Cybercriminals weaponize promoted posts and 'Ghost Networks' to steal cryptocurrency
Security researchers at Check Point Research have uncovered a highly coordinated cybercriminal operation that weaponizes the reputation of legitimate news outlets and developer platforms to distribute advanced cryptocurrency-stealing malware. The campaign, which exploits a "fake reputation economy," targets crypto traders and online gamblers by disguising malicious clipboard-hijackers as high-utility trading and gaming tools.

The threat actors behind the operation have successfully bypassed traditional security filters by manufacturing a facade of trust, leveraging "Ghost Networks" of fake accounts to inflate engagement metrics and manipulate security-verification services.
The anatomy of the 'fake reputation' playbook
Unlike traditional phishing attacks that rely on urgency, this campaign focuses on long-term social engineering. The attackers promote their malicious software, specifically fake "Solana sniper bots" and "crash-game predictors", through a multi-layered ecosystem:
Legitimate ad placement: Attackers purchase promoted or sponsored posts on reputable news websites and tech forums, lending an immediate air of institutional credibility to their malicious landing pages.
Manufactured social proof: Using botnets, the group populates GitHub and SourceForge projects with thousands of fake stars, forks, and positive comments to trick developers into believing the tools are industry-standard.
AI-driven influence: The operation maintains a YouTube channel featuring AI-narrated tutorial videos that demonstrate how to "configure" the fake tools, further solidifying the illusion of legitimacy.
VirusTotal poisoning: In a novel move, the attackers use a cluster of accounts to cast coordinated "safe" votes on VirusTotal, attempting to suppress automated security alerts and force reputation-based defenses to whitelist the malware.
The payload: A stealthy clipboard hijacker
Once a victim is convinced to download the "tool," the infection chain deploys a Rust-based clipboard hijacker (or "clipper"). The malware runs silently in the background of both Windows and macOS systems, continuously monitoring the user’s clipboard for text strings that match standard cryptocurrency wallet address formats.
When a match is detected, the clipper instantly substitutes the victim’s intended recipient address with one controlled by the attackers. Because most users perform a cursory check of the first and last few characters of an address during a transfer, they frequently fail to notice the subtle swap, resulting in the permanent, irreversible loss of digital assets.
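As an added illustration of the detection logic a defender could run over clipboard events (example code, not from the report or the malware), the script below classifies clipboard text by wallet-address shape and flags a same-format address that is replaced within a second, rating it high when the first and last characters still match, which is exactly the case the glance described above misses. The address patterns, thresholds and the clipboard timeline are constructed assumptions.

```python
import re

# Constructed address-shape patterns (assumption: a clipper keys on shapes like
# these; the exact patterns used by this malware are not in the report).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "sol": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

def classify(text):
    """Return the wallet format name the text matches, or None."""
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def cursory_check(original, shown, edge=4):
    """The glance most users do: compare only the first and last few characters."""
    return original[:edge] == shown[:edge] and original[-edge:] == shown[-edge:]

def looks_like_swap(prev, curr, max_gap=1.0, edge=4):
    """prev and curr are (timestamp_seconds, clipboard_text) snapshots. Flag one
    wallet address being replaced by another of the same format within max_gap
    seconds: a clipper reacts in milliseconds, a person copying two addresses
    back to back does not."""
    (t0, p), (t1, c) = prev, curr
    p, c = p.strip(), c.strip()
    kind = classify(p)
    if kind is None or classify(c) != kind or p == c or t1 - t0 > max_gap:
        return None
    return {
        "ts": t1, "format": kind, "original": p, "replacement": c,
        # Matching ends mean the victim's first/last-characters glance misses it.
        "severity": "high" if cursory_check(p, c, edge) else "medium",
    }

def scan(snapshots, max_gap=1.0, edge=4):
    """Run the heuristic over a time-ordered list of clipboard snapshots."""
    pairs = zip(snapshots, snapshots[1:])
    return [a for a in (looks_like_swap(p, c, max_gap, edge) for p, c in pairs) if a]

# Constructed clipboard timeline: a copied ETH address is replaced 50 ms later
# by a lookalike sharing its first and last four characters; the two BTC
# addresses copied 15 s apart are a person pasting, not a clipper.
SAMPLE = [(0.0, "meeting notes"),
          (5.00, "0x1a2b" + "1" * 32 + "c3d4"),
          (5.05, "0x1a2b" + "2" * 32 + "c3d4"),
          (20.0, "1" + "A" * 33), (35.0, "3" + "B" * 33)]
```

Running `scan(SAMPLE)` yields a single high-severity alert for the ETH replacement; a real monitor would feed it polled clipboard contents and raise the alert to the user before they confirm the transfer.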
A growing threat to enterprise security
Check Point Research warns that this campaign marks a troubling evolution in how malware is distributed. While the current focus is on retail crypto users and gamblers, the researchers emphasize that the "Ghost Network" methodology is easily portable to more dangerous payloads.
"These techniques can be abused by other types of actors distributing information stealers or ransomware," the report noted. "The same playbook of fake reputation and broad promotion can be reused to deliver significantly more damaging payloads into corporate environments."
Security teams are advised to move away from relying solely on "community reputation" scores for software binaries. Organizations should enforce strict application allow-listing, monitor for anomalous outbound traffic from workstations, and educate employees on the dangers of downloading "utility" software from unofficial sources, regardless of how many "stars" or positive reviews the project claims to have.