Fake AI startups unleash wave of crypto-stealing malware in sophisticated 2025 scams
Crypto-stealing malware is surging in 2025, with scammers impersonating flashy AI and Web3 startups to launch one of the most coordinated digital heists in recent memory.
A dangerous wave of crypto-stealing malware is sweeping through digital asset communities, with cybersecurity firm Darktrace uncovering an alarming trend: scammers are now creating entirely fake AI and Web3 startups to distribute malicious software.
These elaborate operations – complete with professional branding, counterfeit investor pages, and verified social media accounts – have already drained millions from unsuspecting victims through seemingly legitimate projects like “Eternal Decay” and “Pollens AI.”
The crypto-stealing malware typically hides in software downloads promoted through Telegram, Discord, and X by actors posing as company representatives.
Fake startups creating real threats
“Threat actors are going to great lengths to make these fake startups look real,” said a Darktrace analyst in a press briefing.
“They’re building fake merchandise shops, faking investor pages, and even using verified social accounts to boost credibility.”
Startups like “Eternal Decay,” which pretended to be a blockchain-based gaming platform, fooled users with images stolen from another title, “Zombie Within.” Other bogus firms include Pollens AI, Swox, and Buzzu — all with eerily similar branding and cloned codebases.
What links them all? A payload of crypto-stealing malware embedded in software downloads, often shared directly via Telegram, Discord, or X (formerly Twitter) by scammers posing as company employees.
Source: Darktrace
Darktrace’s technical team discovered that the malware, often based on the Realst and Atomic Stealer families, targets both Windows and macOS.
The Windows version relies on Electron-based apps for system profiling and stealthy file execution. On macOS, it uses sophisticated tactics like obfuscation, stolen certificates, and background persistence.
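As an added illustration (this script is not from the article or from Darktrace's report), here is a defender-side triage of macOS launchd property lists, the usual place a "background persistence" entry of the kind described above would show up. The article does not say which persistence mechanism these samples use, so the LaunchAgent/LaunchDaemon focus, the trusted and scratch directory lists, the interpreter list, and the three sample plists are all assumptions constructed for the example.

```python
"""Triage macOS launchd plists for stealer-style persistence (added example)."""
import plistlib
from pathlib import Path
from typing import Dict, List, Tuple

# Assumption: vendor-managed binaries normally live under these prefixes.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Assumption: scratch/shared locations commodity stealers tend to drop payloads into.
SCRATCH_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
# Interpreters that a plist may use as a thin wrapper around the real payload.
INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python3", "perl"}


def effective_target(plist: dict) -> Tuple[str, str]:
    """Return (launcher, real target).

    launchd runs Program, or ProgramArguments[0]. When that is a shell or
    script interpreter, the path worth inspecting is its first absolute-path
    argument (e.g. the script handed to osascript or bash -c).
    """
    args = list(plist.get("ProgramArguments") or [])
    launcher = plist.get("Program") or (args[0] if args else "")
    if Path(launcher).name in INTERPRETERS:
        for arg in args[1:]:
            if arg.startswith("/"):
                return launcher, arg
    return launcher, launcher


def assess_launch_item(data: bytes) -> Dict[str, object]:
    """Parse one plist and list the traits that make it look like a persistence drop."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    launcher, target = effective_target(plist)
    reasons: List[str] = []
    if not launcher:
        reasons.append("no Program/ProgramArguments")
    else:
        if launcher != target:
            reasons.append(f"launched through interpreter wrapper {launcher}")
        if not target.startswith(TRUSTED_PREFIXES):
            if target.startswith(SCRATCH_PREFIXES):
                reasons.append(f"target in scratch/shared directory: {target}")
            else:
                reasons.append(f"target outside system/app directories: {target}")
            if "/." in target:
                reasons.append("hidden path component in target")
            if label.startswith("com.apple."):
                reasons.append("Apple-style label for a non-Apple binary")
    # Only worth mentioning once something else is already off: many benign
    # agents also auto-start, so this alone is not a signal.
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: restarts if killed")
    return {"label": label, "target": target, "reasons": reasons,
            "verdict": "suspicious" if reasons else "ok"}


def audit_directory(directory: Path) -> List[Dict[str, object]]:
    """Run the check over every plist in a LaunchAgents/LaunchDaemons folder."""
    return [dict(assess_launch_item(p.read_bytes()), file=str(p))
            for p in sorted(directory.glob("*.plist"))]


# Constructed sample plists (not real artifacts from the campaign).
SAMPLES = {
    "benign": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>Program</key><string>/Applications/Backup.app/Contents/MacOS/backup-agent</string>
<key>RunAtLoad</key><true/>
</dict></plist>""",
    "stealer_wrapper": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.softwareupdate.helper</string>
<key>ProgramArguments</key><array>
<string>/bin/bash</string><string>-c</string>
<string>/Users/Shared/.update/agent --silent</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>""",
    "script_loader": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.launcher</string>
<key>ProgramArguments</key><array>
<string>/usr/bin/osascript</string><string>/tmp/.x/loader.scpt</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><false/>
</dict></plist>""",
}


def demo() -> Dict[str, Dict[str, object]]:
    """Assess the constructed samples; the two non-benign ones come back 'suspicious'."""
    return {name: assess_launch_item(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["verdict"], result["reasons"])
```

On a real machine you would point `audit_directory` at `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons` and review anything marked suspicious by hand; the path heuristics are deliberately coarse, so treat the output as a triage list rather than a verdict.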
“These apps appear polished — like something you’d see from a real startup — but they’re weapons built to steal wallets and identity data,” explained Darktrace in their report.
The return of the notorious malware group CrazyEvil?
Interestingly, the tactics mimic methods used by the notorious malware group CrazyEvil, first identified by Recorded Future earlier this year.
Though not directly linked yet, the strategy and deception style match previous campaigns that specifically targeted developers and Web3 contributors.
“Whether it’s CrazyEvil or a new threat actor, the evolution is clear,” said Allan Liska, a threat intelligence analyst at Recorded Future. “We’re seeing malware authors create brands, communities, and whole ecosystems as traps — not just phishing emails.”
The explosion of crypto-stealing malware in 2025 isn’t isolated. It’s part of a broader cybercrime wave targeting crypto. A recent Kaspersky Financial Cyberthreats report found that:
Crypto phishing attacks are up 83.4% year-over-year
Mobile banking trojans have surged by 360%
Meanwhile, attacks on traditional banking systems are in decline
“Cybercriminals are following the money,” noted Kaspersky’s lead researcher, Igor Golovanov. “They’re investing in malware specifically designed to target crypto, because that’s where the real profits are now.”
🐾 SparkKitty: A silent killer on mobile
One of the most dangerous new strains is SparkKitty, a mobile malware family that’s been active since February 2024.
Disguised as TikTok mods or crypto apps, it managed to bypass Play Store and App Store protections, stealing users’ seed phrases by accessing photo galleries and clipboard data.
Security researchers believe SparkKitty’s success proves just how advanced crypto-stealing malware has become, and how underprepared average users remain.
How to stay safe from these scammers
With scammers replicating legitimate business tactics, spotting fraud is tougher than ever. Experts advise users to:
Avoid downloading crypto apps from unverified sources
Double-check team identities and project backers
Never share private keys or seed phrases, especially in chats
Use multi-layered wallet security (cold storage, passphrases)
As 2025’s crypto-stealing malware campaigns reach new heights, they reveal a chilling truth: trust, the cornerstone of Web3, is now a primary attack vector.
In a world where innovation is easily imitated and credentials are gold, vigilance is no longer optional; it is a matter of survival.
Davidson Okechukwu is a passionate crypto journalist/writer and Web3 enthusiast, focusing on blockchain innovation, DeFi, NFT ecosystems, and the societal impact of decentralized systems.
He holds a degree in Computer Science and various professional certifications from prestigious institutions, and his engaging style bridges the gap between technology and everyday understanding.
With over four years of experience in the crypto and DeFi space, Davidson combines his technical knowledge with a keen understanding of market dynamics.
In addition to his work in cryptocurrency, he is a dedicated realtor and web management professional.