"ClickFix" Attack Escalation: Hackers Impersonate VCs and Hijack Browser Extensions to Steal Cryptocurrency Assets

On March 3rd, cybersecurity organization Moonlock Lab reported that crypto hackers have recently upgraded their “ClickFix” attack method, impersonating venture capital firms to contact target users via social media platforms and induce them to execute malicious code to steal crypto assets. The attackers disguise themselves as fake VC firms such as SolidBit, MegaBit, Lumax Capital, and send collaboration invitations through LinkedIn, guiding victims to fake Zoom or Google Meet meeting links. The pages embed a fake Cloudflare “I’m not a robot” verification button; clicking it copies malicious commands to the clipboard and tricks users into pasting and executing them in the terminal, completing the attack. Researchers point out that this method bypasses traditional security defenses by “making victims execute commands themselves.” Meanwhile, hackers also hijack browser extensions to carry out attacks. John Tuckner, founder of cybersecurity firm Annex Security, revealed that after the Chrome extension QuickLens changed ownership on February 1st, a new version containing malicious scripts was released two weeks later, triggering the ClickFix attack and stealing user data. The extension has approximately 7,000 users and has now been removed from the store. The report states that hijacked extensions scan crypto wallet data and mnemonics, and capture Gmail emails, YouTube channel data, as well as login and payment information.