"Crazy Evil" Cryptoscam Gang

Since 2021, the "Crazy Evil" cryptoscam gang has escalated into one of the most prolific cybercriminal groups targeting digital assets. Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a well-coordinated network of traffers — social engineering experts tasked with redirecting legitimate traffic to malicious phishing pages.

Crazy Evil’s operation is both vast and meticulous. Its six subteams — AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND — run bespoke scams targeting specific victim profiles. From phishing lures aimed at cryptocurrency influencers to malware payloads designed for cross-platform infection, the group's tactics reflect an advanced understanding of cybersecurity loopholes.

Key Findings

1. Social Media Scams: Insikt Group has found over ten active scams, including Voxium and Rocket Galaxy, leveraging tailored lures to deceive victims.
2. Diversified Malware Toolkit: Crazy Evil uses advanced tools like Stealc and AMOS for Windows and macOS, ensuring widespread compromise.
3. Targeting of Cryptocurrency Users and Influencers: Crazy Evil explicitly victimizes the cryptocurrency space with bespoke spearphishing lures.

Mitigations

• Enhance Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions to monitor for and block the execution of known malware families associated with Crazy Evil, such as Rhadamanthys, Stealc, and AMOS. These specific tools, in combination with social media scams, are immediate indicators of a Crazy Evil attack.
• Web Filtering and Monitoring: Deploy web filtering solutions to block access to known malicious domains linked to Crazy Evil — including all of the domains listed in this report — as well as suspicious downloads, especially those related to cracked “freemium” software.
• Continuous Threat Intelligence Monitoring: Regularly update threat intelligence feeds with the latest indicators of compromise (IoCs) related to Crazy Evil. Ensure that security teams are aware of the latest tactics, techniques, and procedures (TTPs) employed by the group.
• User Awareness and Training: Implement ongoing cybersecurity awareness training for employees, emphasizing the risks associated with phishing, social engineering, and suspicious downloads. Include specific modules on the risks posed by Crazy Evil’s cryptocurrency-targeted attacks.
• Collaboration and Information Sharing: Collaborate with industry peers, threat intelligence organizations, and law enforcement agencies to share information on Crazy Evil and similar threats. Engage in cross-sector initiatives to improve collective defenses against advanced cybercriminal groups.
• Enhanced Regulatory Compliance: Stay ahead of evolving regulatory requirements related to data protection and cybersecurity. Ensure that your organization’s practices align with both domestic and international standards, particularly in industries like finance, where Crazy Evil’s attacks could have severe consequences.
• Recorded Future: Insikt Group recommends using Recorded Future Malware Intelligence to identify build IDs, C2 infrastructure, staging domains, and other malicious indicators associated with the Crazy Evil scams described above. Using both Recorded Future Malware Intelligence and Recorded Future Network Intelligence can better identify and cluster infostealer activity, providing initial indications of infections, victimology, and pivoting scams.

To read the entire analysis, click here to download the report as a PDF.