ClickFix attack escalates, hackers impersonate VCs and hijack browser extensions to steal crypto assets

The cybersecurity agency Moonlock Lab reports that crypto hackers have recently upgraded their "ClickFix" attack method, beginning to impersonate venture capital firms to contact target users through social platforms and lure them into executing malicious code to steal crypto assets.

Attackers disguise themselves as fake venture capital firms such as SolidBit, MegaBit, and Lumax Capital, sending collaboration invitations via LinkedIn and guiding victims to fake Zoom or Google Meet meeting links. The pages embed a fake Cloudflare "I am not a robot" verification button, which, when clicked, copies malicious commands to the clipboard and tricks users into pasting and executing them in the terminal, thus completing the attack. Researchers point out that this method circumvents traditional security mechanisms by "making victims execute commands themselves."

Meanwhile, hackers are also hijacking browser extensions to carry out attacks. John Tuckner, founder of cybersecurity company Annex Security, revealed that the Chrome extension QuickLens, after changing ownership on February 1, released a new version containing malicious scripts two weeks later, triggering ClickFix attacks and stealing user data. The extension had about 7,000 users and has since been removed from the store. Reports indicate that the hijacked extension scans crypto wallet data and mnemonic phrases, and scrapes Gmail content, YouTube channel data, and web login or payment information.