Hackers are deploying sophisticated tactics to target Web3 professionals, using malware disguised as legitimate video conferencing applications to compromise cryptocurrency assets and sensitive user data. The malicious campaign, which has been active since September 2024, primarily impacts users operating on Windows and macOS platforms.
The fraudulent operation revolves around a deceptive meeting platform named “Meeten,” as identified by cybersecurity experts at Cado Security Labs. The malware employed, dubbed “Realst,” is designed to steal cryptocurrency wallets, browser credentials, and banking information. Meeten’s branding frequently changes to avoid detection, with earlier versions appearing under names like “Clusee,” “Cuesee,” and “Mentone.” These platforms mimic authentic meeting applications, leveraging convincing websites and social media profiles populated with AI-generated content to enhance their legitimacy.
How the Attack Works
On macOS systems, victims encounter a file named “CallCSSetup.pkg.” When executed, the malware prompts users to input their system passwords, granting the attackers elevated privileges. Once installed, Realst extracts critical information such as browser cookies, autofill credentials, Telegram account details, and wallet information from popular cryptocurrency management tools like Ledger Live and Trezor Suite. The stolen data, along with system metadata, is then transmitted to a remote command-and-control server.
To further obscure its activity, the malware displays an error message reading, “Cannot connect to the server. Please reinstall or use a VPN,” while continuing to exfiltrate data unnoticed.
For Windows users, the malware is delivered via an executable file named “MeetenApp.exe.” This version is particularly dangerous due to its use of a stolen digital certificate, which complicates detection by security software. The malware also modifies the Windows registry to ensure persistence, allowing it to remain active even after the system reboots.
Adding to the threat, the Meeten websites are embedded with malicious JavaScript code capable of draining connected cryptocurrency wallets directly. This makes interacting with these platforms doubly risky for Web3 professionals, whose activities often involve digital assets and blockchain technologies.
Impact and Scope of the Campaign
The campaign underscores the increasing sophistication of cyberattacks targeting the Web3 ecosystem, where social engineering tactics are often employed to deceive users. Fake meeting apps like Meeten exploit the trust users place in video conferencing tools, which have become indispensable in professional and collaborative environments. By mimicking real platforms and using AI-generated content, the attackers create a veneer of authenticity that lowers the guard of unsuspecting victims.
Data from the Federal Bureau of Investigation (FBI) reveals that 98% of all cybercrimes stem from social engineering tactics. This campaign exemplifies how attackers exploit human vulnerabilities alongside technical flaws to achieve their objectives.
Mitigation Measures
To protect against such threats, Web3 professionals and users at large are advised to:
- Avoid Downloading Unverified Software: Refrain from installing applications recommended through unsolicited messages or unfamiliar channels.
- Utilize Trusted Antivirus Solutions: Always scan downloads with reputable antivirus software or multi-engine scanning services such as VirusTotal to identify potential threats.
- Be Vigilant About Social Engineering: Understand common social engineering tactics to recognize and avoid suspicious links, requests, or prompts.
- Secure Cryptocurrency Wallets: Use hardware wallets and ensure no unverified software has access to wallet credentials.
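A defender-side triage script that follows the mitigation list above, added here as an example and not code from Cado Security Labs or the article: it hashes the files in a downloads folder, flags the lure file names and brand strings the article reports (CallCSSetup.pkg, MeetenApp.exe, and the Meeten/Clusee/Cuesee/Mentone branding), and builds the public VirusTotal lookup URL for each hash. The watched extension list and the placeholder sample folder are my own assumptions, not indicators from the page.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

# Lure file names and brand strings the article reports for this campaign.
LURE_FILENAMES = {"callcssetup.pkg", "meetenapp.exe"}
LURE_BRANDS = ("meeten", "clusee", "cuesee", "mentone")
WATCHED_SUFFIXES = {".pkg", ".exe", ".dmg", ".msi"}  # assumed; flagged only with a lure brand in the name

def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream-hash a file so large installers never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(name: str) -> Optional[str]:
    """Return why a file name looks like a lure, or None if it does not."""
    lower = name.lower()
    if lower in LURE_FILENAMES:
        return "exact match for reported lure file name"
    if Path(lower).suffix in WATCHED_SUFFIXES and any(b in lower for b in LURE_BRANDS):
        return "installer carrying a brand name used by the campaign"
    return None

def triage_downloads(folder: Path) -> list:
    """Hash every flagged file under folder and attach a VirusTotal lookup URL
    (the public per-hash page, so no API key or upload is needed)."""
    findings = []
    for path in sorted(p for p in folder.rglob("*") if p.is_file()):
        reason = classify(path.name)
        if reason is not None:
            digest = sha256_of(path)
            findings.append({"path": str(path), "sha256": digest, "reason": reason,
                             "lookup": f"https://www.virustotal.com/gui/file/{digest}"})
    return findings

def make_constructed_sample() -> Path:
    """Create a throwaway folder of harmless placeholder files named like the lures."""
    d = Path(tempfile.mkdtemp())
    (d / "MeetenApp.exe").write_bytes(b"constructed placeholder, not malware")
    (d / "Clusee-Installer.dmg").write_bytes(b"constructed placeholder, not malware")
    (d / "notes.txt").write_bytes(b"benign file, should not be flagged")
    return d

if __name__ == "__main__":
    for f in triage_downloads(make_constructed_sample()):
        print(f"{f['reason']}: {f['path']}\n  sha256={f['sha256']}\n  {f['lookup']}")
```

Point `triage_downloads` at a real Downloads folder to use it; a name match is only a reason to look up the hash, not proof of infection, since the campaign rebrands frequently.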
The cybersecurity firm’s investigation continues as it works to dismantle the infrastructure supporting this malicious campaign. In the meantime, heightened awareness and stringent cybersecurity practices are the best defenses against such evolving threats.
As the Web3 space continues to grow, the importance of proactive security measures becomes ever more critical. Professionals operating in this sector must remain vigilant, as the cost of a single breach can be catastrophic both financially and reputationally.