On July 22, 2025, cybersecurity researchers uncovered a sophisticated phishing campaign targeting Web3 developers and cryptocurrency users through fraudulent AI platforms. Dubbed LARVA-208 (also known as EncryptHub or Water Gamayun), this operation deploys malware like Fickle Stealer to harvest usernames, passwords, and crypto wallet credentials. Shared by users like @R4yt3d on X, the campaign exploits the hype around AI and Web3 to lure victims, emphasizing the growing intersection of emerging tech and cyber threats. This incident aligns with a broader surge in AI-fueled scams, contributing to over $4.6 billion in crypto losses in 2024 alone. Below, we detail the campaign, its methods, impacts, and protective strategies.
Detected on July 22, 2025, by firms like AhnLab and shared via platforms including The Hacker News and SecurityOnline, LARVA-208 targets English-speaking IT professionals and Web3 developers. The group creates phony AI platforms, such as "Norlax AI," mimicking legitimate tools to distribute malware. This financially motivated actor has evolved from previous campaigns involving fake gaming and Web3 firms, now incorporating AI themes to capitalize on current trends. The operation is part of EncryptHub's broader activities, with attacks observed worldwide but focusing on crypto ecosystems. No specific victim counts have been disclosed, but the potential for widespread compromise is high given the malware's info-stealing capabilities.
LARVA-208 employs social engineering via fake job postings and AI platform demos to trick users into downloading malicious files. Victims are directed to bogus sites like norlax-ai[.]com, where they encounter lures promising AI-driven tools for Web3 development. These sites host Fickle Stealer, a malware that extracts browser data, crypto wallets, and credentials. Common vectors include:
The malware supports over 35 browsers and 100+ crypto extensions, exfiltrating data to attacker-controlled servers.
This campaign evolves from earlier EncryptHub efforts, incorporating AI hype to enhance phishing efficacy. Tactics include professional-looking fake sites with SSL certificates and social proof to lower suspicions. Once infected, Fickle Stealer scans for sensitive files, including crypto wallets like MetaMask and Phantom, and uploads them via Telegram bots. Similar to past scams draining $2.1 billion in 2024, this operation uses unrestricted AI models for generating phishing content. X users like @the_yellow_fall and @fridaysecurity have highlighted these tactics, urging vigilance.
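Two of the behaviours described above are visible in egress logs: contact with the lure domain (norlax-ai[.]com, the only indicator the article names) and the stealer's upload of harvested wallet data through the Telegram Bot API. The following triage script is an added example written for this page, not code from the researchers, AhnLab, or any vendor named above. The proxy log format and the sample lines are constructed; the Telegram Bot API URL shape (`api.telegram.org/bot<token>/<method>`) is the real public API. The bot token is masked in the output so that findings can be shared without leaking the attacker's credential.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample proxy log (NOT from the article): ts, host, user, process, method, url
SAMPLE_LOG = """\
2025-07-22T10:01:03Z host1 alice chrome.exe GET https://norlax-ai.com/demo/download
2025-07-22T10:01:09Z host1 alice NorlaxAI-Setup.exe POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendDocument
2025-07-22T10:02:11Z host2 bob chrome.exe GET https://web.telegram.org/a/
2025-07-22T10:03:40Z host3 carol slack.exe POST https://slack.com/api/files.upload
"""

# Lure domain named on the page (defanged there as norlax-ai[.]com); extend with your own intel feed.
KNOWN_LURE_DOMAINS = {"norlax-ai.com"}

# Telegram Bot API path: /bot<numeric id>:<secret>/<method>. Ordinary users of Telegram
# (web.telegram.org, desktop client) never hit the bot API with a token in the path.
TELEGRAM_BOT_RE = re.compile(
    r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>sendDocument|sendMessage|sendPhoto)\b"
)


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    process: str
    detail: str


def _is_lure_domain(hostname: str) -> bool:
    """Exact or subdomain match against the lure-domain watchlist."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in KNOWN_LURE_DOMAINS)


def parse_line(line: str):
    """Split one constructed-format log line into fields; returns None for malformed lines."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    ts, host, user, process, method, url = parts
    return {"ts": ts, "host": host, "user": user, "process": process, "method": method, "url": url}


def triage(log_text: str) -> list[Finding]:
    """Return findings for lure-domain contact and Telegram Bot API uploads."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        hostname = (parts.hostname or "").lower()

        if _is_lure_domain(hostname):
            findings.append(Finding(
                "lure-domain", rec["host"], rec["user"], rec["process"],
                f"contact with known lure domain {hostname}",
            ))

        if hostname == "api.telegram.org":
            m = TELEGRAM_BOT_RE.match(parts.path)
            if m:
                # Keep only the numeric bot id so the finding can be shared without the secret.
                masked = m.group("token").split(":")[0] + ":***"
                findings.append(Finding(
                    "telegram-bot-api-upload", rec["host"], rec["user"], rec["process"],
                    f"{rec['process']} called {m.group('method')} on bot {masked}",
                ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.host} {f.user} {f.process}: {f.detail}")
```

On the constructed log this flags the browser visit to the lure domain and the installer-named process posting a document to a Telegram bot, while leaving the legitimate web.telegram.org and Slack uploads alone. In practice the second rule is the more durable one: lure domains rotate, but an info-stealer that uses Telegram as its exfiltration channel has to hit the bot API with a token in the URL path, which no normal user workflow does.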
This phishing wave amplifies risks in DeFi, where stolen credentials can lead to wallet drains and unauthorized transactions. With AI making scams more convincing, users face increased exposure to fake approvals and drainers. Broader impacts include eroded trust in Web3 projects and potential regulatory scrutiny, as seen in campaigns like Bitget's Anti-Scam Month. For developers, it underscores the need for secure practices amid rising cybersquatting and fake NFT lures.
To counter this threat, prioritize education and technical safeguards:
As Web3 and AI converge, staying informed is key. Follow updates from sources like Cybersecurity News and X alerts to mitigate these evolving risks.