Scammers Create Fake Conference Software to Steal Cryptocurrency
Researchers at Recorded Future have uncovered a cross-platform campaign targeting cryptocurrency users. Scammers promote infostealer malware disguised as virtual meeting software on social media; once a victim runs the fake installer, the stealer harvests credentials, wallet data and other information from the machine, which is then used to drain the victim’s cryptocurrency.
How the Scam Works
As part of this campaign, the scammers advertise virtual meeting software—Vortax and 23 other applications—that serves as a delivery vehicle for infostealers such as Rhadamanthys and StealC (both Windows stealers) and Atomic macOS Stealer (AMOS), which is what makes the operation cross-platform. According to the researchers, “This campaign primarily targets cryptocurrency users, highlights the significant growth of threats for macOS, and demonstrates an extensive network of malicious applications.”
Building a False Sense of Legitimacy
One key aspect of this operation is the effort the operators put into making Vortax look legitimate on social media and across the web. They run a dedicated Medium blog filled with articles that appear to be AI-generated, and they have obtained a verified X (formerly Twitter) account with a gold checkmark, the tier X sells to organizations. A paid verification badge is not a trust signal: it shows only that someone paid for it, not that the software behind it is genuine.
How Victims Are Targeted
To download the malicious application, a victim must first obtain a Room ID, a unique invitation code for a meeting. The code is handed out in replies from the Vortax X account, in direct messages, or in cryptocurrency-themed channels on Discord and Telegram, which means the payload is only reachable by people who have already engaged with the campaign’s social channels rather than by anyone who stumbles onto the site.
When a user enters the Room ID on the Vortax website, they are redirected to Dropbox or to an external site that supposedly hosts the software installer. The installer is the malware: running it deploys an infostealer on the victim’s system.
Attack Infrastructure and Tactics
Recorded Future reports, “The attacker behind this campaign, whom we have identified as markopolo, uses shared hosting and management infrastructure for all builds. This suggests the attacker prefers convenience and ensures campaign flexibility, quickly abandoning scams if they are detected or yield little profit, and switching to new methods.”
Possible Connections to Other Attacks
Researchers note that this campaign may be linked to previously discovered malicious activity targeting Web3 game users, possibly orchestrated by the same attacker. Additionally, Recorded Future believes that markopolo may also be connected to a large-scale credential harvesting campaign, with stolen data potentially being sold on darknet marketplaces such as Russian Market and 2easy Shop.