GrassCall Scam Uses Fake Job Interviews to Steal Crypto

A new cybercrime campaign is preying on Web3 job seekers by using fake job interviews to spread "GrassCall" malware. The Russian-speaking cybercriminal group Crazy Evil orchestrated the scam by posting deceptive job listings and luring applicants into downloading a phony video conferencing app. This app comes bundled with malware that attempts to steal cryptocurrency wallets.

Hundreds of victims have reported financial losses, leading to the creation of a Telegram support group where affected individuals help one another remove the malware from their Windows and Mac devices.

The scam was carried out by Crazy Evil’s subgroup, "kevland," which specializes in social engineering attacks. The hackers built a fraudulent company, "ChainSeeker.io," complete with a fabricated website and social media presence. They placed high-profile job listings on platforms like LinkedIn, WellFound, and CryptoJobsList, targeting blockchain and cryptocurrency professionals. Applicants were contacted via email and instructed to reach out to a supposed Chief Marketing Officer through Telegram.

Once in contact, the fake recruiter directed job seekers to download the "GrassCall" meeting software from grasscall[.]net. The website offered downloads for both Windows and Mac, and required users to enter a code provided by the scammer before proceeding.

Upon execution, the fake software deploys malware. On Windows, it installs a remote access trojan (RAT) alongside an infostealer, like Rhadamanthys. On Mac, it installs the Atomic Stealer (AMOS) malware. These malicious tools allowed attackers to harvest stored credentials, authentication tokens, passwords, and cryptocurrency wallet data. Additionally, keyloggers were installed to capture keystrokes, further compromising sensitive information.

The stolen data was uploaded to cybercriminal-operated servers, with notifications sent to private Telegram channels used by the group. If a cryptocurrency wallet was detected, attackers attempted to brute-force passwords and drain funds. The individual cybercriminal who tricked the user into downloading the malware receives payment based on the stolen assets’ value, with some reportedly making substantial sums from each successful breach.

Following public exposure, CryptoJobsList removed the fraudulent job postings and issued warnings to affected applicants, advising them to scan their devices for malware. Although the GrassCall website has been taken down, cybersecurity researchers report that the criminals have restarted the scheme with a new fake video conferencing software, "VibeCall."

This attack is similar to another campaign that targeted Web3 professionals using fake meeting apps, such as “Meeten,” which was recently discovered by Cado Security Labs.

To stay protected, security experts recommend enabling two-factor authentication (2FA) on all accounts, using strong passwords and securely managing them, and avoiding downloads from unverified sources. As cyber threats targeting the Web3 industry persist, job seekers must remain vigilant against evolving scams.