Inside the Sophisticated Social Engineering Tactics Targeting NFT and Crypto Communities

In the fast-paced world of crypto, where vaporware projects and overnight rug pulls are all too common, scammers have turned their attention to a more insidious, slow-burn tactic: faking the revival of abandoned gaming projects to distribute malware—specifically, Rhadamanthys Stealer, a powerful info-stealer sold on the dark web.
Under the guise of offering paid Discord mod roles or early access to a play-to-earn beta, these groups manipulate users into installing a malicious launcher designed to harvest wallets, session cookies, browser data, and Discord credentials. In 2025, this isn’t fringe behavior—it’s industrialized.
The Scam Framework: A Coordinated Digital Trap
These schemes are well-coordinated and rely on the appearance of legitimacy:
1. Domain Recycling
Scammers scour marketplaces and buy abandoned domains of failed GameFi projects—often still listed on CoinMarketCap or with some lingering Telegram/Discord activity. These domains are cheap, sometimes under $5. Once repurposed, they carry the illusion of longevity, making them seem safer to curious newcomers.
2. Fake Twitter Blue Accounts
They purchase aged and previously verified Twitter accounts via third-party marketplaces like PlayerUp (2024), giving them access to private DMs and a veneer of trustworthiness. Blue checkmarks are vital; many users won’t see your DM unless your account is verified. These accounts often come with:
- Old creation dates (to avoid “new account” red flags).
- Existing followers (1K–5K to appear organic).
- Pinned tweets (to mimic real activity).
Other sources include:
- Fun.play (Russian marketplace)
- Underground Telegram channels
3. Crafting the Perfect Fake Profile
- Profile Picture: A mid-value NFT (e.g., worth $250–$5K) to avoid looking like a scammer’s “expensive PFPs.”
- Username: 0xSomethingCool (e.g., 0xBullDriver, 0xPeterPan).
- Bio Template: “Proud father of [Name], Part-time [Job] | Crypto Enthusiast | $BTC $SOL $ETH”
- Pinned Tweet: A generic hobby post (e.g., about “kids” or crypto) to seem genuine.
4. Staged Social Proof
The scammers then fill the fake project Twitter with recycled crypto memes, stolen tweets, and fabricated engagement boosted by cheap SMM (social media marketing) services like Twiboost and SMMFlare. Some even mimic NFT influencers with profile photos generated or lifted from real collections.
Browser Fingerprinting Avoidance: Operational Security for Criminals
Behind the scenes, they use anti-detect browsers such as Dolphin Anty or Incogniton, which let them manage hundreds of isolated Twitter profiles, each with a unique digital fingerprint and rotating IP proxies (smspva.com, nodemaven.com). This prevents Twitter from linking accounts used in parallel campaigns.
These setups are cloned across teams working worldwide. The low cost and minimal risk make this type of malware distribution more scalable than phishing.
Rhadamanthys Stealer: What It Does
Once you install the so-called “launcher” from the scam project, you are executing a bundled version of Rhadamanthys Stealer, a malware-as-a-service kit first documented in 2023 (ANY.RUN, 2023; Centripetal, 2025).
Rhadamanthys:
- Steals login credentials, cookies, saved passwords from browsers
- Scrapes Discord and Telegram session tokens
- Targets hot wallets like MetaMask, Phantom, Rabby
- Sends all exfiltrated data to a remote C2 server via encrypted tunnels
- Uses anti-debugging and anti-sandbox techniques to avoid detection
Some builds also include secondary payloads, such as remote access trojans (RATs), screen capture modules, and clipboard hijackers to replace wallet addresses.
Social Engineering 101: How They Hook You
Once the infrastructure is live, the playbook kicks in:
- You receive a Twitter DM from a verified-looking account offering a part-time mod or community manager job ($1,000-$1,400/week).
- They direct you to a website, GitBook whitepaper, and Discord link all cloned from the original abandoned project.
- You’re asked to onboard by creating an in-game account.
- They send you a “beta launcher” and tell you to choose the EU server because “US and Asia are updating.”
- You install the malware. Your data is exfiltrated in minutes.
Some campaigns continue by using your hijacked Discord account to send similar offers to your friends. Others drain your hot wallet silently.
This Is Not an Isolated Operation
These groups often operate like marketing agencies, complete with CRM dashboards, recruitment scripts, and structured FAQs. Leaked playbooks reveal:
- Scripts for Twitter cold DMs, Discord follow-ups, and job onboarding
- Probing questions to build trust: “What timezone are you in? Do you use Mac or PC?”
- Incentives like “you’ll be paid upfront,” or “we pay on the first day”
- Instructions to delay any skepticism with friendly, chatty pacing (“Social Engineering 101”)
Victims are tracked, sorted, and segmented by response level. Once they reply, they are moved into “warm lead” categories.
Don’t Assume a Website Is Safe Because It’s Old
Many victims fall for this scam because the project appears aged or recognizable. It might be listed on CoinGecko, or have threads dating back to 2022. But this means nothing.
Domain age is not security. In fact, old abandoned domains are now a prime attack vector. Hosting origin matters more than WHOIS data. If the infrastructure can’t be transparently verified, assume it’s compromised.
How to Protect Yourself
- Never download a launcher from a project unless it’s publicly vetted (open-source or backed by credible audits).
- Verify domain history using tools like WHOIS or the Wayback Machine, but look deeper: check DNS routing, server origin, and hosting behavior over time, not just the registration date.
- Don’t trust job offers via DMs, especially from accounts offering “just 3 hours a day” and “easy weekly pay.”
- Always scan unknown executables in a sandbox or VM.
- Use extensions like WalletGuard or ScamSniffer.
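The “domain age is not security” point above can be turned into a concrete check. The following is an added example, not code from the original article: it takes a constructed history of passive-DNS and web-archive observations for a domain (the dates, nameservers and IP addresses are made up) and flags the recycled-domain pattern the article describes: an old registration, a long period with no activity, and a change of nameservers and hosting right before the domain goes live again.

```python
from datetime import date

# Each observation is (seen, kind, value): the date a record was observed,
# its kind ("ns" nameserver, "a" address, "snapshot" archived page) and the value.

def find_dormancy_gaps(obs, min_gap_days=270):
    """Pairs of dates between which nothing at all was observed for the domain."""
    dates = sorted({seen for seen, _, _ in obs})
    return [(a, b) for a, b in zip(dates, dates[1:]) if (b - a).days >= min_gap_days]

def hosting_changed_across(obs, gap):
    """True if no NS or A record seen before the gap is still present after it."""
    start, end = gap
    before = {(k, v) for seen, k, v in obs if k in ("ns", "a") and seen <= start}
    after = {(k, v) for seen, k, v in obs if k in ("ns", "a") and seen >= end}
    return bool(before) and bool(after) and not (before & after)

def assess_domain(created, obs, today):
    """Combine registration age with dormancy and hosting-change signals into flags."""
    flags = []
    for start, end in find_dormancy_gaps(obs):
        flags.append(f"dormant {start} to {end}")
        if hosting_changed_across(obs, (start, end)):
            flags.append(f"hosting changed after dormancy ending {end}")
    recently_active = any(k == "snapshot" and (today - seen).days <= 60 for seen, k, _ in obs)
    if (today - created).days >= 2 * 365 and flags and recently_active:
        flags.append("old registration but freshly re-activated: treat as untrusted")
    return flags

# Constructed sample: a GameFi domain registered in 2021, live through mid-2022,
# silent for almost three years, then pointed at new nameservers and a new host.
SAMPLE_CREATED = date(2021, 9, 3)
SAMPLE_TODAY = date(2025, 4, 20)  # as-of date for the constructed histories
RESURRECTED = [
    (date(2021, 9, 10), "ns", "ns1.oldhost.example"),
    (date(2021, 9, 10), "a", "203.0.113.10"),
    (date(2022, 6, 1), "snapshot", "original project site archived"),
    (date(2025, 3, 14), "ns", "ns1.newhost.example"),
    (date(2025, 3, 14), "a", "198.51.100.77"),
    (date(2025, 4, 2), "snapshot", "revival site archived"),
]
# Constructed control: same registration date, same host throughout, archived regularly.
STEADY = [
    (date(2021, 9, 10), "ns", "ns1.oldhost.example"),
    (date(2022, 6, 1), "snapshot", "archived"),
    (date(2023, 2, 15), "snapshot", "archived"),
    (date(2023, 11, 1), "snapshot", "archived"),
    (date(2024, 7, 15), "snapshot", "archived"),
    (date(2025, 3, 20), "snapshot", "archived"),
]
```

`assess_domain(SAMPLE_CREATED, RESURRECTED, SAMPLE_TODAY)` returns three flags (dormancy, hosting change, and the re-activation verdict), while the STEADY history returns none despite sharing the same registration date.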
References
ANY.RUN. (2023, June 16). Rhadamanthys stealer malware analysis, overview by ANY.RUN. https://any.run/malware-trends/rhadamanthys/
Centripetal. (2025, February 24). Security bulletin: Rha-Rha-Rhadamanthys information stealer. https://www.centripetal.ai/alerts/rha-rha-rhadamanthys-information-stealer/
SOC Prime. (2023, January 19). Rhadamanthys malware detection: New infostealer spread via Google ads, spam emails to target crypto wallets and dump sensitive information. https://socprime.com/blog/rhadamanthys-malware-detection-new-infostealer-spread-via-google-ads-spam-emails-to-target-crypto-wallets-and-dump-sensitive-information/