
"Crazy Evil" Gang Spreads Malware That Steals Information Targeting Crypto Market

Just a SOC Analyst ^^

Information about the Crazy Evil Group

Crazy Evil is a cybercriminal group from Russia that has been active since 2021, specializing in digital asset fraud, identity theft, and the distribution of information-stealing malware (infostealer). The group primarily operates on dark web forums such as Lolz.Guru, LolzTeam, and Zelenka, with total illegal revenue exceeding $5 million.

Crazy Evil runs multiple smaller branches (traffer teams) to manage scam campaigns targeting cryptocurrency investors, gaming accounts, payment cards, and other financial targets. They use Telegram channels to recruit new members, advertise services, and distribute malware.

Figure 1. Example of an attack chain by Crazy Evil

Members of Crazy Evil are expected to be able to operate fully undetectable (FUD) malware on both Windows and macOS, to have deep knowledge of hardware cryptocurrency wallets such as Ledger and Trezor, and to be able to exploit security vulnerabilities. For inexperienced recruits, the group provides detailed guides and direct training through "supervisors." Crazy Evil also offers support services such as malware effectiveness testing, malware encryption (crypting), and a revenue-sharing system for proceeds taken from victims, strengthening its position in the underground cybercrime community.

Organizational Structure and Subgroups

The Crazy Evil operation is divided among six subteams: AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND. Each subteam is responsible for a specific type of scam and has its own recruitment process, which simplifies management. To keep supervision simple, each team is identified by the label "CE" followed by a number.

Group Identifier   Group Name   Type of Scam
CE-1               AVLAND       Voxium, Rocket Galaxy
CE-2               TYPED        TyperDex
CE-3               DELAND       DeMeet
CE-4               ZOOMLAND     Zoom and WeChat scams
CE-5               DEFI         Selenium Finance
CE-6               KEVLAND      Gatherum

Figure 2. Organizational structure of Crazy Evil

Crazy Evil's Scam Projects

AVLAND (CE-1)

This group focuses on the following scam projects:

  • Job Offer & Investment Scams:
    CE-1 operates the scam project Voxium, a fake decentralized communication tool promoted on social media and Telegram. Its main lures are fake recruitment for project management or media positions and invitations to invest in Web3 projects.

Figure 3. Voxium project introduction website

  • Infostealer Malware Distribution:
    After luring victims to websites such as voxiumcalls[.]com, the site requires them to enter a meeting code before they can download the malicious installer. This malware lets CE-1 steal sensitive data such as IP addresses, browser cookies, passwords, and cryptocurrency wallets.

  • Link to the Rocket Galaxy Scam Project:
    CE-1 is linked to the scam game Rocket Galaxy, which previously operated under the name Rocket Legacy. The team uses fake websites and fake social media accounts to lend Rocket Galaxy credibility, with the aim of distributing malware and harvesting victim data.

Figure 4. Rocket Galaxy project introduction website

CE-1 uses platforms such as Dropbox and the Telegram API to control its operations, validate malware builds, and analyze stolen information. Malicious websites such as voxium[.]jeu and rocketgalaxy[.]xyz play a central role in malware distribution and victim data collection.

TYPED (CE-2)

The scam projects operated by this group include:

  • Malware Distribution via Fake Software (TyperDex):
    CE-2 runs the scam project TyperDex, advertised as AI-assisted productivity software. TyperDex is described as an application for improving typing skills, but in reality it carries information-stealing malware (infostealer).

Figure 5. TyperDex software introduction website

  • SEO Poisoning Strategy:
    CE-2 uses SEO poisoning, manipulating search rankings so that its scam websites appear near the top of results on major search engines. Victims arrive on their own, so no direct lure or contact is needed.

  • Cross-Platform Attacks (Windows and macOS):
    The TyperDex installers for Windows and macOS link to storage services such as Dropbox to deliver the malware. The macOS variant is fully functional and shares its command and control (C2) infrastructure with the Voxium project, which helps CE-2 keep operating even if part of the infrastructure is taken down.

  • Scams Based on Fake Applications and Websites:
    CE-2 operates multiple TyperDex-related domains such as typerdex[.]jai, typerdex[.]jio, and typerdex[.]com, which serve the malicious software and collect information from victims. The team frequently updates and rotates its infrastructure to evade detection by security organizations.

DELAND (CE-3)

This group focuses on the scam project DeMeet, advertised as a community development platform with chat and event planning features. However, DeMeet is essentially a tool for distributing information-stealing malware (infostealer), targeting both Windows and macOS users through malicious installation files stored on Dropbox.

Figure 6. DeMeet project introduction website

Unlike the other projects, DeMeet lets users create their own access codes to download the software, which helps CE-3 get around access restrictions and distribute malware more easily. This also makes the platform feel legitimate to victims, so they are more likely to download the malicious files.

ZOOMLAND (CE-4)

CE-4 operates scam campaigns by impersonating popular online meeting platforms like Zoom (targeting English-speaking users) and WeChat (targeting Chinese-speaking users). This is the only group in Crazy Evil that directly targets Chinese victims.

The scam website requires victims to download malicious installation files from Dropbox, such as ZoomInstallerFull.exe and Zoom_v.4.83.dmg. For macOS users, this malware uses the same command and control (C2) server as the Voxium and TyperDex campaigns, with IP 141.98.9[.]20.

Figure 7. Fake Zoom website

DEFI (CE-5)

CE-5 operates the scam project Selenium Finance, advertised as a digital asset management platform. But in reality, it is a tool for distributing information-stealing malware (infostealer).

This project targets victims interested in decentralized finance (DeFi) and cryptocurrency. Selenium Finance even issues fake ERC-20 tokens to increase credibility, scamming potential investors.

Figure 8. Selenium DeFi project introduction website

For macOS users, the malware can be downloaded from the domain iiyoiyol[.]com, using the file DeFi_Run_Bot_v.4.89.dmg. This malware connects to remote command and control (C2) servers to collect sensitive financial data from victims.

Additionally, CE-5 provides Russian-language guides on DeFi-related scam tactics, including digital asset scam strategies and ways to manipulate inexperienced investors. This shows the group is targeting victims in the decentralized finance ecosystem.

KEVLAND (CE-6)

CE-6 operates the scam project Gatherum, advertised as AI-supported online meeting software; in reality it is yet another vehicle for distributing information-stealing malware (infostealer).

For Windows users, Gatherum downloads the file GatherumSetup.exe from Dropbox. For macOS, it downloads the file Gatherum_v.6.97.dmg from the domain iiyoiyol[.]com, connecting to a remote command and control (C2) server with IP address 141.98.9[.]20, similar to other Crazy Evil scam campaigns.

Figure 9. Gatherum project introduction website

List of IOCs Related to the Campaign

Domain


IP Address

178.22.31[.]97
141.98.9[.]20

Recommendations

FPT Threat Intelligence recommends organizations and individuals take several measures to prevent this scam campaign:

  • Enhance Endpoint Protection: Deploy EDR solutions to detect and block malware related to Crazy Evil.

  • Web Filtering and Monitoring: Use web filtering tools to block access to malicious domains and suspicious downloads.

  • Continuous Threat Monitoring: Regularly update IOCs and new tactics of Crazy Evil.

  • User Training and Awareness: Organize cybersecurity training sessions, emphasizing scam recognition and risks from social engineering attacks.

  • Collaboration and Information Sharing: Share threat information with industry organizations, partners, and law enforcement agencies.

  • Strengthen Regulatory Compliance: Ensure security policies align with current cybersecurity and data protection regulations.
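One way to put the IOC list and the web-filtering and monitoring recommendations above into practice, as an added example (not FPT's own tooling): refang the defanged indicators from this report and match proxy log lines against the listed domains (including their subdomains), the C2 IP addresses, and the installer file names the campaigns use. The log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Defanged indicators quoted from the IOC section above (a subset) and the
# installer names the report mentions; used only for matching, never contacted.
DEFANGED_DOMAINS = ["voxiumcalls[.]com", "typerdex[.]com", "demeet[.]app",
                    "app.us4zoom[.]us", "selenium[.]fi", "iiyoiyol[.]com", "gatherum[.]net"]
DEFANGED_IPS = ["178.22.31[.]97", "141.98.9[.]20"]
INSTALLER_NAMES = ["ZoomInstallerFull.exe", "Zoom_v.4.83.dmg", "DeFi_Run_Bot_v.4.89.dmg",
                   "GatherumSetup.exe", "Gatherum_v.6.97.dmg"]

# Constructed proxy log lines for demonstration, not real telemetry.
SAMPLE_LOG = [
    "2025-02-03T10:14:02Z 10.0.0.5 GET http://app.us4zoom.us/ZoomInstallerFull.exe 200",
    "2025-02-03T10:14:09Z 10.0.0.5 CONNECT 141.98.9.20:443",
    "2025-02-03T10:15:30Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2025-02-03T10:16:01Z 10.0.0.9 GET https://cdn.iiyoiyol.com/Gatherum_v.6.97.dmg 200",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('voxium[.]eu', 'hxxp://') back into matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

@dataclass
class Hit:
    line: str
    indicator: str
    kind: str  # "domain", "ip" or "installer"

def scan_log(lines):
    """Match each log line against the refanged IOCs; subdomains of a listed domain match too."""
    domains = {refang(d) for d in DEFANGED_DOMAINS}
    ips = {refang(i) for i in DEFANGED_IPS}
    hits = []
    for line in lines:
        low = line.lower()
        for host in set(re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", low)):
            for d in domains:
                if host == d or host.endswith("." + d):
                    hits.append(Hit(line, d, "domain"))
        for ip in set(re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", low)):
            if ip in ips:
                hits.append(Hit(line, ip, "ip"))
        for name in INSTALLER_NAMES:
            if name.lower() in low:
                hits.append(Hit(line, name, "installer"))
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.kind:9} {h.indicator:24} {h.line}")
```

Feed the full domain list from the IOC section into DEFANGED_DOMAINS to cover all six subteams; the same matcher can be pointed at DNS or EDR download telemetry.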

FPT IS Security