Crazy Evil Gang Targets Crypto with StealC, AMOS, and Angel Drainer Malware
A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams designed to deceive victims into installing malware such as StealC, Atomic macOS Stealer...
What Happened?
Crazy Evil operates as a well-coordinated traffer network, specializing in identity fraud, cryptocurrency theft, and malware distribution. The gang relies on traffers—social engineering experts—who redirect legitimate traffic to malicious phishing pages. These traffers exploit platforms like Telegram, where their network operates under the alias @c, boasting over 4,800 subscribers.
Since at least 2021, Crazy Evil has acted as an intermediary, directing traffic to botnet operators who compromise users based on region, operating system, or specific targeting needs. According to researchers, their model closely resembles lead generation, but instead of selling products, they deliver victims to cybercriminal groups.
Unlike typical e-commerce scams, Crazy Evil specializes in digital asset theft, targeting non-fungible tokens (NFTs), cryptocurrencies, payment cards, and online banking accounts. Their operations have generated over $5 million in illicit revenue and compromised tens of thousands of devices worldwide.
Why This Matters
While many scam groups operate within narrow silos, Crazy Evil’s malware arsenal spans both Windows and macOS, broadening their attack surface. Their campaigns are highly targeted, with traffers spending days or weeks conducting reconnaissance before launching attacks.
Recent exit scams involving cybercrime groups Markopolo and CryptoLove have left a gap in the black market, and Crazy Evil has stepped in to fill the void. Their tactics have evolved into a fully structured affiliate program, offering instruction manuals, crypter services, and operational support to traffers.
Crypto Drainer Malware Operations
Crazy Evil operates through multiple sub-teams, each managing a specific scam to spread malware under the guise of legitimate services:
AVLAND (AVS | RG or AVENGE) – Uses fake job offers and investment scams to distribute StealC and AMOS via a fake Web3 tool called Voxium.
TYPED – Propagates AMOS stealer disguised as AI software named TyperDex.
DELAND – Spreads AMOS stealer under the pretense of a community development platform called DeMeet.
ZOOMLAND – Uses phishing pages impersonating Zoom and WeChat to infect users with AMOS stealer.
DEFI – Distributes AMOS stealer via a fake digital asset management service named Selenium Finance.
KEVLAND – Spreads AMOS stealer disguised as AI-powered virtual meeting software called Gatherum.
The Bigger Picture
Crazy Evil’s model represents the next evolution of cybercrime-as-a-service (CaaS). Using Telegram as a command hub, the gang directs traffers to private channels, each dedicated to a specific criminal activity:
Payments Channel – Tracks traffers’ earnings.
Logbar – Provides details of stolen credentials and attack successes.
Info Channel – Shares administrative and technical updates.
Global Chat – Acts as a general forum for traffers.
Beyond phishing attacks and malware distribution, Crazy Evil’s tactics mirror those of nation-state actors in the way they conduct intelligence gathering before deploying malware. Their approach involves deep reconnaissance, personalized phishing lures, and persistent targeting of high-value cryptocurrency users.
The Bottom Line
As long as crypto scams remain lucrative, groups like Crazy Evil will continue to evolve. Their highly structured, well-organized traffer system makes them an ongoing threat to the cryptocurrency sector. Cybersecurity teams must remain constantly vigilant as criminals refine their social engineering playbook.
The game is changing. Threat actors aren’t just using malware—they’re building entire business models around deception, infiltration, and monetization.
Stay ahead. Stay informed.