
A cloned DAO platform distributed StealC via Dropbox, stealing wallet credentials and hijacking clipboard transactions. The attack exploits trust in AI tools.
In February 2025, a blockchain development firm discovered that an employee had been redirected to a fake website. The site, tidyme.io, cloned the legitimate DAO management platform peerme.io. Seconds later, multiple cryptocurrency wallets linked to the organization were drained.
Security researchers at Kaspersky traced the attack to StealC, a modular information stealer designed to harvest browser data, passwords, and private keys. The malware reached victims through a malicious Electron application disguised as a platform update. The attackers stored the payloads on Dropbox, using it as the delivery infrastructure for both Windows and macOS machines.
The malware included a config.json file with Base64-encoded URLs pointing to additional stages. A JavaScript function inside preload.js handled downloading the archive and preparing it for execution. Kaspersky noted that internal log messages referred to victims as "Mammoths."
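The config.json pattern described above, Base64-encoded strings that decode to download URLs on a file-sharing host, is something a responder can triage mechanically. The following scanner is an added example written for this article, not code from Kaspersky's report or from the malware; the sample config, its key names ("update", "stage2", "telemetry") and the EXAMPLE placeholder URLs are constructed and are not indicators from the campaign.

```python
import base64
import binascii
import json
import re
from urllib.parse import urlparse

# Constructed sample of what an Electron app's config.json might look like.
# The key names are hypothetical and the URLs use EXAMPLE placeholders; none
# of these values are indicators from the Kaspersky report.
SAMPLE_CONFIG = json.dumps({
    "version": "1.4.2",
    "update": base64.b64encode(b"https://www.dropbox.com/s/EXAMPLE/update.zip?dl=1").decode(),
    "stage2": base64.b64encode(b"https://dl.dropboxusercontent.com/s/EXAMPLE/payload.bin").decode(),
    "telemetry": "https://example.com/ping",
    "name": "TidyMe Updater",
})

# Legitimate file-sharing services that are commonly abused as payload hosting.
# A hit here is a triage signal, not proof of malice on its own.
FILE_SHARING_HOSTS = {"dropbox.com", "dropboxusercontent.com"}
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
B64_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")

def _walk_strings(node, path="$"):
    """Yield (json_path, string) for every string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def _try_b64(s):
    """Return decoded bytes if s looks like Base64 and decodes cleanly, else None."""
    if not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None

def scan_config(text):
    """Return findings for every URL found in plain or Base64-encoded string values."""
    findings = []
    for path, value in _walk_strings(json.loads(text)):
        candidates = [("plain", value.encode())]
        decoded = _try_b64(value)
        if decoded is not None:
            candidates.append(("base64", decoded))
        for encoding, blob in candidates:
            for m in URL_RE.finditer(blob):
                url = m.group(0).decode("utf-8", "replace")
                host = (urlparse(url).hostname or "").lower()
                # Reduce www.dropbox.com -> dropbox.com before the allowlist lookup.
                root = ".".join(host.rsplit(".", 2)[-2:])
                findings.append({
                    "path": path,
                    "encoding": encoding,
                    "url": url,
                    "host": host,
                    "file_sharing": root in FILE_SHARING_HOSTS,
                })
    return findings

def suspicious(findings):
    """Encoded URLs pointing at file-sharing hosts are the pattern the report describes."""
    return [f for f in findings if f["encoding"] == "base64" and f["file_sharing"]]

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        flag = "SUSPICIOUS" if f["encoding"] == "base64" and f["file_sharing"] else "info"
        print(f"[{flag}] {f['path']} ({f['encoding']}): {f['url']}")
```

Run it against an unpacked Electron app's resources directory by feeding each config-looking JSON file to scan_config; the decoded URLs and their JSON paths are the values to pivot on when comparing against published indicators.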
The third sub-campaign impersonated an AI translator project, luring users with a promise of legitimate features. This shift exploits the growing trust in AI tools, a pattern researchers said is increasingly common.
StealC collected clipboard data and replaced copied cryptocurrency wallet addresses with addresses controlled by the attackers. A user who copied a recipient address would paste the attacker's address instead. Kaspersky identified an Ethereum wallet address linked to the campaign.
The attack chain shows how typosquatting, cloud storage abuse, and social engineering combine to bypass basic security habits. A single download from a cloned domain can expose seed phrases and private keys.
Users should verify the domain of any platform before downloading updates, especially when the URL differs by a character or two. Hardware wallets that require physical confirmation for each transaction block clipboard hijacking. For software wallets, manually typing addresses or using whitelisted addresses reduces exposure.
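Two of the defensive habits above, checking the download domain and refusing to send to anything but a pre-approved recipient, can be enforced in code rather than left to eyesight. The example below is added for this article and is not part of Kaspersky's report or of any wallet software; peerme.io is the legitimate domain named in the story, while wallet.example.org, the whitelist labels and the all-1s and all-2s addresses are constructed placeholders. The recipient check compares what actually landed in the paste buffer against the whitelisted address the user intended, which is exactly the comparison a clipboard-substituting stealer like StealC defeats when it is skipped.

```python
import re
from urllib.parse import urlparse

# Exact set of domains the user has decided to trust. Anything else is
# untrusted no matter how similar it looks. peerme.io comes from the report;
# wallet.example.org is a constructed placeholder.
TRUSTED_DOMAINS = {"peerme.io", "wallet.example.org"}

# Pre-approved recipient addresses (constructed placeholder values).
ADDRESS_WHITELIST = {
    "treasury": "0x1111111111111111111111111111111111111111",
    "exchange": "0x2222222222222222222222222222222222222222",
}

HEX40_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def _edit_distance(a, b):
    """Levenshtein distance; used only to explain why a domain was rejected."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_download_url(url):
    """Allow a download only if its host is a trusted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return {"allowed": True, "host": host, "matched": trusted}
    # Rejected: report the closest trusted name so the user sees the look-alike.
    nearest = min(TRUSTED_DOMAINS, key=lambda t: _edit_distance(host, t))
    return {"allowed": False, "host": host, "nearest": nearest,
            "distance": _edit_distance(host, nearest)}

def check_recipient(pasted, intended_label):
    """Compare the pasted address with the whitelisted one the user meant to use."""
    candidate = pasted.strip()
    expected = ADDRESS_WHITELIST[intended_label]
    if not HEX40_RE.match(candidate):
        return {"ok": False, "reason": "not a 0x-prefixed 40-hex-digit address"}
    if candidate.lower() != expected.lower():
        # The paste buffer holds something other than the approved address:
        # the symptom of clipboard substitution. Refuse and show both values.
        return {"ok": False, "reason": "pasted address does not match whitelist",
                "pasted": candidate, "expected": expected}
    return {"ok": True, "address": expected}

if __name__ == "__main__":
    print(check_download_url("https://peerme.io/app/update.zip"))
    print(check_download_url("https://tidyme.io/app/update.zip"))
    print(check_recipient("0x1111111111111111111111111111111111111111", "treasury"))
    print(check_recipient("0x2222222222222222222222222222222222222222", "treasury"))
```

The domain check is deliberately an exact allowlist rather than a similarity threshold: tidyme.io sits four edits from peerme.io, far enough that a "differs by a character or two" heuristic would have let it through, so the distance is reported for explanation only and never used to grant trust.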
Kaspersky's report provided indicators including the fake domain, Dropbox URLs, and the Ethereum wallet. VirusTotal community comments surfaced additional details about the campaign's scope. The same infrastructure could target any crypto platform with a desktop client.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.