A new wave of sophisticated attacks on cryptocurrency users is emerging, with hackers impersonating venture capital firms and hijacking browser extensions to steal digital assets. According to a recent report by cybersecurity firm Moonlock Lab, these scammers are leveraging the ‘ClickFix’ technique to bypass traditional security measures and defraud users.
The ClickFix method is particularly insidious because it tricks users into executing the malicious payload themselves, often through seemingly legitimate means. In the latest campaigns, hackers are posing as reputable venture capital firms such as SolidBit, MegaBit, and Lumax Capital, reaching out to potential victims on LinkedIn with offers of partnerships and investment opportunities.
Impersonating VCs: The LinkedIn Bait
Once a target expresses interest, the hackers direct them to fake Zoom and Google Meet links. Clicking these links leads users to a page that mimics a Cloudflare ‘I’m not a robot’ checkbox. When the user clicks the checkbox, a malicious command is copied to their clipboard. The scam culminates when the user is prompted to paste this command into their computer’s terminal, unknowingly executing the attack.
“The ClickFix technique is what makes the final step so effective. By turning the victim into the execution mechanism—having them paste and run the command themselves—the attackers sidestep the very controls the security industry has spent years building,” said the Moonlock Lab team.
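
The lure flow described above leaves static traces a defender can check for in saved page HTML. The following triage sketch is an added example, not code from the Moonlock Lab report; the indicator names, verdict labels and sample pages are constructed for illustration.

```javascript
// Added example: static triage of page HTML for the ClickFix pattern described above.
// Indicator names, verdict labels and sample pages are constructed for illustration.
const INDICATORS = {
  // Script APIs that place text on the clipboard (checked against raw HTML).
  clipboard_write: /navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['"]copy['"]/i,
  // Fake human-verification wording (checked against visible text).
  human_check_lure: /i['’]m not a robot|verify (that )?you are (a )?human/i,
  // Instructions that pair "paste" with a shell, in either order.
  paste_into_shell: new RegExp(
    "\\bpaste\\b[\\s\\S]{0,200}\\b(terminal|powershell|command prompt)\\b" +
    "|\\b(terminal|powershell|command prompt)\\b[\\s\\S]{0,200}\\bpaste\\b", "i"),
};

// Drop tags, decode the apostrophe entities lure text commonly uses, collapse whitespace.
function toText(html) {
  return html.replace(/<[^>]*>/g, " ")
    .replace(/&(#39|apos|rsquo);/g, "'")
    .replace(/\s+/g, " ");
}

function triage(html) {
  const text = toText(html);
  const hits = Object.keys(INDICATORS).filter((name) =>
    INDICATORS[name].test(name === "clipboard_write" ? html : text));
  // Copy button plus "paste into terminal" also appears on legitimate install docs,
  // so that pair alone is only "review"; the fake human check raises the verdict.
  const copyAndPaste = hits.includes("clipboard_write") && hits.includes("paste_into_shell");
  let verdict = "ok";
  if (copyAndPaste) verdict = hits.includes("human_check_lure") ? "likely_clickfix" : "review";
  return { hits, verdict };
}

// Constructed sample pages; the copied string is a harmless placeholder.
const LURE_PAGE = `<div><input type="checkbox" id="c"> I&#39;m not a robot</div>
<p>To finish verification, open Terminal and paste the copied text.</p>
<script>document.getElementById("c").onclick = () => {
  navigator.clipboard.writeText("PLACEHOLDER_COMMAND"); };</script>`;
const DOCS_PAGE = `<button onclick="navigator.clipboard.writeText(cmd.textContent)">Copy</button>
<p>Paste the command into your terminal to install.</p>`;
const PLAIN_PAGE = `<p>Verify you are human to continue.</p>`;

for (const [name, page] of [["lure", LURE_PAGE], ["docs", DOCS_PAGE], ["plain", PLAIN_PAGE]]) {
  console.log(name, JSON.stringify(triage(page)));
}
```

Static patterns like these miss pages that build the clipboard call or instructions dynamically, so treat an "ok" verdict as absence of these specific markers rather than a clean bill of health.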
Hijacking QuickLens: A Malicious Extension
Meanwhile, the ClickFix technique has also been employed in the hijacking of a popular Chrome extension, QuickLens. This extension, which allows users to perform Google Lens searches directly from their browser, was compromised in February. After a change in ownership, a new version of QuickLens was released containing malicious scripts designed to steal crypto wallet data, seed phrases, and other sensitive information.
John Tuckner, founder of cybersecurity firm Annex Security, reported that the compromised extension had around 7,000 users. The hijacked QuickLens extension not only targeted crypto wallets but also scraped the contents of Gmail inboxes, YouTube channel data, and other login credentials or payment information entered into web forms.
The Broader Impact of ClickFix Attacks
The ClickFix technique has gained popularity among threat actors since last year, according to Moonlock Lab, due to its effectiveness in bypassing standard security tools. Security researchers have been tracking its use since at least 2024, with targets spanning a wide range of industries, including manufacturing, wholesale and retail, state and local governments, and utilities and energy.
Microsoft Threat Intelligence and cyber threat intelligence company Unit 42 have both issued warnings about the growing threat of ClickFix attacks. These campaigns are targeting thousands of devices globally every day, highlighting the need for increased vigilance and more robust security measures.
Looking Forward: Enhanced Security and User Awareness
As the sophistication of these attacks continues to rise, the crypto community must remain vigilant. Users should be cautious when engaging with unsolicited offers and should verify the legitimacy of links and requests. Additionally, developers and security firms need to stay ahead of these threats by continuously updating security protocols and educating users about the latest phishing techniques.
The battle against crypto scams is ongoing, and the ClickFix technique is just one of the many challenges the industry faces. By staying informed and proactive, both users and security experts can work together to mitigate the risks and protect the integrity of the crypto ecosystem.
