Cybersecurity researchers warn that ClickFix social-engineering attacks are increasingly targeting crypto professionals by impersonating venture capital firms and hijacking browser extensions to steal funds and credentials.
According to Moonlock Lab, scammers create convincing fake VC identities — names observed include SolidBit, MegaBit and Lumax Capital — and reach out to targets on LinkedIn with partnership or deal proposals. Conversations are escalated to fraudulent Zoom or Google Meet links. The meeting page displays a bogus Cloudflare ‘I’m not a robot’ checkbox which, when clicked, copies a malicious command to the clipboard and instructs the user to paste it into a terminal as a verification step. Pasting and executing that command runs the attacker’s payload on the victim’s machine.
Moonlock Lab noted the attackers ‘turn the victim into the execution mechanism,’ bypassing conventional protections by having users run commands themselves rather than delivering an obvious download or exploit. The group also identified an account in the name of Mykhailo Hureiev, presented as a co-founder and managing partner of SolidBit Capital, used in initial LinkedIn outreach; similar accounts have been reported by other targets. Researchers say the campaign infrastructure is designed to rotate identities and fronts as soon as one is exposed.
A related vector involved a compromised Chrome extension. QuickLens, an extension that enabled Google Lens-style searches in the browser and had roughly 7,000 users, was removed from the Chrome Web Store after a change of ownership on Feb. 1 and the release of a new version two weeks later that contained malicious scripts. Annex Security reported the updated extension launched ClickFix-style attacks and additional information-stealing tools. eSecurity Planet reported the hijacked QuickLens searched for crypto wallet data and seed phrases and scraped Gmail inboxes, YouTube channel data, and other credentials and payment information entered into web forms.
ClickFix campaigns have been observed since at least 2024 and have expanded beyond crypto into many industries. Microsoft Threat Intelligence reported in August 2025 that it had tracked campaigns affecting thousands of enterprise and end-user devices daily, and Unit42 documented ClickFix-style social engineering hitting manufacturing, wholesale and retail, state and local governments, and utilities and energy in mid-2025.
Security takeaways: be skeptical of unsolicited partnership messages and meeting links, independently verify contacts before engaging, never paste or run commands provided in a web page or chat, review browser extensions for recent ownership changes and excessive permissions, and remove or disable extensions that change hands or behave suspiciously.