 themes; concurrent domain registration timeframes; similar legitimacy-building tactics; consistent naming conventions (nexvoo, nexbee, swox, dexis, yovox, slax, klast); distribution of identical malware families (HijackLoader and AMOS); comparable domain replacement agility when facing blocks; and preference for similar TLDs (.app, .io, .ai). While each indicator individually provides weak correlation, their convergence suggests shared infrastructure, methodology, or coordinated operations.
This operation showcases the extensive effort threat actors invest in establishing legitimate-appearing companies, combined with their use of increasingly evasive malware to target cryptocurrency holders.
Indicators of Compromise
C2 servers
Distribution/Malicious websites
SHA256