
Crypto scammers targeted unsuspecting professionals with fake job offers and a malicious meeting application dubbed GrassCall to deploy data-stealing malware designed to drain cryptocurrency wallets.
According to a recent report from BleepingComputer, the sophisticated social engineering scam was orchestrated by the Russia-based cybercrime group Crazy Evil.
The scheme has since been abandoned, with the associated websites and LinkedIn accounts taken down after numerous victims came forward.
While it was active, however, the scam tricked hundreds of job seekers, some of whom reported that their crypto wallets were drained after they downloaded the malicious GrassCall app.
How did GrassCall drain crypto wallets?
The scheme revolved around a fake crypto firm called Chain Seeker, which set up convincing job listings on LinkedIn and Web3 job boards like CryptoJobsList and WellFound.
Applicants would receive emails directing them to the company’s “marketing chief” on Telegram.
From there, the scammers social-engineered them into downloading GrassCall from a website under the group's control, which has since been taken down.
The malicious application was offered for both Windows and Mac systems. Once installed, it deployed information-stealing malware and remote access trojans (RATs) designed to harvest sensitive data and drain cryptocurrency wallets.
On Windows, the app installed a RAT alongside infostealers such as Rhadamanthys, allowing attackers to log keystrokes, maintain persistence, and run seed-phrase phishing attacks against users of hardware wallets.
Mac users instead unknowingly downloaded the Atomic macOS Stealer (AMOS), which scraped passwords stored in the Apple Keychain, browser authentication cookies, and crypto wallet files.
According to G0njxa, a cybersecurity researcher cited in the report, the stolen data was uploaded to the operation’s servers, with details about compromised accounts and wallets shared in Telegram channels used by the scam group.
If a crypto wallet was detected, passwords were brute-forced, funds were drained, and the scammer who lured the victim was rewarded with a cut of the stolen assets.
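The brute-forcing step above is worth seeing concretely, because it explains why a stolen wallet file is so dangerous: once an infostealer has copied the file off the victim's disk, the attacker guesses its password offline, with no lockout or rate limit, and only the password's strength and the wallet's key-derivation cost stand in the way. The following is an added illustration written for this page, not code from GrassCall, AMOS, or Rhadamanthys. The wallet header format (a random salt plus a PBKDF2-derived key-check MAC), the iteration count, the base words, and the mangling rules are all constructed assumptions chosen so the demo runs instantly; real wallet formats use much higher work factors and real crackers use far larger wordlists.

```python
"""Offline dictionary attack on an exfiltrated, password-protected wallet file.

Constructed illustration, not code from GrassCall, AMOS or Rhadamanthys. The
wallet header format (salt + PBKDF2 key-check MAC) is hypothetical; the point
is that once the file leaves the victim's disk, guessing is offline and unlimited.
"""
import hashlib
import hmac
import itertools
import os
from typing import List, NamedTuple, Optional

# Deliberately low so the demo finishes in well under a second; real wallet
# formats use far higher work factors, which is the defender's main lever here.
ITERATIONS = 2_000
KEY_CHECK_MSG = b"wallet-key-check"

# Constructed attacker wordlist: a few base words plus the mangling rules
# (capitalisation, common suffixes) a real cracker would apply.
BASE_WORDS = ["password", "bitcoin", "wallet", "crypto", "letmein", "qwerty"]
SUFFIXES = ["", "1", "123", "2024", "2025", "!"]


class WalletHeader(NamedTuple):
    """Hypothetical on-disk header: everything the cracker needs is in the file itself."""
    salt: bytes
    iterations: int
    check: bytes


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, the kind of KDF a wallet derives its file-encryption key from."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_wallet(password: str, iterations: int = ITERATIONS) -> WalletHeader:
    """Build a wallet header: random salt plus a MAC that lets the owner (or thief) verify a password."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    check = hmac.new(key, KEY_CHECK_MSG, hashlib.sha256).digest()
    return WalletHeader(salt=salt, iterations=iterations, check=check)


def password_matches(wallet: WalletHeader, guess: str) -> bool:
    """Recompute the key-check MAC for a guess: no network, no lockout, no rate limit."""
    key = derive_key(guess, wallet.salt, wallet.iterations)
    candidate = hmac.new(key, KEY_CHECK_MSG, hashlib.sha256).digest()
    return hmac.compare_digest(candidate, wallet.check)


def candidates() -> List[str]:
    """Expand the base words with the mangling rules, cheapest guesses first."""
    out: List[str] = []
    for base, suffix in itertools.product(BASE_WORDS, SUFFIXES):
        out.append(base + suffix)
        out.append(base.capitalize() + suffix)
    return out


def crack(wallet: WalletHeader, wordlist: List[str]) -> Optional[str]:
    """Return the first guess that opens the wallet, or None once the list is exhausted."""
    for guess in wordlist:
        if password_matches(wallet, guess):
            return guess
    return None


if __name__ == "__main__":
    # Constructed victims: one weak wallet password, one long random passphrase.
    weak = make_wallet("bitcoin123")
    strong = make_wallet("ridge-lantern-velvet-orbit-quarry-73")
    print("weak wallet   ->", crack(weak, candidates()))    # bitcoin123
    print("strong wallet ->", crack(strong, candidates()))  # None
```

Two things follow from this for anyone who ran the app. First, a stolen wallet file remains attackable indefinitely; the attacker can keep adding wordlists and hardware long after the victim has cleaned the machine. Second, rotating the wallet password after the fact changes nothing about the copy the attacker already holds, so remaining funds need to be moved to a wallet generated on a clean device.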
Multiple iterations of GrassCall
Cybersecurity firm Recorded Future had previously linked Crazy Evil to over ten active social media scams, noting that the group specializes in targeting crypto users through custom spearphishing attacks.
Notably, the GrassCall scam is a successor to an earlier scheme called Gatherum, which operated under the same branding and logo.
Despite the takedown, traces of the operation remain. Investigators found an X (formerly Twitter) account named VibeCall, using the same branding as GrassCall and Gatherum.
Though created in June 2022, the account only became active in mid-February, leading experts to believe it may have been repurposed for the scam.
By contrast, Chain Seeker's online presence has mostly vanished.
Its website once listed executives like Isabel Olmedo (CFO) and Adriano Cattaneo (HR manager), both of whom had LinkedIn profiles that have since been wiped.
However, an account under the name Artjoms Dzalbs, identifying as the company’s CEO, remained active at the time of reporting.
Although the bad actors may have abandoned the scheme, the experts urged anyone who may have installed the malicious application to change their passwords, passphrases, and authentication tokens. Rotating credentials does not recover a wallet whose seed phrase or encrypted wallet file was already copied, since those remain usable to the attacker; any remaining funds should be moved to a new wallet generated on a clean device, and that device should not be the one that ran GrassCall, because the RAT it installed may still be present.
Crypto scammers on GitHub
As previously reported by Invezz, cybersecurity firm Kaspersky recently warned of another scheme in which threat actors create fake repositories on GitHub filled with malicious code that infects users' devices once downloaded and run.
Like GrassCall, the malware in these repositories deployed infostealers, remote access trojans, and clipboard hijackers, the last of which silently swap a copied wallet address for one controlled by the attacker.