Crypto hackers using “ClickFix” social-engineering attacks have begun impersonating venture capital firms and hijacking browser extensions to steal funds and credentials, cybersecurity researchers warn.
Moonlock Lab reported that scammers set up fake VC identities — including SolidBit, MegaBit and Lumax Capital — to approach targets on LinkedIn with partnership offers. Targets are then steered to fraudulent Zoom or Google Meet links. The meeting pages present a fake Cloudflare “I’m not a robot” checkbox which, when clicked, copies a malicious command to the clipboard and instructs the user to paste it into their computer terminal as a verification step. Pasting and running that command executes the attacker’s payload.
“By turning the victim into the execution mechanism — having them paste and run the command themselves — the attackers sidestep the very controls the security industry has spent years building,” Moonlock Lab said, noting the ClickFix technique avoids downloads or obvious exploits.
Moonlock Lab identified an account in the name of Mykhailo Hureiev, listed as co-founder and managing partner at SolidBit Capital, as a primary contact used during the initial LinkedIn outreach; others have reported suspicious conversations with a Hureiev account. The research group emphasized the campaign’s infrastructure is built to rotate identities and fronts as soon as one is exposed.
In a related vector, attackers compromised a Chrome extension. QuickLens — an extension that enabled Google Lens searches in-browser and had roughly 7,000 users — was removed from the web store after a change of ownership on Feb. 1 and the release of a new version two weeks later that contained malicious scripts. Annex Security reported the updated extension launched ClickFix attacks and other information-stealing tools.
The hijacked QuickLens searched for crypto wallet data and seed phrases, and scraped Gmail inboxes, YouTube channel data, and other credentials and payment information entered into web forms, according to eSecurity Planet.
ClickFix campaigns have been observed since at least 2024 and have broadened beyond crypto to target many industries. Microsoft Threat Intelligence warned in August 2025 it had tracked campaigns targeting thousands of enterprise and end-user devices daily. Unit42 reported in mid-2025 that ClickFix-style social engineering affected manufacturing, wholesale and retail, state and local governments, and utilities and energy.
Security takeaways: be skeptical of unsolicited partnership messages and meeting links, verify contacts independently, avoid pasting or running commands provided in web pages or chats, review browser extensions’ ownership and permissions, and remove or disable extensions that change ownership or behave suspiciously.
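The QuickLens case above was an ownership change followed by an update, so one way to act on the "review permissions" takeaway is to diff what an extension's manifest requests before and after an update. The following is an added example, not code from the article or from any of the researchers cited; the two manifests are constructed for a hypothetical extension, and the function names `surface` and `review_update` are assumptions.

```python
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def surface(manifest: dict) -> set:
    """Flatten a Chrome manifest (MV2 or MV3) into (kind, value) capability pairs."""
    caps = set()
    # MV2 mixes API names and host patterns in "permissions"; MV3 splits hosts out.
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str):
                kind = "host" if ("://" in p or p == "<all_urls>") else "api"
                caps.add((kind, p))
    # Content scripts run inside matched pages and can read what is typed there.
    for cs in manifest.get("content_scripts", []):
        for m in cs.get("matches", []):
            caps.add(("inject", m))
        for js in cs.get("js", []):
            caps.add(("script", js))
    return caps

def review_update(old: dict, new: dict) -> list:
    """Return capabilities the new version gained, broad host access listed first."""
    gained = surface(new) - surface(old)
    def rank(cap):
        kind, value = cap
        return (0 if value in BROAD_HOSTS else 1, kind, value)
    return [f"{'BROAD ' if v in BROAD_HOSTS else ''}{k}: {v}"
            for k, v in sorted(gained, key=rank)]

# Constructed manifests for a hypothetical extension; not taken from any real one.
OLD = json.loads("""{"manifest_version": 3, "version": "1.0.0",
  "permissions": ["contextMenus", "activeTab"]}""")
NEW = json.loads("""{"manifest_version": 3, "version": "1.1.0",
  "permissions": ["contextMenus", "activeTab", "scripting", "clipboardWrite"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["c.js"]}]}""")

if __name__ == "__main__":
    for line in review_update(OLD, NEW):
        print(line)
```

A non-empty result after an update, especially a `BROAD host` entry or a new `inject` target, is a reason to check who now publishes the extension before keeping it enabled.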