Crazy Evil's GrassCall scam tricks crypto job seekers

A cybercrime group named "Crazy Evil" is reportedly using fake job offers and a malicious application called "GrassCall" to deploy information-stealing software that targets and drains cryptocurrency wallets.

This scheme has impacted numerous job seekers in the Web3 space.

The group, identified as a Russia-based "traffer team," specialises in social engineering tactics to trick individuals into downloading malware.

Cybersecurity firm Recorded Future reported that Crazy Evil has been linked to over ten active scams on social media, explicitly targeting the cryptocurrency sector.

One of their earlier scams, Gatherum, was a similar meeting app with the same branding as GrassCall.

Crazy Evil created a fake crypto firm called "Chain Seeker," complete with social media accounts and job listings on LinkedIn, CryptoJobsList, and WellFound.

Applicants were contacted via email and asked to connect with the "Chief Marketing Officer" on Telegram.

The fake CMO then instructed the job seekers to download the malicious GrassCall app from a website under their control.

LinkedIn user Cristian Ghita noted the scam was well-orchestrated, with a professional website, LinkedIn and X profiles, and listed employees.

The GrassCall software, hosted on a website, offered Windows and Mac versions depending on the visitor's browser.

Once installed, the software deployed information-stealing malware, such as the Rhadamanthys RAT on Windows and the Atomic (AMOS) Stealer on Macs.

This malware steals passwords, authentication cookies, and cryptocurrency wallets.

Stolen data is then uploaded to the attackers' servers.

Cybersecurity researcher g0njxa stated that the RAT is used to gain persistent access to the infected machine, install a keylogger, and initiate phishing attempts to steal seed phrases from crypto wallets.

Victims are advised to use an uninfected device to change passwords and move their crypto to new wallets.

CryptoJobsList has removed the fraudulent job listings.

The website is no longer active due to the public attention to the scam.