Pierluigi Paganini
February 03, 2025
Since 2021, the Crazy Evil gang has become a major cybercriminal group, using phishing, identity fraud, and malware to steal cryptocurrency.
Security experts identified six Crazy Evil’s subteams, called AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, which are running targeted scams for specific victim profiles.
The leader of the group is a threat actor known on Telegram as “Abrahamˮ @AbrahamCrazyEvil.
The group’s arsenal includes multiple malware strains including the Stealc and the AMOS infostealer for Windows and macOS.
“Insikt Group has found over ten active scams, including Voxium and Rocket Galaxy, leveraging tailored lures to deceive victims.” reads the report published by Insikt Group. “Targeting of Cryptocurrency Users and Influencers: Crazy Evil explicitly victimizes the cryptocurrency space with bespoke spearphishing lures.”
Crazy Evil is referred as a “traffer team,ˮ which is a group of social engineering specialists tasked with redirecting legitimate traffic to malicious landing pages.
The gang targets high-value victims, also called “mammoths,” for digital asset theft, including cryptocurrencies, payment cards, online banking accounts, and non-fungible tokens (NFTs). Active since 2021, the group amassed over 3,000 followers on its public Telegram CrazyEvilCorp channel. As of December 2, 2024, the fraudulent operations linked to Crazy Evil are still active.
Crazy Evil has earned over $5 million through phishing scams since 2021. Victim losses range from $0.10 to over $100,000, relying on luck and persistence.
Crazy Evil actively recruits affiliates by advertising its cybercriminal network with specific skill requirements. Applicants must be proficient in operating fully undetectable (FUD) infostealers for both Windows and macOS, as well as manipulating hardware cryptocurrency wallets through tactics like address poisoning. Applicants must be able to target Ledger and Trezor devices. Additionally, recruits should have experience working with various FUD exploits, though details on these techniques are vague.
Expertise in deploying cryptocurrency wallet drainers and setting up phishing landing pages is also highly valued. To accommodate inexperienced cybercriminals, Crazy Evil provides training materials and assigns newcomers to experienced mentors (aka “curators”) who guide them through the group’s illicit operations. This structured approach demonstrates the gang’s effort to maintain a well-trained and efficient network of traffers.
The cybercrime gang focused on targeting the Web3 and decentralized finance industry. The group maintains a strong presence on dark web forums and collaborates with other cybercrime gangs and malware developers. These factors make it a persistent cyber threat.
However, like many cybercriminal groups, its biggest vulnerability is internal conflict. As it grows in size and complexity, the risk of exit scams and splintering, seen in past groups.
“Threat groups like Crazy Evil are resilient to identification and disruption — the biggest threat to their operations comes from internal strife. When threat groups like Crazy Evil increase in membership and expand operations, exit scamming and splintering are more likely to be their downfall, as seen with Marko Polo and CryptoLove.” concludes the report that includes the Indicators of Compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
