A sophisticated phishing kit known as CryptoChameleon has been uncovered by Lookout, Inc. [2] [3] [4] [6], targeting cryptocurrency platforms [1] [2] [3] [4] [5] [6] [8] [10], employees of Binance and Coinbase [2] [4] [5] [6], and the Federal Communications Commission (FCC) in the United States [2] [4] [6] [8].


This phishing kit [1] [2] [3] [4] [5] [6] [7] [8] [9], CryptoChameleon [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], utilizes text messages [2] [3] [4] [6], email [8], and voice calls to deceive victims and gather sensitive data such as usernames [3], passwords [2] [3] [4] [5] [6] [8], password reset URLs [4] [5] [6] [8], and photo IDs [2] [3] [4] [5] [6] [8]. It specifically targets users of cryptocurrency and Single Sign-On (SSO) services [2], mimicking tactics used by the Scattered Spider cybercriminal group [2] [4] [6]. CryptoChameleon is capable of targeting organizations utilizing solutions like Okta, Outlook [2] [4] [5] [6], and Google [2] [3] [4] [5] [6], using authentic-looking phone numbers and websites to deceive victims [2]. Lookout customers using Phishing Content Protection (PCP) are protected from these attacks [4]. The phishing kit employs evasion tactics like completing captchas using hCaptcha and impersonating reputable company brands and authentication processes [2]. Lookout has identified over 250 phishing sites utilizing CryptoChameleon and advises users and organizations to safeguard their data and devices against these threats. Organizations are encouraged to educate employees on social engineering tactics [5], implement policies for verifying the source of requests [5], utilize password managers, and enable multifactor authentication to strengthen defenses against phishing attacks targeting mobile users. Evidence suggests that hundreds of victims have been impacted by the attack [9], primarily US-based users [8], with many still active [8]. The attackers behind this campaign are believed to be financially motivated threat actors who have previously targeted enterprise and government organizations [7]. The phishing kit used in these attacks has affected hundreds of victims and employs social engineering tactics to lure victims into providing their credentials [7]. The attackers also use native English speakers with professional call center skills to assist in the phishing process [7]. These attacks rely on active engagement by the victims with the attackers [7], and individuals are advised to avoid responding to unsolicited outreaches and report any suspicious activity to corporate security teams [7]. As cryptocurrencies increase in value [7], threat actors are expected to intensify their efforts in breaching accounts [7]. The detailed focus and use of manual operators in the CryptoChameleon campaign suggest a sophisticated approach to fooling victims [7]. The motivation behind targeting FCC employees may be to showcase the threat actor’s capabilities in breaching federal agencies [7], indicating a broader aim to target organizations beyond financial accounts [7]. Lookout researchers have identified over 250 phishing sites using this kit [1] [4] [9], with victims impacted by the attack [1] [4] [6] [9]. Lookout Mobile Endpoint Security customers have been protected against these phishing sites since before the discovery in February 2024 [1] [4]. The kit is continuously evolving [1], and Lookout will update protections for customers as necessary [1].


The impact of the CryptoChameleon phishing kit on organizations and individuals is significant, with hundreds of victims affected by the attacks [4] [6] [9]. To mitigate these threats, users and organizations are advised to take proactive measures such as educating employees on social engineering tactics, implementing verification policies, using password managers [5], and enabling multifactor authentication [1] [3] [5] [9]. As threat actors continue to target financial accounts, it is crucial for individuals to remain vigilant and report any suspicious activity. The evolving nature of the phishing kit suggests that future attacks may become more sophisticated, emphasizing the need for continuous updates and protections.


[1] https://vmblog.com/archive/2024/02/29/lookout-discovers-advanced-phishing-kit-targeting-u-s-federal-agency-and-cryptocurrency-exchange-organizations.aspx
[2] https://www.lookout.com/news-release/lookout-discovers-advanced-phishing-kit-targeting-u-s-federal-agency-and-cryptocurrency-exchange-organizations
[3] https://bnnbreaking.com/tech/cybersecurity/cryptochameleon-phishing-kit-targets-fcc-crypto-platforms-lookout-unveils-threat
[4] https://ai-techpark.com/lookout-discovers-cryptochameleon-targeting-fcc-crypto-platforms/
[5] https://www.darkreading.com/application-security/cryptochameleon-attackers-target-apple-okta-users-tech-support-gambit
[6] https://markets.financialcontent.com/stocks/article/bizwire-2024-2-29-lookout-discovers-advanced-phishing-kit-targeting-us-federal-agency-and-cryptocurrency-exchange-organizations
[7] https://www.scmagazine.com/news/cryptochameleon-campaign-targets-employees-of-cryptocurrencies-fcc
[8] https://www.hackread.com/cryptochameleon-phishing-crypto-users-fcc-employees/
[9] https://finance.yahoo.com/news/lookout-discovers-advanced-phishing-kit-130000849.html
[10] https://allinfosecnews.com/item/lookout-discovers-cryptochameleon-targeting-fcc-crypto-platforms-2024-03-01/