Fri. Feb 14th, 2025

Exposing a sophisticated phishing crypto scam

Incident Report: Social Engineering, Trojan Malware, and Cryptocurrency Theft from near-empty DeFi wallet

Date of Incident: January 2025
Targeted Wallet: 0x71eea80b3be0ccc720847e86e799a7edcbce15be


I, Steven Hatzakis, hear about scams like this almost daily, first-hand from consumers and from impostors (read more about scammers who impersonate me here), but I was quickly humbled when I became a victim myself after letting my guard down during a recent incident, which I am sharing below to help spread awareness and for the record. I am also sharing it because it was one of the most sophisticated, coordinated phishing attacks I have seen, and experiencing it first-hand raised my awareness even further of the almost endless attack vectors that creative scammers can exploit. Below is the story of how it went down:

Excerpt:

Incident Overview

In January 2025, I became the target of a sophisticated phishing scam that exploited social engineering, Trojan malware, and weaknesses in local storage security via MetaMask. The attack led to the theft of cryptocurrency worth over $200. This post documents the incident to raise awareness and help others protect their digital assets.

Social Engineering Tactics

The attacker impersonated Luna Schmid from Google Ventures, leveraging a verified Twitter account to gain credibility. They invited me to participate in a podcast titled “Theory and Practice,” using the email address [email protected]. This domain redirected to the official Google Ventures website, adding a deceptive layer of legitimacy.

Overview of the Incident

This report details a recent cybersecurity attack that combined sophisticated social engineering tactics, malware deployment, and exploitation of weak local storage security. The attacker impersonated Luna Schmid, a representative from Google Ventures, and leveraged a fraudulent conferencing software platform, OTOXAI.ORG, to gain access to sensitive cryptocurrency hot wallet data from MetaMask.

“I feel fortunate that the wallet they exploited happened to be a small DeFi hot wallet that I used with MetaMask and had recently nearly emptied, except for two tokens and less than $10 in ether, so the scammer got away with a little over $200 worth of crypto, stealing 200 Gitcoin and 5 million Shiba Inu tokens from me.”


Timeline of Events

Social Engineering and Trojan Deployment

  • Impersonation: The attacker posed as Luna Schmid, an executive at Google Ventures, using a verified Twitter account to initiate contact.
  • Invitation to Podcast: The scammer invited me to participate in the “Theory and Practice Podcast,” hosted by Google Ventures.
  • Bogus Email Domain: Email addresses used by the scammer included [email protected], which appeared legitimate because the domain redirected to Google Ventures’ official website via a 301 redirect, deceiving casual domain verification checks.
  • Trojan Delivery: As part of the podcast setup, I was asked to download conferencing software from OTOXAI.ORG. The software contained the AMOS Trojan, a sophisticated malware designed to extract cryptocurrency wallet data from local storage.
  • Immediate Response: While I immediately disabled Wi-Fi, wiped the device, and reinstalled the operating system, the damage was already done.

Wallet Compromise and Theft


Lessons Learned

  1. Weak Passwords Can Be Exploited:
    The compromised wallet stored encrypted SQL data with a password that was brute-forced. Always use complex, unique passwords and secure seed phrases offline, even for unlocking your MetaMask account, as that browser plugin leaves a copy of your seed phrase encrypted locally with that password (the attacker likely brute-force guessed the password, which only took them a few days). In other words, even though your 12-word mnemonic might have 128 bits of security, your MetaMask vault is only as strong as the password you use to log into it. And most people, myself included, probably don’t have a strong enough password for MetaMask via the Chrome plugin (unless they are using a Ledger or similar hardware device, which is probably the best option), especially since MetaMask doesn’t enforce such security (lesson learned on my end). Thankfully, I do use a hardware device and trusted custodians, and never leave serious amounts in DeFi wallets, where the majority of hacking theft occurs.
  2. Domain Verification Is Essential:
    The attacker’s use of a 301 redirect to a legitimate website highlights the importance of verifying domain ownership via DNS tools, and of treating 301 redirects with suspicion. Always verify email domains and links carefully. A simple check of the domain’s registration and DNS records could have revealed that it was newly registered and unaffiliated with Google Ventures.
  3. Avoid Unverified Software:
    Downloading software from unverified sources, even under the guise of professional activities, can introduce malware like the AMOS Trojan.
  4. Secure Cryptocurrency Wallets:
    • Use hardware wallets for long-term storage (the majority of crypto remains safe thanks to these best practices).
    • Avoid exposing private keys or storing wallet credentials locally in plain text (MetaMask should only be used for quick transactions and never left holding serious amounts of crypto).
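Lesson 1 in working form, as an added example that is not code from the original post or from MetaMask: a 12-word seed carries 128 bits of entropy, but once an infostealer copies the encrypted vault, the only secret left is the unlock password, which can be guessed offline, so the seed is only worth min(password entropy, 128 bits). Assumptions: PBKDF2-HMAC-SHA256 key derivation (the scheme MetaMask's vault uses) with an illustrative older iteration count, a caller-supplied guess rate, and a character-class entropy estimate that is an upper bound.

```python
import hashlib
import math
import string
# Added example, not MetaMask's code. PBKDF2_ITERATIONS is an assumed older default
# (current builds use far more); the entropy estimate is an upper bound.
SEED_BITS = 128             # 12-word BIP-39 mnemonic
PBKDF2_ITERATIONS = 10_000  # assumed, illustrative only

CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),
]


def password_entropy_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(size of the character pool actually used)."""
    pool = sum(size for chars, size in CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def effective_vault_bits(password: str, seed_bits: int = SEED_BITS) -> float:
    """What the encrypted seed is really worth: the weaker of the two secrets."""
    return min(password_entropy_bits(password), seed_bits)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Mean time to find the password: half the keyspace at the given offline rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def derive_vault_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deterministic in (password, salt): anyone holding a copy of the vault file can
    test guesses offline, and only the iteration count slows each guess down."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def vault_password_acceptable(password: str, min_bits: float = 80.0) -> bool:
    """Policy gate the wallet does not enforce itself: reject passwords that leave
    the seed below min_bits of effective security."""
    return effective_vault_bits(password) >= min_bits


if __name__ == "__main__":
    for pw in ("hunter2", "Tr0ub4dor&3", "Tr0ub4dor&3-Xq9!mZ2pL#vW"):
        bits = effective_vault_bits(pw)
        days = expected_crack_seconds(bits, 1e6) / 86400  # 1e6 guesses/s is illustrative
        print(f"{pw!r}: {bits:.1f} effective bits, ~{days:.3g} days")
```

The third sample password is the only one whose effective strength actually reaches the seed's 128 bits; the first two cap the vault well below it regardless of the mnemonic.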
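Lesson 2 as a check a recipient can run, added here and not part of the original post: the request deliberately does not follow redirects, so a look-alike sender domain that 301s to a real brand's site is reported as borrowed rather than silently trusted, and the registration date is compared against a minimum age. All hostnames and dates are constructed; `registrable_domain()` is a naive two-label split, so use a public suffix list in production.

```python
import http.client
from datetime import date
from urllib.parse import urlparse
# Added example, not from the original post; hostnames and dates are constructed.
# registrable_domain() is a naive two-label split (use a public suffix list in production).
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def fetch_redirect(host: str):
    """One HEAD request to https://host/ ; http.client never follows redirects, so
    the Location header is visible instead of silently landing on the real site."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def redirect_chain(host: str, fetch=fetch_redirect, max_hops: int = 5) -> list:
    """Hosts visited in order, never auto-following a redirect. fetch is injectable
    so a chain can be replayed offline from captured responses."""
    chain = [host]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urlparse(location).hostname or chain[-1]
        if nxt == chain[-1]:
            break
        chain.append(nxt)
    return chain

def registrable_domain(host: str) -> str:
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_sender_domain(sender_domain, chain, created, today, min_age_days=90):
    """Findings to weigh before trusting mail from sender_domain. created is the
    WHOIS/RDAP creation date (None if unknown); chain comes from redirect_chain()."""
    findings = []
    landed = chain[-1]
    if registrable_domain(landed) != registrable_domain(sender_domain):
        findings.append(f"{sender_domain} redirects to {landed}: brand borrowed, not owned")
    if created is None:
        findings.append("creation date unknown: check WHOIS/RDAP before trusting")
    elif (today - created).days < min_age_days:
        findings.append(f"domain registered only {(today - created).days} days ago")
    return findings

def demo():
    """Constructed chain modelled on the post: a look-alike domain 301s to the real site."""
    responses = {"gv-podcast.example": (301, "https://www.legit-vc.example/"),
                 "www.legit-vc.example": (200, None)}
    chain = redirect_chain("gv-podcast.example", fetch=lambda h: responses[h])
    return assess_sender_domain("gv-podcast.example", chain, date(2024, 12, 20), date(2025, 1, 15))
```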

Steps Taken

  • Reported Suspicious Activity:
    I reported the suspicious activity via Cybera.io, a partner of Chainalysis, which files a criminal report on your behalf with law enforcement agencies and exchanges to help with tracing cryptocurrency movements.
  • Strengthened Cybersecurity Measures:
    • Enhanced endpoint protection and regular scans for malware.
    • Strengthened passwords and 2FA across all accounts.
    • Regular audits of wallet activity to detect anomalies early.
  • Public Disclosure for Transparency:
    While the compromised wallet is publicly associated with me, I’m sharing this report to raise awareness of the sophisticated tactics employed by the attacker and to emphasize the importance of cybersecurity in the cryptocurrency space (learn more here in the latest 2024 Crypto Crime Report from Chainalysis).

If you’ve found this post helpful, please share it to raise awareness about phishing scams in the crypto space. Protect yourself and your assets by adopting strong cybersecurity practices today.