Crypto hackers are increasingly using the “ClickFix” technique to impersonate venture capital firms and hijack browser extensions in coordinated attempts to steal digital assets.
Cybersecurity firm Moonlock Lab said attackers created fake VC entities including SolidBit, MegaBit and Lumax Capital, contacting targets on LinkedIn with partnership offers before directing them to fraudulent Zoom or Google Meet links.
“The ClickFix technique is what makes the final step so effective,”
The Moonlock Lab team said, adding:
“By turning the victim into the execution mechanism—having them paste and run the command themselves—the attackers sidestep the very controls the security industry has spent years building. No exploit. No suspicious download.”
Victims clicking the fake meeting links were shown a bogus Cloudflare verification page that copied a malicious command to their clipboard and instructed them to paste it into their system terminal, effectively executing the malware themselves.
Moonlock Lab said the campaign allegedly involved an individual using the name Mykhailo Hureiev of SolidBit Capital, though researchers noted the infrastructure rotates identities once exposed.
In a separate incident, the QuickLens Chrome extension, previously used for Google Lens searches, was hijacked after a change in ownership and updated with malicious scripts that deployed ClickFix attacks and targeted crypto wallet data and seed phrases.
Security researchers said ClickFix campaigns have been tracked since at least 2024 across multiple industries, with Microsoft and Unit42 warning that the technique forces victims to manually execute payloads, bypassing conventional security safeguards.