Cybercriminals are getting smarter, and their latest scheme targets job seekers in the Web3 space. A sophisticated social engineering campaign has been uncovered where fake job interviews were conducted via a malicious meeting app called “GrassCall.” The end goal? Stealing cryptocurrency wallets from unsuspecting victims.
As reported by BleepingComputer, the campaign was carried out by a Russian-speaking cybercriminal group known as “Crazy Evil.” These scammers have been actively deploying social engineering attacks, luring victims with fake job opportunities and tricking them into installing malware-laden software.
The attackers created a fake company called “ChainSeeker.io” and built a professional-looking website for it, along with social media profiles on LinkedIn and X (formerly Twitter). They even paid for premium job listings on well-known platforms like LinkedIn, WellFound, and CryptoJobsList to make the scam look entirely legitimate.
Once job seekers applied, they received an email inviting them for an interview. However, the catch was that they had to communicate via Telegram with a supposed Chief Marketing Officer (CMO). The fake CMO then directed them to download the “GrassCall” video meeting app from the website grasscall[.]net. Depending on whether the visitor was using a Windows or Mac device, the site served them a malicious package of the application.
Upon downloading and executing the software, victims unknowingly installed information-stealing malware. On Windows, the malware included a Remote Access Trojan (RAT) alongside the Rhadamanthys infostealer. On Macs, it installed the Atomic (AMOS) Stealer.
These tools were designed to:
- Log keystrokes to steal passwords.
- Extract cryptocurrency wallet data.
- Exfiltrate browser-stored authentication cookies and credentials.
- Gain persistent access to the victim’s machine.
Cybersecurity researcher g0njxa, who has been tracking this campaign, explained to BleepingComputer that if a wallet was found, the attackers attempted to brute-force passwords, drain the funds, and reward the “traffer” (the person responsible for infecting the victim). Telegram logs reveal that scammers involved in this operation can make tens or even hundreds of thousands of dollars per successful attack.
A Telegram group has been created to help victims of this attack remove the malware from their Windows and macOS devices. Additionally, CryptoJobsList took swift action by removing the fraudulent job postings and warning applicants about the scam.
With the scam gaining public attention, the GrassCall website has now been taken down. However, the criminals have already pivoted to a new campaign called VibeCall, using the same website template and modus operandi.
If you suspect you have been targeted by this scam, take these immediate steps:
- Change all passwords: Update login credentials for websites, exchanges, and crypto wallets.
- Enable Two-Factor Authentication (2FA): Use an authentication app rather than SMS-based 2FA.
- Scan your system: Run a malware scan on your device using security tools.
- Be cautious of job offers: Legitimate companies conduct interviews on widely used platforms like Zoom or Google Meet—not unknown apps.
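For defenders who keep DNS or proxy logs, the following added example (not from the original article or from BleepingComputer) checks whether any host looked up the download domain named above. Only the indicator grasscall[.]net comes from the article; the log format, timestamps, client addresses and the `dl.` subdomain are constructed for illustration.

```python
import re

# Defanged indicator exactly as published in the article.
DEFANGED_IOCS = ["grasscall[.]net"]

# Constructed sample DNS log lines (format, clients and "dl." subdomain are assumptions).
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z client=192.0.2.10 query=www.example.com. type=A",
    "2025-01-01T10:00:05Z client=192.0.2.23 query=grasscall.net. type=A",
    "2025-01-01T10:00:09Z client=192.0.2.23 query=DL.GrassCall.net type=A",
    "2025-01-01T10:00:12Z client=192.0.2.31 query=notgrasscall.net type=A",
    "2025-01-01T10:00:15Z client=192.0.2.31 query=grasscall.net.example.org type=A",
]

# Hostname-shaped tokens: dot-separated labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\.?", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://x[.]y/path) into a bare hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.split("/")[0].rstrip(".")


def host_matches(host: str, ioc: str) -> bool:
    """True for the indicator or any subdomain of it, never for look-alike strings."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def find_hits(log_lines, defanged=DEFANGED_IOCS):
    """Return (line_number, hostname) for every log line that names an indicator."""
    iocs = [refang(i) for i in defanged]
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            if any(host_matches(host, i) for i in iocs):
                hits.append((n, host.lower()))
    return hits


if __name__ == "__main__":
    for line_no, host in find_hits(SAMPLE_LOG):
        print(f"line {line_no}: lookup of {host}")
```

Matching on the whole hostname rather than a substring avoids flagging unrelated names such as the two look-alike entries in the sample.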
This attack highlights how cybercriminals keep trying different ways to target users across the globe. This time, they posed as a company looking for candidates. With professional-looking websites, premium job listings, and fake corporate profiles, these scams are harder than ever to spot. Always verify job opportunities directly with company websites and remain cautious about downloading software from unknown sources.







