Analysis Summary

Crazy Evil, a Russian-speaking cybercrime gang, has been linked to a series of social media scams targeting cryptocurrency users, primarily through the distribution of malware like StealC, Atomic macOS Stealer (AMOS), and Angel Drainer.

According to the Researcher, Operating since at least 2021, Crazy Evil specializes in identity fraud, cryptocurrency theft, and information-stealing malware. The group uses social engineering tactics and a network of traffic to redirect legitimate internet traffic to malicious phishing pages, compromising both Windows and macOS users. These attacks often focus on decentralized finance (DeFi) systems and are estimated to have generated over $5 million in illicit revenue, affecting tens of thousands of devices globally.

The gang operates through a sophisticated traffer model, employing six sub-teams—AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND—each associated with specific scams. These scams often promote fake platforms such as Voxium, TyperDex, DeMeet, and Selenium Finance, among others, under the guise of legitimate services. The malware used, primarily AMOS, is distributed via these fraudulent websites, and the group has been particularly active in exploiting the cryptocurrency space with highly-targeted spear-phishing campaigns. Crazy Evil's operations are further coordinated via Telegram channels, where affiliates are instructed on how to execute these attacks and share updates on their activities.

Crazy Evil's traffers use a "lead generation" approach to generate high-quality, undetected traffic, ensuring their malicious pages are not flagged by security vendors. The group’s success has also contributed to its growth, with over 4,800 subscribers on Telegram, where they provide tools, guides, and affiliate opportunities to other cybercriminals. The group’s modular structure, with distinct sub-teams dedicated to specific scams, has allowed it to scale operations effectively while maintaining operational secrecy. This approach has allowed them to maintain a sustained presence in the cryptocurrency ecosystem, further exacerbating the risks to digital asset holders.

In addition to its focus on cryptocurrency theft, Crazy Evil is part of a larger trend of cybercrime groups using traffic distribution systems (TDS) like TAG-124. This system, which overlaps with various ransomware groups, uses compromised WordPress sites to redirect users to fake landing pages that deliver malware. These sites, often running outdated plugins, make detection more difficult. The TDS is used to distribute not only malware like StealC and AMOS but also other malicious payloads like Lumma Stealer and Cobalt Strike Beacon. This interconnectedness between cybercrime groups highlights the broader threat landscape and the need for heightened security across platforms.