PANews reported on March 3rd that, according to Cointelegraph, hackers are using the "ClickFix" attack technique to steal cryptocurrencies. The two latest attacks involve impersonating venture capital firms and hijacking browser extensions. Cybersecurity firm Moonlock Lab reported that scammers posed as fake VC firms such as SolidBit, MegaBit, and Lumax Capital, contacting users via LinkedIn with offers of collaboration and then directing them to click on fake Zoom and Google Meet links. After clicking the links, users were redirected to a page with a fake Cloudflare "I'm not a bot" verification box. Clicking this box copied malicious commands to the clipboard and prompted users to open their terminal and paste a purported verification code, which executed the attack. Moonlock Lab pointed out that this method turns victims into the execution mechanism, bypassing the security industry's defenses.
Meanwhile, hackers also spread malware by hijacking the Chrome extension QuickLens. This extension allowed users to run Google Lens searches directly in their browsers; after ownership was transferred, the new version contained malicious scripts that could launch ClickFix attacks and steal information. The hijacked extension, which had approximately 7,000 users, would search for encrypted wallet data and mnemonic phrases to steal funds, and would also scrape Gmail inbox contents, YouTube channel data, and login credentials or payment information entered into web forms. The extension has been removed from the Chrome Web Store. The ClickFix technique, which has been popular among hackers since last year, forces victims to manually execute malicious payloads and has affected thousands of businesses and industries worldwide.


