[Warning]Crypto hackers attack using ClickFix.

[satscraper]

ClickFix is the relatively new social engineering technique used by crypto hackers. The trick is that the malicious code triggering the attack appears on the victim’s machine only after they click something on the fraudulent page, rather than being explicitly downloaded. In the case described here, it was the fake Cloudflare verification page that looked identical to the real one. When the victims checked the box confirming they’re not a “camel,” the page silently copied  malicious command to their clipboard, which then appeared in their terminal and initiated the attack.

It’s cleverly designed, to say the least.

In situations like this, no one will call you paranoid for checking every URL of any page you intend to visit.

A couple of good URL checkers I personally use: urlscan, urlvoid, immuniweb

Be vigilant.

P.S. Please share any relevant checkers you use.

[joniboini]

I read this on another website recently. As far as I'm aware, the code isn't automatically run after you click or interact with the website. The users need to copy and paste it on their own. In theory, it should be easy to avoid as long as they don't copy-paste every code they see on the internet. There are different cases where the attackers use malicious or exploited extensions to collect users' data and launch remote execution, in which avoiding low-quality extensions should be the priority. Users should recognize the dangers of low usage extensions and closed sources one if they pay attention to security news. CMIIW.

[Chibit01]

This is scary, and not just those who visit some random site that could be affected by this clickfix attack, there was also some report from the link you shared which talk about the same hackers being associated with some Google extension that was built to help on running some certain task, before you know they will also expand to some well known help tools and before it will be discovered and made public many will already have been affected, this will be difficult for some to overcome especially as they might only be expecting to be exploit when they download a file or manual grant permission to third party, only clicking have put your entire device at risk.

[satscraper]

The users need to copy and paste it on their own.W.

Yeah, this is true regarding paste but not regarding copy, Malicious code enters their clipboard ^{after they click} automatically. No other actions, and this is the trick. Then users can accidentally paste this code into the terminal, and it really can happen.

For example, I do a lot of work in  terminal on my Xubuntu machine, so the terminal is open almost all the time. Sometimes, when I want to paste something into it, something completely different appears there instead.

 An inattentive user might press Enter without noticing.

[rdluffy]

...Then users can accidentally paste this code into the terminal, and it really can happen.

For example, I do a lot of work in  terminal on my Xubuntu machine, so the terminal is open almost all the time. Sometimes, when I want to paste something into it, something completely different appears there instead.

 An inattentive user might press Enter without noticing.

When I started reading, I got a little paranoid, hehehe
As you said, it can happen, of course, but I believe it would be extremely difficult for you to achieve because:

1 - most novice users will not open any terminal
2 - the vast majority of ordinary users do not access or use terminals
3 - those who use terminals are usually people who assume they have enough information to avoid falling for scams or phishing (like you)

But still, it's always good to be careful and learn about new scams so you don't fall for any

[Lucius]

@satscraper, when I read the article, I remembered at least one case that was also written about on this forum - because it all comes down to convincing the victim to copy the link and then press enter, and then it's game over if the victim has cryptocurrencies in hot wallets. Scammers usually approach victims using their LinkedIn profiles, and then send them a fake link on Zoom.

I learned as a kid not to talk to strangers, and I still apply that today when it comes to the online world, especially when someone starts asking you about cryptocurrencies. In fact, it's unlikely anyone will even ask me something like that, because apart from this forum, cryptocurrencies aren't a topic for me anywhere else.

Code:

https://decrypt.co/241422/how-to-spot-fake-zoom-links-scammers-are-using-to-steal-your-crypto

[Amphenomenon]

The users need to copy and paste it on their own.W.

Yeah, this is true regarding paste but not regarding copy, Malicious code enters their clipboard ^{after they click} automatically. No other actions, and this is the trick. Then users can accidentally paste this code into the terminal, and it really can happen.

Thinking of this makes it more scary and is no doubt they will target more Devs and might maybe make the false job requirements to including Linux users, since the majority using Linux OS must interact with their terminal.

It is just for everyone to be careful especially when it involves job seeking/interviews, this is one common target for attackers now, many are desperate to get that good jobs with benefits but we need to be extra careful.

Before clicking such links, do a digging if such user is member of the company and if such company exist, also, site like Virustotal and Scamadviser can be helpful to verify if a link is legitimate or malicious.

I learned as a kid not to talk to strangers, and I still apply that today when it comes to the online world, especially when someone starts asking you about cryptocurrencies. In fact, it's unlikely anyone will even ask me something like that, because apart from this forum, cryptocurrencies aren't a topic for me anywhere else.

Code:

https://decrypt.co/241422/how-to-spot-fake-zoom-links-scammers-are-using-to-steal-your-crypto

One important thing people often ignore is, anything that seems off, should be taken as a red flag already. There is no special job neither are you. A stranger who really generous or kind has something to steal from you. The internet is more dangerous than the real world...

Even when interacting with others we know cautiousness is important, people can be misleading or get their account hacked.

[AVE5]

It's unfortunately obvious that the internet is strictly a risky place where crime also have to advance as technology advances too and such is how more threats those using mobile wallet faces.
Some malicious attacks can be so sophisticating dangerous such that entirely doesn't operates by getting your recovery keys but also priotizes of stealing your funds by gaining access permission of clicking links.
These hidden hackers strategy can be too dangerous and on that note, it's also important to protect our device with anti malwares and selfly take adequate responsibilities with our privacies.

[Pablo-wood]

Obviously this criminals are consistent in their refining if social engineering techniques. I feel things might get worse now AI prompts can build virtually anything in the world. How in the world will a mere extension have malicious threats not to mention the case of the cloud flare verifier. It's becoming even more scary in the cyber space with the height at which this hackers are moving with. One has to be extremely careful while navigating through sites.

[Davidvictorson]

Scammers are getting more innovative but the thing is that they will always be found and exposed and it is left for those who are uninformed to get updated in their cybersecurity so as to not fall a victim to them. In my estimation, if a url, email, message, link looks sketchy, then it is. You gotta trust your instincts and don't even try to click or open it. 

Before clicking such links, do a digging if such user is member of the company and if such company exist, also, site like Virustotal and Scamadviser can be helpful to verify if a link is legitimate or malicious.

I can confirm that Virustotal is good for url checker and also file checker as well if the individual has other needs. However, be sure to use more than one if you need to be double certain.

[tabas]

Man, they're becoming more clever with this. With the usual cloudflare verification, we're required to press that check and if they're making that fake verification page as their agreement page, many are likely going to fall for this one. So, one best way is to avoid clicking on unknown links that are sent to us. With this, we're protecting ourselves and don't be that kind of guy that likes to click links usually. If you're not visiting those websites often, then don't do it as if it's necessary even when it's not. The scammers and hackers are reinvesting their ways of fooling us so be careful.

[Amphenomenon]

Before clicking such links, do a digging if such user is member of the company and if such company exist, also, site like Virustotal and Scamadviser can be helpful to verify if a link is legitimate or malicious.

I can confirm that Virustotal is good for url checker and also file checker as well if the individual has other needs. However, be sure to use more than one if you need to be double certain.

Yeah, I must add that Virustotal sometimes might not red flag an actual malicious link but after some while it will be flagged once verified. Adding Scamadviser _{another site doing similar job with more details} is helpful. Also we cannot be overly reliant on these tools, when something seems off,  different from the usual or someone shared something similar about an attack of such, avoid or take more time to verify and if you are being pressured just end things because that is a method use in social engineering attack.

[Outhue]

If you like hear or not, PC and computers are not safe for any crypto users or investors, if you must use computers make sure you separate your crypto wallet from PC, get a separate device for your crypto, and this is why I always recommend a hardware wallet that's completely open source. The most dangerous hardware you can use to store your crypto is computers, there are too many attacks you will have to look out for, you can't keep escaping from them all.

[satscraper]

3 - those who use terminals are usually people who assume they have enough information to avoid falling for scams or phishing (like you)

I feel safe because I actually use separate machines for browsing and for crypto clients that may be paired with my hardware crypto signers. But even with this setup I constantly harden my Xubuntu machine that I use for browsing. ^{Don’t believe those who say that Linux is safe by default. Without proper tuning, it’s full of holes that can be exploited by hackers}.

[Cryptinice]

ClickFix is the relatively new social engineering technique used by crypto hackers. The trick is that the malicious code triggering the attack appears on the victim’s machine only after they click something on the fraudulent page, rather than being explicitly downloaded. In the case described here, it was the fake Cloudflare verification page that looked identical to the real one. When the victims checked the box confirming they’re not a “camel,” the page silently copied  malicious command to their clipboard, which then appeared in their terminal and initiated the attack.

It’s cleverly designed, to say the least.
Be vigilant.

P.S. Please share any relevant checkers you use.

This is a good reminder that modern crypto attacks no longer rely only on downloads — they rely on user interaction and psychology. When a page asks you to paste a command into your terminal, that alone should trigger suspicion. No legitimate verification system requires that.

For beginners, especially if you don’t understand what a command does, don’t run it. In crypto, one pasted command can compromise your entire system or wallet.

Security today is less about antivirus software and more about behavior awareness. The safest habit is simple: slow down, verify URLs carefully, and never execute instructions from a page you don’t intentionally trust.

[joniboini]

Yeah, this is true regarding paste but not regarding copy, Malicious code enters their clipboard ^{after they click} automatically. No other actions, and this is the trick. Then users can accidentally paste this code into the terminal, and it really can happen.

That's a good point. I assume you mean the attacker can insert a newline code or something similar to trigger the enter key after the victim pastes the code into the terminal? I can see someone with no prior knowledge fall for an attack like that. Either you monitor your clipboard or copy-paste into another app to see what exactly you copied before executing it. I have a habit of doing that on my browser with the address bar or the search bar, but it's probably not ideal and unsafe for most users too.