GrassCall Malware Campaign: How Fake Job Interviews Are Draining Crypto Wallets


The GrassCall malware campaign is a sophisticated cyberattack targeting job seekers in the Web3 space, draining cryptocurrency wallets through fake job interviews. This campaign uses social engineering to lure victims into downloading a malicious meeting application called GrassCall, disguised as a legitimate video conferencing tool. Once installed, this app deploys malware designed to steal sensitive data, including cryptocurrency wallet information. This advanced crypto-targeted malware has affected hundreds of people, leaving many with empty crypto accounts.

The Cybercrime Group Behind GrassCall: Crazy Evil

The GrassCall malware campaign was orchestrated by a Russia-based cybercrime group known as Crazy Evil, a social engineering specialist team often referred to as a “traffer team.” This group is notorious for targeting the cryptocurrency sector with tailored spearphishing tactics. In January, cybersecurity researchers linked over ten active scams on social media to Crazy Evil, identifying their focus on exploiting vulnerabilities within the cryptocurrency space.

Crazy Evil’s earlier scam, Gatherum, was notably similar to GrassCall, using the same logo and branding to deceive users. They even operated under different aliases, including an X account named VibeCall, which shared identical branding with Gatherum and GrassCall. The VibeCall account became active in mid-February despite being created in June 2022, showing the group’s strategic planning and persistence in targeting cryptocurrency users. These previous campaigns served as blueprints for the more advanced GrassCall operation.

Fake Company and Elaborate Recruitment Scam

Crazy Evil created an entirely fictitious company called ChainSeeker.io, complete with a professional-looking website and active social media profiles to appear legitimate. This fake company was portrayed as a Web3 startup, helping the attackers gain credibility among job seekers. By posting high-paying job listings on popular platforms like LinkedIn, WellFound, and CryptoJobsList, the scammers attracted numerous applicants eager to work in blockchain-related roles.

The listings advertised remote positions such as Social Media Manager, NFT Artist, and Blockchain Analyst, drawing in professionals looking for lucrative opportunities in the Web3 industry. The fraudulent postings were detailed enough to appear genuine, which reduced the chances of applicants suspecting any malicious intent.

Once applicants showed interest, they were invited to a fake job interview with ChainSeeker’s Chief Marketing Officer via Telegram. The fake CMO would then instruct candidates to download the GrassCall meeting app from a controlled website. This app was promoted as a revolutionary AI-powered communication tool, making it seem authentic. However, once downloaded, the crypto-targeted malware began its malicious activities.

Malware Payload: How GrassCall Drains Crypto Wallets

Once installed, the GrassCall malware unleashed a bundle of harmful software, including a remote access trojan (RAT) and an information stealer. These malicious programs were designed to:

  • Log keystrokes to capture sensitive data like passwords and recovery phrases for crypto wallets.
  • Extract saved passwords and authentication cookies from web browsers.
  • Steal cryptocurrency wallet keys and recovery phrases, enabling attackers to drain digital wallets.

The malware was specifically crafted to target cryptocurrency wallets, making it one of the most advanced forms of crypto-targeted malware to date. The stolen information was then uploaded to remote servers controlled by the attackers, who organized the data for quick exploitation.

Financial Impact and Criminal Organization

This highly lucrative campaign used a commission-based model to reward cybercriminals who successfully tricked victims into installing the GrassCall app. In some cases, victims lost tens of thousands of dollars from compromised wallets. Internal communications revealed that the cybercrime group’s members were rewarded handsomely for each successful compromise, further motivating them to continue their activities.

Crazy Evil’s organized structure, combined with their focus on cryptocurrency users, made the GrassCall malware campaign particularly dangerous. By leveraging their previous scams like Gatherum and VibeCall, they perfected their social engineering tactics, maximizing their financial gains.

How to Protect Yourself from GrassCall and Crypto-Targeted Malware

To safeguard yourself against GrassCall and similar crypto-targeted malware, consider the following measures:

  1. Verify Job Offers and Company Legitimacy: 
    • Always research companies offering remote Web3 jobs. Confirm their legitimacy by checking for official websites and authentic social media profiles.
    • Avoid interacting with companies that exclusively communicate through messaging apps like Telegram or WhatsApp.
  2. Be Cautious with Meeting Apps: 
    • Refuse to download unfamiliar meeting applications like GrassCall. Legitimate interviews typically use well-known platforms such as Zoom, Google Meet, or Microsoft Teams.
    • If pressured to install third-party software, request to use a recognized platform instead.
  3. Check Download Links and Websites: 
    • Be vigilant about URLs and domain names. Fake websites like the GrassCall landing page are designed to look professional but often have suspicious domain structures.
    • Scan all downloaded files with reputable antivirus tools before installation.
  4. Protect Your Cryptocurrency Wallets: 
    • Never input your wallet’s seed phrase or private keys into any application, especially during job interviews.
    • Use hardware wallets to store your cryptocurrency securely, as they keep private keys offline, away from malware.
  5. Strengthen Security on Devices: 
    • Install reliable anti-malware and antivirus programs to detect and remove crypto-targeted malware like GrassCall.
    • Regularly update your operating system and all installed software to protect against emerging threats.
  6. Monitor Financial Accounts and Wallets: 
    • If you suspect malware infection, immediately change passwords and enable two-factor authentication (2FA) on your cryptocurrency exchanges and wallets.
    • Check for unauthorized transactions and secure your financial accounts with strong, unique passwords.
  7. Stay Informed and Vigilant: 
    • Keep up with the latest cybersecurity news related to crypto-targeted malware and phishing scams.
    • Educate yourself on how advanced malware campaigns like GrassCall operate to better recognize and avoid such threats.

These specific measures are tailored to counter the tactics used in the GrassCall malware campaign and other advanced crypto-targeted malware attacks. By implementing these security practices, you can significantly reduce the risk of becoming a victim of cryptocurrency theft.
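The checks in measures 1 to 3 can be partly automated when triaging recruiter messages. The following is an added example, not code from the article or its sources: the allowlist of meeting hosts, the flag names and both sample messages are assumptions constructed for illustration, and the campaign names are the ones reported above.

```python
import re
from urllib.parse import urlparse

# Brand names reported in this article for the campaign and its predecessors.
CAMPAIGN_NAMES = ("grasscall", "gatherum", "vibecall", "chainseeker")
# Assumption: the defender's own allowlist of recognised meeting hosts.
KNOWN_MEETING_HOSTS = ("zoom.us", "meet.google.com", "teams.microsoft.com")
INSTALL_WORDS = re.compile(r"\b(download|install)\b", re.I)
CHAT_ONLY = re.compile(r"\b(telegram|whatsapp)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def host_allowed(host):
    """True only for an allowlisted host or a real subdomain of one.
    Matching on the dot boundary rejects lookalikes such as
    'zoom.us.join-call.example' and 'notzoom.us'."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in KNOWN_MEETING_HOSTS)

def triage(message):
    """Return the list of red flags found in one recruiter message."""
    flags = []
    lowered = message.lower()
    hits = [n for n in CAMPAIGN_NAMES if n in lowered]
    if hits:
        flags.append("campaign-name:" + ",".join(hits))
    if CHAT_ONLY.search(message):
        flags.append("chat-app-interview")
    bad_hosts = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname or ""
        if not host_allowed(host) and host not in bad_hosts:
            bad_hosts.append(host)
            flags.append("unrecognised-host:" + host)
    # The pattern described in the article: told to install software
    # from a site that is not a recognised meeting platform.
    if bad_hosts and INSTALL_WORDS.search(message):
        flags.append("install-from-unrecognised-host")
    return flags

# Constructed sample messages (the .example domain is a placeholder).
SAMPLE_LURE = ("Hi, I'm the CMO at ChainSeeker. Let's continue on Telegram. "
               "Please download our meeting app before the call: "
               "https://grasscall.example/download")
SAMPLE_OK = "Your interview is on Thursday, join here: https://meet.google.com/abc-defg-hij"

if __name__ == "__main__":
    for msg in (SAMPLE_LURE, SAMPLE_OK):
        print(triage(msg))
```

A clean result only means none of these particular signals fired; it does not vouch for the sender.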

Protecting Your Digital Assets

The GrassCall malware campaign serves as a stark reminder of how cybercriminals are evolving their tactics, especially in targeting cryptocurrency users. By creating a fake company and leveraging social engineering, the attackers managed to bypass victims’ suspicions, leading to substantial financial losses. This campaign highlights the importance of vigilance when applying for jobs in the Web3 space and the need for robust cybersecurity practices.

As cryptocurrency continues to grow in popularity, so do the threats targeting digital wallets. Stay informed, be cautious of too-good-to-be-true job offers, and always prioritize security when dealing with cryptocurrency-related activities. With the right knowledge and precautions, you can protect your digital assets from advanced crypto-targeted malware campaigns like GrassCall.


Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
