CyberSecurity SEE

Crazy Evil Gang Targets Crypto with StealC, AMOS, and Angel Drainer Malware

A cybercrime gang known as Crazy Evil, operating primarily in Russian-speaking circles, has been implicated in more than 10 ongoing social media scams designed to deceive and defraud victims. These scams utilize a variety of tactics to trick individuals into unwittingly installing malicious software, including well-known malware like StealC, Atomic macOS Stealer (also known as AMOS), and Angel Drainer.

Recorded Future’s Insikt Group conducted an analysis of Crazy Evil’s activities and discovered that the group specializes in identity theft, cryptocurrency theft, and the distribution of information-stealing malware. The gang employs a network of “traffers,” or social engineering experts, to redirect legitimate web traffic to malicious phishing pages. This diverse arsenal of malware suggests that Crazy Evil targets both Windows and macOS users, posing a threat to the decentralized finance ecosystem.

Crazy Evil has been operational since at least 2021 and primarily operates as a traffer team focused on redirecting legitimate web traffic to malicious landing pages controlled by other criminal organizations. The group is purportedly led by a threat actor known as @AbrahamCrazyEvil on Telegram, with over 4,800 subscribers on the messaging platform at the time of writing. Sekoia, a French cybersecurity company, highlighted the monetization of traffic by Crazy Evil, with botnet operators using the redirected traffic to compromise users’ devices.

Unlike other scams that involve setting up fake online stores to facilitate fraudulent transactions, Crazy Evil’s scams revolve around the theft of digital assets such as non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online banking accounts. The group is estimated to have generated over $5 million in illicit revenue and compromised tens of thousands of devices worldwide.

The recent exposure of Crazy Evil comes in the wake of exit scams perpetrated by other cybercrime groups such as Markopolo and CryptoLove. These groups were previously involved in a ClickFix campaign using fake Google Meet pages. Crazy Evil specifically targets the cryptocurrency space with tailor-made spear-phishing tactics, investing significant time in reconnaissance to identify and engage with potential targets.

In addition to orchestrating sophisticated attack chains that deploy information-stealing malware and wallet-draining software, Crazy Evil’s administrators offer instruction manuals, guidance for traffers, and crypter services for malicious payloads. The group boasts an affiliate structure to delegate operations efficiently.

Crazy Evil’s operations are intertwined with the use of Telegram, with newly recruited affiliates directed by a Telegram bot to various private channels for different purposes. The group comprises six sub-teams, each specializing in a specific scam aimed at deceiving victims into installing malicious tools from counterfeit websites.

As Crazy Evil continues to expand its criminal activities, it is likely that other cybercrime entities will adopt similar tactics, necessitating constant vigilance from security teams to prevent widespread breaches across various sectors. The group’s use of compromised WordPress sites and other distribution channels underscores the need for robust cybersecurity measures to protect against evolving threats posed by such groups.