Web3 Developers Targeted By Sophisticated AI‐Style Phishing Attack
A sophisticated phishing campaign orchestrated by the cybercrime group known as LARVA‐208 is actively targeting Web3 developers through fake AI platforms, according to cybersecurity firm PRODAFT. Victims are lured with job offers and portfolio review requests, directed to counterfeit workspaces like "Norlax AI" and fake Teampilot clones, where they unwittingly download credential‐stealing malware, an evolution in the group's tactics aimed at exploiting emerging decentralised technology ecosystems.
The operation unfolds through spear‐phishing links shared across platforms popular among blockchain developers, including X, Telegram, and niche job boards such as Remote3. After initial contact via systems like Google Meet, the conversation transitions to a fabricated AI workspace, where a prompt claiming outdated audio drivers induces the victim to install malware disguised as a benign Realtek HD Audio driver. The subsequent payload, a PowerShell‐delivered "Fickle Stealer", harvests credentials, crypto‐wallets, and development environment access, sending the data to a covert command‐and‐control framework codenamed SilentPrism.
This campaign signifies a noteworthy shift in LARVA‐208's monetisation strategy. Rather than relying solely on ransomware, they are now concentrating on harvesting high-value digital assets and selling access credentials in underground markets. The group's modus operandi, using tailored social engineering, domain impersonation, and trusted professional channels, reflects a sharp escalation in targeting developers within decentralised finance and blockchain realms.
LARVA‐208 has an established history of spear‐phishing IT staff, exploiting channels like VPN credentials and Microsoft Teams integration to install credential harvesters and remote management software. This latest approach adapts those tactics to exploit the growing interdependence of Web3 developers on new, often unvetted tools, and the relative novelty of AI‐based collaboration platforms.
According to PRODAFT, the campaign is part of a broader strategic pivot by EncryptHub, blending social engineering with sophisticated malware delivery: "LARVA‐208 has evolved its tactics, using fake AI platforms to lure victims with job offers or portfolio review requests". Researchers warn that this evolution is particularly dangerous given Web3 developers' access to smart contract repositories and digital wallets.
Technical analysis of the attack chain highlights several key stages: initial social engineering to establish rapport, redirection away from legitimate video conferencing services, presentation of a fake platform login UI asking for an email address and code, injection of an error prompt, and download and installation of malware. The payload then exfiltrates data including OS information, installed software lists, geolocation, and crypto‐wallet keys.
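As an added example (not from the article or PRODAFT's report), the following Python pass runs a simple detection over constructed process-creation events for the stage described above: an installer posing as a Realtek HD Audio driver launching PowerShell with hiding or encoding flags. The event field names (pid, ppid, image, cmdline, signed), the file paths and the PIDs are assumptions made for this illustration.

```python
import json
import re

# Constructed sample telemetry (made up for this example): one chain that
# matches the lure, and a benign launch of a signed Realtek control panel.
SAMPLE_EVENTS = r"""
{"pid": 4100, "ppid": 3002, "image": "C:\\Users\\dev\\Downloads\\RealtekHDAudioDriver_setup.exe", "cmdline": "RealtekHDAudioDriver_setup.exe", "signed": false}
{"pid": 4188, "ppid": 4100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc PLACEHOLDER", "signed": true}
{"pid": 5200, "ppid": 3002, "image": "C:\\Program Files\\Realtek\\Audio\\HDA\\RAVCpl64.exe", "cmdline": "RAVCpl64.exe", "signed": true}
{"pid": 5301, "ppid": 5200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\ProgramData\\Realtek\\check.ps1", "signed": true}
"""

AUDIO_LURE = re.compile(r"realtek|hd[ _-]?audio", re.I)          # name mimics the lure
USER_WRITABLE = re.compile(r"\\(users|temp|appdata)\\", re.I)     # where a browser saves downloads
POWERSHELL = re.compile(r"(^|\\)powershell(\.exe)?$", re.I)
HIDING_ARGS = re.compile(r"-(enc|e|ec)\b|-w(indowstyle)?\s+hidden|-nop\b|\biex\b|downloadstring", re.I)


def parse_events(text):
    """Map pid -> event for newline-delimited JSON process-creation records."""
    return {ev["pid"]: ev for ev in map(json.loads, text.strip().splitlines())}


def find_lure_chains(text):
    """Flag PowerShell started with hiding or encoding flags whose parent looks
    like an audio-driver installer but is unsigned or lives in a user-writable
    path. Returns a list of (parent_pid, child_pid, reasons)."""
    events = parse_events(text)
    hits = []
    for ev in events.values():
        if not (POWERSHELL.search(ev["image"]) and HIDING_ARGS.search(ev["cmdline"])):
            continue
        parent = events.get(ev["ppid"])
        if parent is None or not AUDIO_LURE.search(parent["image"]):
            continue
        reasons = []
        if not parent.get("signed", False):
            reasons.append("parent unsigned")
        if USER_WRITABLE.search(parent["image"]):
            reasons.append("parent in user-writable path")
        if reasons:  # a signed vendor installer under Program Files stays quiet
            hits.append((parent["pid"], ev["pid"], reasons))
    return hits


for parent_pid, child_pid, reasons in find_lure_chains(SAMPLE_EVENTS):
    print(f"ALERT: pid {parent_pid} -> powershell pid {child_pid}: {', '.join(reasons)}")
```

The benign chain (a signed binary under Program Files running a plain script) produces no alert, which is the false-positive case a real rule has to survive.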
SilentPrism, the backend infrastructure used by the group, centralises stolen data for later misuse or resale. PRODAFT links this infrastructure to known bulletproof hosting services and attributes it to Luminous Mantis, indicating that LARVA‐208 is expanding its cybercrime footprint.
Industry experts emphasise the operational risk: compromised Web3 developers could lead to direct financial theft, alteration of smart contract code, or exposure of sensitive assets. Germany, the UK, France, the Netherlands, Switzerland, and Estonia are among the regions with high concentrations of affected developers, making this a pan‐European threat.
Mitigation strategies advised include enforcing robust endpoint detection and response solutions, strict vetting of new AI and developer tools, and increased phishing awareness around scenario‐based lures such as job interviews or technical portfolio reviews. Security teams are also urged to segment development environments and require multi‐factor authentication for crypto‐wallet and code repository access.
The malware "Fickle Stealer", written in Rust, has previously been observed in desktop environment compromise. The new iteration leverages genuine‐looking audio software installation prompts to bypass user suspicion and evade traditional signature‐based defences.
Public discussion on Telegram and X indicates growing awareness within Web3 circles. A post on X summarised: "LARVA‐208 is targeting Web3 developers via fake AI platforms with job offers & portfolio reviews. Malware disguised as a Realtek HD Audio Driver ..." That visibility, however, comes as the group continues to refine its techniques.
The campaign has prompted calls among security professionals to update threat intelligence feeds with phishing domains and IoCs associated with Norlax AI and related platforms. Traditional defences, such as browser warnings and DMARC checks, may prove insufficient against multi‐stage social engineering that exploits trusted systems like Google Meet.
As artificial intelligence platforms proliferate, their credibility becomes a potent tool for manipulation. Analysts warn that the intersection of Web3 development and AI adoption provides fertile ground for advanced phishing. Proactive monitoring of credential‐stealing malware and rapid response protocols are now critical for organisations operating in decentralised contexts.
Source: Arabian Post, via MENAFN.