A Russian-speaking cybercrime syndicate, Crazy Evil, has been tied to more than 10 active social media scams, employing diverse tactics to trick victims into installing malicious software such as StealC, Atomic macOS Stealer (AMOS), and Angel Drainer.
"Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil operates a sophisticated network of traffers — social engineering specialists tasked with redirecting legitimate traffic to malicious phishing sites," stated Recorded Future's Insikt Group in their analysis.
The group's varied malware arsenal indicates that its targets include both Windows and macOS users, posing a significant threat to the decentralized finance sector.
Crazy Evil, active since at least 2021, mainly operates as a traffer team, redirecting legitimate traffic to fraudulent landing pages controlled by other criminal entities. It is allegedly managed by a figure known as @AbrahamCrazyEvil on Telegram, where the group has over 4,800 subscribers (@CrazyEvilCorp).
Unlike typical scams that create counterfeit shopping websites for fraudulent transactions, Crazy Evil focuses on stealing digital assets, including NFTs, cryptocurrencies, payment card information, and online banking credentials. The group is believed to have generated over $5 million in illicit revenue, impacting thousands of devices worldwide.
The group's notoriety has grown following exit scams involving two other cybercrime outfits—Markopolo and CryptoLove—which were previously associated with a ClickFix campaign involving fake Google Meet pages in October 2024.
"Crazy Evil explicitly targets the cryptocurrency sector with custom spear-phishing lures," Recorded Future noted. "Crazy Evil traffers often spend days or even weeks scouting operations, identifying targets, and initiating engagements."
In addition to orchestrating attacks that deliver information stealers and wallet-draining malware, the group's leaders offer training materials and guidance for traffers, alongside an affiliate structure to delegate operations.
Crazy Evil is the second cybercrime group after Telekopye to be exposed in recent years, with its operations centered around Telegram. New recruits are guided by a Telegram bot controlled by the threat actor to various private channels, such as:
- Payments: Announcing earnings for traffers
- Logbar: Tracking information-stealer attacks and stolen data
- Info: Offering regular updates on administrative and technical matters
- Global Chat: A central space for communication, from work-related topics to casual discussions
The group operates through six sub-teams—AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND—each responsible for specific scams involving the installation of malicious tools via fake websites.
"As Crazy Evil continues to thrive, other cybercriminal groups are likely to mimic its tactics, urging security teams to stay alert to avoid large-scale breaches and loss of trust within the cryptocurrency, gaming, and software sectors," said Recorded Future.
This revelation follows the discovery of a traffic distribution system (TDS) named TAG-124, which overlaps with activity clusters linked to multiple threat groups, including Rhysida ransomware, Interlock ransomware, and SocGholish. This TDS is used in initial infection chains to distribute malware such as the Remcos RAT and CleanUpLoader, the latter of which serves as a conduit for both Rhysida and Interlock ransomware.
"TAG-124 is composed of compromised WordPress sites, actor-controlled payload servers, and additional components," explained Recorded Future. "When specific criteria are met, these sites display fake Google Chrome update landing pages, leading to malware infections."
The use of TAG-124 further links Rhysida and Interlock ransomware strains, with newer variants employing the ClickFix technique, which instructs visitors to execute a command copied to their clipboard to trigger the malware infection.
Compromised WordPress sites, totaling over 10,000, have been used to distribute AMOS and SocGholish as part of client-side attacks.
"JavaScript loaded in the user's browser generates a fake page within an iframe," said researcher Himanshu Anand. "Attackers exploit outdated WordPress versions and plugins to avoid detection by websites lacking client-side monitoring tools."
Additionally, threat actors have leveraged the trust in platforms like GitHub to distribute malicious installers leading to the deployment of Lumma Stealer and other payloads, including SectopRAT, Vidar Stealer, and Cobalt Strike Beacon.
Trend Micro highlighted that this activity shares similarities with the tactics used by the threat actor Stargazer Goblin, known for utilizing GitHub repositories for payload distribution. However, the key difference is that the infection chain begins with compromised websites that redirect to malicious GitHub release links.
"The Lumma Stealer distribution method is evolving, with the attacker now using GitHub repositories to host malware," said security researchers Buddy Tancio, Fe Cureg, and Jovit Samaniego.
"The malware-as-a-service (MaaS) model makes it easier for cybercriminals to execute sophisticated cyberattacks, simplifying the spread of threats like Lumma Stealer."
In a comment to The Hacker News, Antonis Terefos, a reverse engineer at Check Point Research, noted that the Stargazer Goblin group has been observed "shifting from Atlantida Stealer to Lumma, and testing other stealers."