Hackers impersonate VCs and hijack QuickLens extension, using ClickFix technique to steal crypto assets
CryptoWorld.com, March 3 — Hackers are using the “ClickFix” attack method to steal cryptocurrency. The two latest campaigns involve impersonating venture capital firms and hijacking a browser extension.

Cybersecurity company Moonlock Lab reports that scammers pose as fake VC firms such as SolidBit, MegaBit, and Lumax Capital, contact users via LinkedIn with offers of partnership opportunities, and then direct them to click fake Zoom and Google Meet links. The links lead to a page with a forged Cloudflare “I’m not a robot” verification box. Clicking the box copies malicious commands to the clipboard, and the page prompts the user to open a terminal and paste a so-called verification code, which executes the attack. Moonlock Lab notes that this method makes victims unwitting participants in the attack mechanism, bypassing security defenses.

Meanwhile, hackers have also hijacked the Chrome extension QuickLens to spread malware. The extension lets users run Google Lens searches directly in the browser. After its ownership was transferred, the new version contained malicious scripts capable of launching ClickFix attacks and stealing information. The extension has about 7,000 users. Once hijacked, it searches for crypto wallet data and seed phrases in order to steal funds, and it also harvests Gmail inbox contents, YouTube channel data, and login credentials or payment information entered into web forms. The extension has been removed from the Chrome Web Store.

The ClickFix technique has been popular among hackers since last year. It relies on getting victims to manually execute malicious payloads and has affected thousands of businesses worldwide across multiple industries.
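As an added example (not from Moonlock Lab or the original report), here is a heuristic a defender could run over fetched page source to flag the lure pattern described above: a forged verification box, a script-driven clipboard write, and an instruction to paste into a terminal. The regex patterns, function names and both sample pages are constructed assumptions.

```javascript
// Heuristic check for the ClickFix page pattern described in the article.
// All patterns and sample pages below are constructed for illustration.
const SIGNALS = {
  // Forged human-verification lure ("I'm not a robot" box, Cloudflare branding).
  verificationLure: /i['’]m not a robot|verify (that )?you are human|cloudflare/i,
  // Script places text on the clipboard on the user's behalf.
  clipboardWrite: /navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['"]copy['"]/i,
  // Page tells the user to open a terminal and paste something into it.
  pasteInstruction: new RegExp(
    "(open|launch)\\s+(a\\s+|the\\s+|your\\s+)?(terminal|powershell|command prompt)" +
    "|paste\\b.{0,60}\\b(terminal|verification code)", "i"),
};

// Returns the names of the signals found in the page source.
function clickFixSignals(html) {
  return Object.keys(SIGNALS).filter((name) => SIGNALS[name].test(html));
}

// A clipboard write alone is common (copy buttons on docs sites), so the
// page is flagged only when all three signals occur together.
function isLikelyClickFix(html) {
  return clickFixSignals(html).length === Object.keys(SIGNALS).length;
}

// Constructed lure page: placeholder text stands in for the copied command.
const constructedLure = `
<div class="cf-box"><input type="checkbox" id="c"> I'm not a robot</div>
<p>To finish, open Terminal and paste the verification code.</p>
<script>
  document.getElementById('c').onclick = () =>
    navigator.clipboard.writeText('PLACEHOLDER_COMMAND');
</script>`;

// Constructed benign page: an ordinary copy-to-clipboard button.
const constructedBenign = `
<pre id="snippet">npm install example</pre>
<button onclick="navigator.clipboard.writeText(snippet.innerText)">Copy</button>`;

console.log("lure:", clickFixSignals(constructedLure), isLikelyClickFix(constructedLure));
console.log("benign:", clickFixSignals(constructedBenign), isLikelyClickFix(constructedBenign));
```

String matching like this is a triage signal for proxy or crawler output, not a verdict; pages that build their text at runtime will not match it.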