# "Crazy Evil" Gang Spreads Malware That Steals Information Targeting Crypto Market

# **Information about the Crazy Evil Group**

Crazy Evil is a cybercriminal group from Russia that has been active since 2021, specializing in digital asset fraud, identity theft, and the distribution of information-stealing malware (infostealer). The group primarily operates on dark web forums such as Lolz.Guru, LolzTeam, and Zelenka, with total illegal revenue exceeding $5 million.

Crazy Evil runs multiple smaller branches (traffer teams) to manage scam campaigns targeting cryptocurrency investors, gaming accounts, payment cards, and other financial targets. They use Telegram channels to recruit new members, advertise services, and distribute malware.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738914471694/15f1a44d-ca16-47f8-8179-ad1a82f27ad3.png align="center")

*Figure 1. Example of an attack chain by Crazy Evil*

Members of Crazy Evil are expected to operate fully undetectable (FUD) malware on both Windows and macOS, to know hardware cryptocurrency wallets such as Ledger and Trezor in depth, and to be able to exploit security vulnerabilities. For inexperienced recruits, the group provides detailed guides and direct training through "supervisors." Crazy Evil also offers support services such as malware effectiveness testing, malware encryption (crypting), and a revenue-sharing scheme for proceeds taken from victims, strengthening its position in the underground cybercrime community.

# **Organizational Structure and Subgroups**

Crazy Evil's operations are divided among six subteams: **AVLAND, TYPED, DELAND, ZOOMLAND, DEFI**, and **KEVLAND**. Each subteam is responsible for a specific type of scam and has its own recruitment process, which simplifies management. For ease of supervision, each group is identified by the prefix "CE" followed by a number.

| **Group Identifier** | **Group Name** | **Type of Scam** |
| --- | --- | --- |
| CE-1 | AVLAND | Voxium, Rocket Galaxy |
| CE-2 | TYPED | TyperDex |
| CE-3 | DELAND | DeMeet |
| CE-4 | ZOOMLAND | Zoom and WeChat Scams |
| CE-5 | DEFI | Selenium Finance |
| CE-6 | KEVLAND | Gatherum |

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738907421756/6f80dde2-fbf6-4e2c-ae7f-a434220baf40.png align="center")

*Figure 2. Organizational structure of Crazy Evil*

# **Crazy Evil's Scam Projects**

## **AVLAND (CE-1)**

This group focuses on the following scam projects:

* **Job Offer & Investment Scams:**  
    CE-1 operates the scam project **Voxium**, a fake decentralized communication tool promoted on social media and Telegram. Its lures are typically fake job offers for project management or media roles, or invitations to invest in Web3 projects.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738911246609/0a62a6af-bb79-48f4-bc02-66522f50fad4.png align="center")

*Figure 3. Voxium project introduction website*

* **Infostealer Malware Distribution:**  
    After luring victims to websites such as **voxiumcalls\[.\]com**, the operators require them to enter a meeting code before they can download a malicious installer. The installed malware lets CE-1 steal sensitive data such as IP addresses, browser cookies, passwords, and cryptocurrency wallets.
    
* **Link to Rocket Galaxy Scam Project:**  
    CE-1 is linked to the scam game **Rocket Galaxy**, which previously operated under the name **Rocket Legacy**. They use fake websites and fake social media accounts to lend Rocket Galaxy credibility, with the aim of distributing malware and collecting victim data.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738911348565/0753f31d-849e-46ea-a49c-31fa09a31de2.png align="center")

*Figure 4. Rocket Galaxy project introduction website*

CE-1 uses platforms like Dropbox and Telegram APIs to control operations, authenticate malware, and analyze stolen information. Malicious websites like **voxium\[.\]jeu** and **rocketgalaxy\[.\]xyz** play a central role in malware distribution and victim data collection.

## **TYPED (CE-2)**

The scam projects operated by this group include:

* **Malware Distribution via Fake Software (TyperDex):**  
    CE-2 runs the scam project **TyperDex**, marketed as an AI-assisted productivity application. TyperDex is described as an application for improving typing skills, but in reality it carries information-stealing malware (infostealer).
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738911674747/ac7fca81-bdda-476b-b480-861846b5dff1.png align="center")

*Figure 5. TyperDex software introduction website*

* **SEO Poisoning Strategy:**  
    CE-2 relies on **SEO poisoning**, manipulating search rankings so that its scam websites appear high in results on major search engines. Victims thus find the sites on their own, without a direct lure being sent to them.
    
* **Cross-Platform Attacks (Windows and macOS):**  
    The TyperDex installers for Windows and macOS are hosted on storage services such as Dropbox. The macOS variant is fully functional and shares its command and control (C2) infrastructure with the Voxium project, which lets CE-2 keep operating even if part of the infrastructure is taken down.
    
* **Scams Based on Fake Applications and Websites:**  
    CE-2 operates multiple TyperDex-related domains such as **typerdex\[.\]jai**, **typerdex\[.\]jio**, and **typerdex\[.\]com**, which serve the malicious software and collect information from victims. The group frequently rotates and updates its infrastructure to evade detection by security organizations.
    

## **DELAND (CE-3)**

This group focuses on the scam project **DeMeet**, advertised as a community development platform with chat and event planning features. However, DeMeet is essentially a tool for distributing information-stealing malware (infostealer), targeting both Windows and macOS users through malicious installation files stored on Dropbox.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738912213380/6864a48f-71d2-42d3-b013-b24c93a9a13b.png align="center")

*Figure 6. DeMeet project introduction website.*

Unlike the other projects, DeMeet lets users create their own access codes to download the software, which helps CE-3 sidestep the access-code gate and distribute malware more widely. This also makes the platform feel legitimate to victims, making them more likely to download the malicious files.

## **ZOOMLAND (CE-4)**

CE-4 operates scam campaigns by impersonating popular online meeting platforms like **Zoom** (targeting English-speaking users) and **WeChat** (targeting Chinese-speaking users). This is the only group in Crazy Evil that directly targets Chinese victims.

The scam website requires victims to download malicious installation files from Dropbox, such as **ZoomInstallerFull.exe** and **Zoom\_v.4.83.dmg**. For macOS users, this malware uses the same command and control (C2) server as the Voxium and TyperDex campaigns, with IP **141.98.9\[.\]20**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738913298240/2bcdf063-41c4-43ab-9dd0-f1d56cdb0ffb.png align="center")

*Figure 7. Fake Zoom website*

## **DEFI (CE-5)**

CE-5 operates the scam project **Selenium Finance**, advertised as a digital asset management platform. But in reality, it is a tool for distributing information-stealing malware (infostealer).

This project targets victims interested in decentralized finance (DeFi) and cryptocurrency. Selenium Finance even issues fake **ERC-20 tokens** to build credibility and defraud prospective investors.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738913697372/4d090bfb-0696-43ab-bee7-fd8c5f7d4575.png align="center")

*Figure 8. Selenium DeFi project introduction website*

For macOS users, the malware can be downloaded from the domain **iiyoiyol\[.\]com**, using the file **DeFi\_Run\_Bot\_v.4.89.dmg**. This malware connects to remote command and control (C2) servers to collect sensitive financial data from victims.

Additionally, CE-5 provides Russian-language guides on DeFi-related scam tactics, including digital asset scam strategies and ways to manipulate inexperienced investors. This shows the group is targeting victims in the decentralized finance ecosystem.

## **KEVLAND (CE-6)**

CE-6 operates the scam project **Gatherum**, advertised as AI-supported online meeting software, but in reality it is another tool for distributing information-stealing malware (infostealer).

For Windows users, Gatherum downloads the file **GatherumSetup.exe** from Dropbox. For macOS, it downloads the file **Gatherum\_v.6.97.dmg** from the domain **iiyoiyol\[.\]com**, connecting to a remote command and control (C2) server with IP address **141.98.9\[.\]20**, similar to other Crazy Evil scam campaigns.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1738913756735/6dc0366a-0715-47bb-88c5-72543d70f2e0.png align="center")

*Figure 9. Gatherum project introduction website*

# **List of IOCs Related to the Campaign**

## **Domain**

| tokenframegovernance\[.\]com |
| --- |
| voxiumcalls\[.\]com |
| voxium\[.\]eu |
| voxiumhub\[.\]com |
| voxium\[.\]cloud |
| rocketgalaxy\[.\]io |
| rocketgalaxy\[.\]xyz |
| rocketgalaxyworld\[.\]com |
| playrocketgalaxy\[.\]com |
| rocketlegacy\[.\]xyz |
| ccdcompany\[.\]online |
| ultima-dapp\[.\]online |
| ultimadapp\[.\]online |
| solanans\[.\]com |
| watcherbot\[.\]xyz |
| secretum\[.\]io |
| iiyoiyol\[.\]com |
| typerdex\[.\]io |
| typerdex\[.\]ai |
| typerdex\[.\]jai |
| typerdex\[.\]team |
| typerdex\[.\]com |
| demeet\[.\]app |
| demeetapp\[.\]com |
| demeet\[.\]site |
| demeet\[.\]online |
| app.us4zoom\[.\]us |
| app-wechat\[.\]com |
| selenium\[.\]fi |
| gatherum\[.\]ca |
| gatherum\[.\]net |
| gatherum\[.\]one |
| gatherum\[.\]cc |

## **IP Address**

| 178.22.31\[.\]97 |
| --- |
| 141.98.9\[.\]20 |

# **Recommendations**

**FPT Threat Intelligence** recommends that organizations and individuals take the following measures to protect against this scam campaign:

* **Enhance Endpoint Protection:** Deploy EDR solutions to detect and block malware related to Crazy Evil.
    
* **Web Filtering and Monitoring:** Use web filtering tools to block access to malicious domains and suspicious downloads.
    
* **Continuous Threat Monitoring:** Keep IOC feeds and knowledge of Crazy Evil's tactics up to date, and check network and endpoint logs against them regularly.
    
* **User Training and Awareness:** Organize cybersecurity training sessions, emphasizing scam recognition and risks from social engineering attacks.
    
* **Collaboration and Information Sharing:** Share threat information with industry organizations, partners, and law enforcement agencies.
    
* **Strengthen Regulatory Compliance:** Ensure security policies align with current cybersecurity and data protection regulations.
    
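The IOC tables above and the web-filtering and threat-monitoring recommendations can be put to work with a small matcher that refangs the indicators and sweeps them over proxy and DNS logs. The script below is an added example written for this page, not tooling from FPT Threat Intelligence; the log format, the internal client addresses, and the hostnames in the sample lines are constructed for the demonstration. The indicator values themselves are copied from the tables on this page. Domains are matched on label boundaries so that a subdomain of an IOC (for example a CDN host under a listed domain) is caught, while an unrelated name that merely begins with the same string is not.

```python
import ipaddress
import re

# Defanged indicators copied from the IOC tables on this page (a subset of the domain list).
DEFANGED_DOMAINS = [
    "tokenframegovernance[.]com", "voxiumcalls[.]com", "voxium[.]eu", "voxiumhub[.]com",
    "voxium[.]cloud", "rocketgalaxy[.]io", "rocketgalaxy[.]xyz", "rocketgalaxyworld[.]com",
    "playrocketgalaxy[.]com", "rocketlegacy[.]xyz", "iiyoiyol[.]com", "typerdex[.]io",
    "typerdex[.]ai", "typerdex[.]com", "demeet[.]app", "demeetapp[.]com",
    "app.us4zoom[.]us", "app-wechat[.]com", "selenium[.]fi", "gatherum[.]net",
]
DEFANGED_IPS = ["178.22.31[.]97", "141.98.9[.]20"]

_DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
_DEFANG_SCHEME = re.compile(r"^hxxp(s?)://")
# Hostname-looking tokens (last label alphabetic, so dotted IPs are left to IPV4_RE).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log (proxy + DNS style); client IPs and the non-IOC hostnames are made up.
SAMPLE_LOG = """\
2025-02-07T09:58:11Z 10.20.0.15 DNS A cdn.voxiumcalls.com
2025-02-07T09:58:12Z 10.20.0.15 GET https://voxiumcalls.com/download?code=8841 200
2025-02-07T09:59:40Z 10.20.0.31 GET https://www.dropbox.com/s/placeholder/ZoomInstallerFull.exe 200
2025-02-07T10:02:03Z 10.20.0.31 CONNECT 141.98.9.20:443 -
2025-02-07T10:03:17Z 10.20.0.7 DNS A voxium.cloudflare-dns.example
2025-02-07T10:04:00Z 10.20.0.7 GET https://docs.example.com/typerdex-review 200
"""


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('voxium[.]eu', 'hxxp://') back to its live form."""
    s = indicator.strip().lower()
    s = _DEFANG_DOT.sub(".", s)
    return _DEFANG_SCHEME.sub(r"http\1://", s)


class IocMatcher:
    """Exact match for IPs; label-boundary suffix match for domains (subdomains of an IOC count)."""

    def __init__(self, domains, ips):
        self.domains = {refang(d) for d in domains}
        self.ips = {ipaddress.ip_address(refang(ip)) for ip in ips}

    def match_host(self, host):
        labels = host.lower().rstrip(".").split(".")
        # Walk from the full name up to the two-label parent, never down to a bare TLD,
        # so 'cdn.voxiumcalls.com' hits 'voxiumcalls.com' while 'voxium.cloudflare-dns.example' hits nothing.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, text):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return None
        return str(addr) if addr in self.ips else None


def scan_log(log_text, matcher):
    """Return one hit per (line, indicator) showing which IOC was observed and where."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        seen = set()
        for host in HOST_RE.findall(line):
            ioc = matcher.match_host(host)
            if ioc and ioc not in seen:
                seen.add(ioc)
                hits.append({"line": line_no, "kind": "domain", "indicator": ioc, "observed": host})
        for ip in IPV4_RE.findall(line):
            ioc = matcher.match_ip(ip)
            if ioc and ioc not in seen:
                seen.add(ioc)
                hits.append({"line": line_no, "kind": "ip", "indicator": ioc, "observed": ip})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, IocMatcher(DEFANGED_DOMAINS, DEFANGED_IPS)):
        print(f"line {hit['line']}: {hit['kind']} IOC {hit['indicator']} (observed {hit['observed']})")
```

Run against the sample, the scan flags the DNS lookup and the download from the Voxium domain and the CONNECT to the shared C2 address, while the Dropbox download and the unrelated `voxium.` host are left alone; the Dropbox line is a reminder that blocking the legitimate hosting service is not an option and that the file-name patterns above (installer names on Dropbox) need a separate detection.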

# **References**

* [**"Crazy Evil" Cryptoscam Gang: Unmasking a Global Threat in 2024**](https://www.recordedfuture.com/research/crazy-evil-cryptoscam-gang)
    
* [**Crazy Evil gang runs over 10 highly specialized social media scams**](https://securityaffairs.com/173784/cyber-crime/crazy-evil-runs-10-social-media-scams.html)
