Mon. Feb 3rd, 2025

A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams that leverage a wide range of tailored lures to deceive victims and trick them into installing malware such as StealC, Atomic macOS Stealer (aka AMOS), and Angel Drainer.

"Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a well-coordinated network of traffers — social engineering experts tasked with redirecting legitimate traffic to malicious phishing pages," Recorded Future's Insikt Group said in an analysis.

The cryptoscam group's use of a diverse malware arsenal is a sign that the threat actor is targeting users of both Windows and macOS systems, posing a risk to the decentralized finance ecosystem.

Crazy Evil has been assessed to be active since at least 2021, functioning primarily as a traffer team tasked with redirecting legitimate traffic to malicious landing pages operated by other criminal crews. Allegedly run by a threat actor known on Telegram as @AbrahamCrazyEvil, it serves over 4,800 subscribers on the messaging platform (@CrazyEvilCorp) as of writing.

"They monetise the traffic to these botnet operators who intend to compromise users either widely, or specifically to a region, or an operating system," French cybersecurity company Sekoia said in a deep-dive report about traffer services in August 2022.

"The main challenge facing traffers is therefore to generate high-quality traffic without bots, undetected or analysed by security vendors, and eventually filtered by traffic type. In other words, traffers' activity is a form of lead generation."

Unlike other scams that revolve around setting up counterfeit shopping sites to facilitate fraudulent transactions, Crazy Evil focuses on the theft of digital assets involving non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online banking accounts. It is estimated to have generated over $5 million in illicit revenue and compromised tens of thousands of devices globally.

It has also gained newfound prominence in the wake of exit scams involving two other cybercrime groups, Markopolo and CryptoLove, both of which were previously identified by Sekoia as responsible for a ClickFix campaign using fake Google Meet pages in October 2024.

"Crazy Evil explicitly victimizes the cryptocurrency space with bespoke spear-phishing lures," Recorded Future said. "Crazy Evil traffers sometimes take days or weeks of reconnaissance time to scope operations, identify targets, and initiate engagements."

Besides orchestrating attack chains that deliver information stealers and wallet drainers, the group's administrators claim to offer instruction manuals and guidance for its traffers as well as crypter services for malicious payloads, and boast of an affiliate structure to delegate the operations.

Crazy Evil is the second cybercrime group, after Telekopye, to be exposed in recent years that centers its operations around Telegram. Newly recruited affiliates