Fake CoinMarketCap Journalists Targeting Crypto Executives in Spear-Phishing Campaign
Fake CoinMarketCap journalist profiles used in spear-phishing target crypto execs via Zoom interviews, risking malware, data theft, and wallet loss.
A new spear-phishing campaign is targeting executives in the crypto industry through fake interview requests. The attackers impersonate journalists affiliated with CoinMarketCap, using their active profiles on the company’s website to appear legitimate.
**Real Identity, Real Risk**
Threat intelligence analysts have identified a spear-phishing campaign aimed at executives in the crypto industry. The attacker uses the exact name and photo of a former CoinMarketCap contributor to establish trust.
When contacted directly, the impersonated individual confirmed they are no longer affiliated with CoinMarketCap. However, their name and photo remain publicly listed, giving the phishing attempt an added layer of credibility.
**The Setup**
The scam works like this: targets receive an email inviting them to participate in an interview on Web3 innovation. The message appears to come from the CoinMarketCap team, but it actually originates from a fake domain that does not resolve to any website and is configured only to send email.
Picture A – Domain information according to AlienVault OTX Intel Platform
These emails are professionally written and raise no suspicion beyond the domain itself. Each one closes with a button to schedule a Zoom call via Calendly, still featuring original CoinMarketCap branding.
When the target joins the call, they are introduced to two characters: Igor and Dirk (the latter impersonating a former CoinMarketCap editor, using the person’s real name and profile picture displayed through Zoom).
Picture B – Fake email received by an executive
After a brief introduction and small talk, Igor asks the target to change their application’s language to Polish, claiming that his note-taking app would otherwise malfunction. He even chats with his partner in crime, saying something along the lines of: “Just like we did last time with the other interview. Dirk, help me change it to Polish on your end, too.”
He then takes the opportunity to ask about the target’s operating system in order to “help change the language.” This process leads to a Zoom restart, now running in Polish.
The interview resumes, and minutes later, a pop-up appears in Polish with two options, one highlighted in blue. It is a standard Zoom prompt stating: “A remote participant wants to take control of your screen.”
Accepting would grant the attacker full control over the target’s keyboard and mouse (enough to deploy malware, exfiltrate files, or steal credentials and crypto wallets), all under the guise of normal application interaction.
**Remote Control**
Threat actors exploit Zoom’s remote control feature because it is enabled by default in many corporate environments and is rarely treated as an attack vector. Users typically don’t expect Zoom itself to be used maliciously, and while most people assume they would notice something was off, attention during a live call is divided.
In practice, once remote access is granted, deploying malware can take just seconds: opening an execution prompt, pasting a command, and pressing Enter is enough to compromise the system. This tactic has proven highly effective, especially in targeted attacks against crypto professionals, with high-profile victims and influencers already warning publicly about this.
This approach resembles the recent wave of ClickFix attacks, where victims are instructed to perform the steps themselves. The difference here is that the attacker executes the procedure directly through remote control, which makes it considerably more dangerous and unpredictable.
Picture C – A real recording of the Threat Actors impersonating CoinMarketCap employees
**IOCs and Summary**
Domain: team-coinmarketcapcom
Domain: contact-coinmarketcapcom
Email: dirk@team-coinmarketcapcom
Email: no-reply@contact-coinmarketcapcom
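The only technical tell in this campaign, as the write-up notes, is the sender domain: a hyphenated lookalike that embeds the brand name but is not the brand’s real domain. Below is an added example (not part of the original intelligence pulse or any CoinMarketCap tooling) of the triage logic a mail-security team could run over `From:` headers to surface exactly this pattern. It goes slightly beyond the case in the text by also flagging display-name spoofing (brand in the name, unrelated domain) and by normalising separators so `coin-market-cap` style variants still match. The allow-list, brand tokens and all sample headers are constructed assumptions; `coinmarketcap.com` is used only because that is the brand the page describes being impersonated.

```python
import re

# Assumption: the organisation's allow-list of legitimate registrable domains
# for the protected brand. Subdomains of these are treated as legitimate too.
LEGIT_DOMAINS = {"coinmarketcap.com"}

# Brand tokens whose presence in a sender domain or display name is suspicious
# unless the domain is on the allow-list.
BRAND_TOKENS = ("coinmarketcap",)

# Parses 'Display Name <local@domain>' or a bare 'local@domain'.
FROM_RE = re.compile(
    r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*<)?'
    r"(?P<local>[^<>\s@]+)@(?P<domain>[A-Za-z0-9.-]+)>?\s*$"
)


def parse_from(header):
    """Return (display_name, local_part, domain) or None if unparseable."""
    m = FROM_RE.match(header)
    if not m:
        return None
    name = (m.group("name") or "").strip()
    domain = m.group("domain").lower().rstrip(".")
    return name, m.group("local"), domain


def normalise(text):
    # Collapse case and separators so 'Coin-Market-Cap' or 'coin.marketcap'
    # still contain the brand token.
    return re.sub(r"[^a-z0-9]", "", text.lower())


def mentions_brand(text):
    t = normalise(text)
    return any(tok in t for tok in BRAND_TOKENS)


def is_legit_domain(domain):
    # Exact match or a true subdomain; 'coinmarketcap.com.evil.example'
    # does NOT end with '.coinmarketcap.com' and so is not accepted.
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def classify_sender(header):
    """Classify one From: header as legitimate, lookalike-domain,
    display-name-spoof, unrelated or unparseable."""
    parsed = parse_from(header)
    if parsed is None:
        return "unparseable"
    name, _local, domain = parsed
    if is_legit_domain(domain):
        return "legitimate"
    if mentions_brand(domain):
        return "lookalike-domain"
    if mentions_brand(name):
        return "display-name-spoof"
    return "unrelated"


def triage(headers):
    """Pair every header with its verdict, for review or SIEM enrichment."""
    return [(h, classify_sender(h)) for h in headers]


# Constructed sample headers (not real traffic): the first two mirror the
# hyphen-prefixed brand-domain pattern described in the article.
SAMPLE_FROM_HEADERS = [
    "CoinMarketCap Team <no-reply@contact-coinmarketcap.example>",
    "Dirk <dirk@team-coinmarketcap.example>",
    "Newsletter <news@mail.coinmarketcap.com>",
    "press@coinmarketcap.com",
    "CoinMarketCap Press <press@gmail.example>",
    "Support <help@coinmarketcap.com.evil.example>",
    "Alice <alice@partner.example>",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:20s} {header}")
```

The ordering of checks matters: the allow-list is consulted before the brand-token test so that genuine subdomains are never flagged, while the suffix check is written so a brand domain buried in a longer hostname is still caught. A verdict of `lookalike-domain` or `display-name-spoof` is a review trigger, not proof of fraud; the display-name case in particular will fire on legitimate third parties who mention the brand in their name.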
**References**
Original Intelligence Pulse: https://otx.alienvault.com/pulse/688bdd12087cf39d39d15839