“Crazy Evil” Cryptoscam Gang: Unmasking a Global Threat in 2024

The “Crazy Evil” cryptoscam gang has been a leading threat in the cybercriminal landscape since 2021, focusing on cryptocurrency theft and identity fraud through sophisticated phishing and malware tactics. The group operates through six subteams, employing advanced tools and social engineering to target specific victim profiles, particularly in the cryptocurrency sector.

Affected: cryptocurrency users, social media platforms

Key points:

  • The “Crazy Evil” gang has been active since 2021, specializing in identity fraud and cryptocurrency theft.
  • They employ a network of traffers to redirect traffic to phishing pages.
  • The group consists of six subteams: AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND.
  • Over ten active scams have been identified, including Voxium and Rocket Galaxy.
  • They utilize advanced malware tools like Stealc and AMOS for cross-platform attacks.
  • Specific phishing tactics target cryptocurrency influencers and users.
  • Mitigations include enhancing endpoint protection, web filtering, and user awareness training.
  • Collaboration and information sharing with industry peers and law enforcement are recommended.
  • Staying compliant with regulatory requirements is crucial for organizations.
  • Using Recorded Future Malware Intelligence can help identify malicious indicators associated with Crazy Evil.

MITRE Techniques:

  • Phishing (T1566) – The gang uses tailored phishing lures to deceive victims, particularly in the cryptocurrency space.
  • Credential Dumping (T1003) – Tools like Stealc are employed to extract sensitive information from compromised systems.
  • Exploitation of Remote Services (T1210) – Malware payloads are designed for cross-platform infection, targeting vulnerabilities in remote services.
  • Command and Control (T1071) – The group utilizes C2 infrastructure to maintain communication with compromised devices.
  • Malware (T1203) – Advanced malware tools such as AMOS are used for executing attacks on victim systems.

Indicators of Compromise:

  • [domain] example1.com
  • [domain] example2.com
  • [url] http://malicious-site.com
  • [file name] malicious_file.exe
  • [tool name] Stealc
  • Check the article for all found IoCs.
Full Research: https://www.recordedfuture.com/research/crazy-evil-cryptoscam-gang