Cybercriminals attacked cryptocurrency community through fake job postings and GrassCall app

February 27, 2025

Reportedly, scammers used fake job offers and a new app called GrassCall to install malware that stole user data, including cryptocurrency wallets.

Exposure of the fraud scheme 

BleepingComputer reported on February 26 that the fraudulent scheme was shut down: related websites and LinkedIn accounts were removed after hundreds of victims spoke out. Some of them claimed they lost their crypto wallets after downloading GrassCall.

According to the investigation, the cybercriminal group Crazy Evil was behind the scam. This is a team of social engineering specialists, also known as the "trader team," which specializes in cryptocurrency theft.

Previous scams by the group

Cybersecurity firm Recorded Future reported that it linked Crazy Evil to "more than ten active fraudulent schemes on social media." According to its data, the group "deliberately targets the cryptocurrency community using specially crafted spear-phishing baits."

One of Crazy Evil's previous scams, called Gatherum, was likely an early version of GrassCall, as it masqueraded as a similar meeting app with the same logo and branding.

How did the GrassCall scheme work?

In its latest scheme, Crazy Evil used a fake cryptocurrency company, Chain Seeker, which had social media accounts and posted job listings on LinkedIn, as well as on popular job search sites like CryptoJobsList and WellFound.

Candidates were sent emails asking them to contact the company's "marketing director" on Telegram. During the conversation, victims were encouraged to download the malicious GrassCall app from a website controlled by the group.