Crazy Evil, the infamous Russian-linked crypto criminal group, is actively recruiting hackers and scammers. It has thousands of Telegram users subscribed to its channels — and we observed the group nearly double in size in two weeks.
The group’s large-scale infrastructure deploys spear phishing, malware, social media hacking, and fake download sites to attack ‘crypto whales’ — more specifically, their crypto wallets.
However, Crazy Evil leaders are not in the scam or cyberattack business. The criminal group is in the malware-as-a-service (MaaS) industry, scaling by bringing in new hackers, scammers, and cybercriminals and guiding them to targets.
We spent weeks investigating Crazy Evil and, today, lift the lid on how the group operates.
Key Takeaways
- Crazy Evil is recruiting skilled hackers to expand its crypto scams.
- The group uses spear phishing and fake job offers to target crypto whales.
- Malware is deployed via fake meeting software downloads.
- Despite its complex infrastructure, Crazy Evil relies on classic scams.
- Crypto users should secure assets with MFA and cold wallets to stay safe.
Crazy Evil Recruitment Campaign Is Currently Active
We can confirm that Crazy Evil, a group operating since at least 2021, is now actively recruiting highly skilled black hat hackers and scammers.
With Bitcoin’s price hovering around its all-time high of over $100,000, crypto is a lucrative lure to criminal groups.
Crazy Evil’s main motive is certainly financial, and the group is likely linked to international criminal syndicates rather than nation-state hackers. Like other MaaS groups, Crazy Evil offers mentors, support, guides, and, of course, the malware itself — including Windows and Mac infostealers — to those who sign up.
By using the MaaS model, Crazy Evil’s leaders, developers, and distributors can keep their hands clean while scaling dramatically.
Crazy Evil cyberattacks and scams do not start with your regular scam phishing email. Crazy Evil operators ‘spear phish’ their targets, which means that they take the time to investigate victims before establishing first contact.
Crazy Evil is interested strictly in large Web3 targets. By only targeting high-value crypto targets, the group can not only get paid fast but can also gain access to sensitive data, putting companies at risk of data breaches.
In the two weeks since we first accessed the Telegram channel, the group’s subscribers increased from over 3,000 to almost 5,000.
Crazy Evil Recruits Are Not Your Typical Low-level Scammers
A January 2025 report by Recorded Future — a company that was controversially blacklisted by Russia for allegedly being a ‘disinformation actor’ — presented a detailed digital forensic analysis of how Crazy Evil’s operation works.
Recorded Future identified more than ten active scams on social media linked to Crazy Evil and its six sub-teams:
- C1 VLAND: Voxium and Rocket Galaxy scam
- C2 TYPED: Running the TyperDex scam
- C3 DELAND: DeMeet scam
- C4 ZOOMLAND: Zoom and WeChat impersonators
- C5 DEFI: Selenium Finance campaign
- C6 KEVLAND: Gatherum threat
We analyzed the domains, IPs, Telegram channels, and Telegram bots linked to Crazy Evil by the Recorded Future report. We found that several things have changed in recent weeks.
For example, the individual identified as the prominent leader of the entire organization, along with other subgroup leaders, has gone dark since Recorded Future’s report was published, erasing information from their Telegram channel and even completely deleting their account.
As the image above shows, the Telegram channel of Crazy Evil’s alleged leader was completely stripped and changed after Recorded Future released its report on January 23, 2025.
We can confirm that despite the Recorded Future report, Crazy Evil and its subgroups are still operating. However, many elements, such as the Crazy Evil Bot — which is the entryway into the criminal organization — are no longer active or responding.
We also found that Crazy Evil has pulled the plug on several fake download domains and changed the content of others.
This is common cybercriminal behavior when threat actors are exposed. They simply migrated to clean infrastructure, which they had built in advance, and trashed the burned infrastructure.
What It Takes to Work for Crazy Evil
Believe it or not, those who want to work with Crazy Evil must apply for the position. They must go through several recruitment stages on Telegram and respond to specific questions.
Specifically, Crazy Evil wants black hat hackers and scammers who can do their own victim research and direct victims to fake sites.
While Crazy Evil does provide guidance, mentors, and malware, the group expects its operators to know how to use infostealers without being detected.
It is unlikely that an individual who does not demonstrate these skills will be accepted.
Crazy Evil’s Operation May Be Sophisticated — But The Crypto Scam Is Simple
While the report released by Recorded Future reveals a sophisticated operation, the Crazy Evil scams are not that complex.
Crazy Evil scams are highly dependent on the cybersecurity awareness levels of victims, that is, on how easily a target can be fooled by social engineering.
Specifically, as far as we could gather on Telegram, Crazy Evil threat actors are contacting potential victims via SMS and offering them fake crypto or blockchain jobs.
Victims who fall for this trick are asked to download software for a video meeting from malicious sites that impersonate video meeting software, as seen in the image below.
When users click download or follow the instructions on these pages, they download malware. Crazy Evil operations have cross-platform capabilities and can target various browsers. They also attack Apple users with the infamous AMOS stealer and Windows users with StealC or Angel Drainer.
As mentioned, the goal of threat actors here is to empty your crypto wallets, so we advise crypto users to use cold wallets (which operate offline) or, at a minimum, enable multi-factor authentication (MFA) on their devices.
Additionally, when choosing a crypto platform, ensure security is a priority in your decision-making process.
The Bottom Line
Crazy Evil is not deploying zero-click attacks or coding new and complex malware that exploits new vulnerabilities. It is simply using old-school scam tactics to trick crypto users at scale.
Cybercriminals are not just using MaaS business models to hide behind operators. They are using these models to create an exhaustingly complicated criminal infrastructure that, while easily observed, is a nightmare to investigate.
Furthermore, criminals are long gone by the time their activities have been exposed and studied, leaving few digital breadcrumbs.
These tactics also confuse and overwhelm crypto users and blockchain companies that scramble to mitigate threats.
In reality, the solution to Crazy Evil scams is simple. Do not engage with strangers on SMS, social media, or other channels, and secure your accounts with MFA or cold wallets.
Crazy Evil’s glamor may sound impressive, but at its core, it’s just a remix of the “new crypto job offer scam.”
References
- “Crazy Evil” Cryptoscam Gang Infects Thousands with Infostealer Malware (Recorded Future)