  • 27 Feb 25

Scammers Use Fake Crypto Jobs to Spread GrassCall Malware and Steal Assets


nft.eu

Cybercriminals are targeting job seekers with fake crypto job listings and the malicious GrassCall app to steal cryptocurrency. Scammers posed as representatives of a crypto firm, offering employment but ultimately tricking candidates into downloading malware that drained their crypto wallets.

Who Is Behind the Attack

According to Recorded Future, the attack was orchestrated by the Crazy Evil cybercriminal group, known for phishing and cryptocurrency theft. In January, the group was linked to more than ten active crypto scams.

GrassCall is not the first malicious app used in this scheme. Previously, scammers deployed Gatherum, disguised as a video call service. A related VibeCall account on X used similar branding to both Gatherum and GrassCall.

How the Fake Job Scam Worked

Scammers created a fake crypto firm called Chain Seeker and posted job listings on LinkedIn, CryptoJobsList, and WellFound. After candidates applied, they were contacted via email and directed to a "marketing director" on Telegram.

Victims were then asked to download the GrassCall app from a fake website, which enabled the theft of their crypto wallet credentials.

Victim Comments

Many LinkedIn and X users reported encountering Chain Seeker job listings and being sent a GrassCall link.

“This scam was well-planned — they had a website, LinkedIn profiles, and fake employees,” wrote Cristian Ghita on LinkedIn on February 26, after applying for a role at Chain Seeker.

Even the video call app appeared realistic, he added.

While most Chain Seeker job ads were removed, at least one listing remained active on LinkedIn at the time of publication.

Fake Employees and Warnings from Experts

The Chain Seeker website listed Isabel Olmedo as CFO and Adriano Cattaneo as HR Manager. However, their LinkedIn profiles have been deleted.

The account of Artjoms Dzalbs, listed as the company’s CEO, remained active at the time of writing.

Recorded Future has previously warned that crypto traders, NFT investors, and gamers are prime targets for these types of attacks.

What to Do If You Were Targeted

Users on LinkedIn and X advise victims who downloaded GrassCall to immediately:

  • Change passwords on all crypto services using a clean device.
  • Move assets to a new crypto wallet to prevent theft.

While the fraudulent accounts have been removed, this attack highlights how scammers continue to exploit social engineering to access digital assets.

This post is for informational purposes only and is not an ad or investment advice. Please do your own research before making any decisions.
