Ethereum developer exposes phishing scam using a fake StreamYard domain
An Ethereum developer has just unmasked a sophisticated phishing operation that used a fake StreamYard domain to deceive unsuspecting users.
The trap, built with surgical precision, imitated the legitimate streaming platform in order to steal credentials and funds from connected wallets.
How the deception worked: the attackers built a near-perfect replica of the official site, exploiting the community's trust in popular collaboration tools.
The developer spotted suspicious patterns in the transactions linked to the fake domain, red flags that any experienced investor would recognize instantly.
Security lesson: always verify URLs before connecting a wallet, and use contract-verification tools. In crypto, even the juiciest "yields" can hide poisoned hooks, especially when markets are at all-time highs and greed clouds judgment.
Phisher tried to ‘help’ Zak install malicious app
According to the Ether core dev, the email included a link displayed as streamyard.com but was actually hyperlinked to streamyard.org. When Cole clicked, the page returned an “error joining” message and instructed him to download a desktop application to continue.
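The lure worked because the visible link text named one domain while the href pointed at another. The following is an added example, not code from the article or from Cole: a small checker that parses an HTML e-mail body, extracts every anchor, and flags any whose visible text names a registrable domain different from the href's host. The sample e-mail is constructed here to mirror the mismatch described above (streamyard.com shown, streamyard.org linked); the two-label "registrable domain" rule is a deliberate simplification that does not handle suffixes like co.uk.

```python
"""Flag anchors whose visible text names a different domain than the href.

Added example (not the article's or Cole's code). The e-mail body below is
constructed to mirror the streamyard.com / streamyard.org mismatch.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Loose pattern for "something that looks like a hostname" inside link text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude eTLD+1: last two labels. Fine for .com/.org, wrong for co.uk (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str):
    """Return (visible text, href host) for anchors whose text names another domain."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = urlparse(href).hostname or ""
        for shown in HOST_RE.findall(text):
            if registrable(shown) != registrable(href_host):
                findings.append((text, href_host))
                break
    return findings


# Constructed sample: first link shows .com but points at .org, the others are benign.
SAMPLE_EMAIL = """
<p>Join the stream here: <a href="https://streamyard.org/abc123">streamyard.com</a></p>
<p>Docs: <a href="https://docs.streamyard.com/help">docs.streamyard.com</a></p>
<p><a href="https://example.org/x">Click here</a></p>
"""

if __name__ == "__main__":
    for text, host in find_mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: link text {text!r} but href host is {host!r}")
```

The same check is worth running on any HTML mail before acting on a "join the call" link: a mail client renders the text, not the target, and a one-letter TLD swap is exactly what this pattern catches.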

In the screenshots Cole shared on his X thread, he initially declined to install it because of his company's security policies, but the attacker begged him to add it "just this once," even sending a video tutorial showing how to install the supposed app.
“Mate, it’s StreamYard, they have over 3 mil users. I have a corp laptop too, but it’s all good. The browser version barely works, maybe 1 out of 20 attempts actually connects. I’m pretty sure they keep it around as marketing, but in practice everyone ends up using the desktop app. Way more stable…” the message read.
That was when Cole saw “red flags everywhere,” and downloaded the package onto a controlled lab machine instead of his work computer.
Inside the DMG file, he found a hidden Mach-O binary named ".Streamyard," a Bash loader, and a fake Terminal icon meant to trick users into dragging the loader onto Terminal, which runs it as a script without Gatekeeper's checks.
He described the loader as a “Russian nesting doll of bullshit,” explaining how it concatenated base64 fragments, decrypted them with a key, re-encoded the result, and executed it. Each step was intended to evade antivirus detection.
"Decoded offline, Stage2 was AppleScript that would find the mounted volume, copy .Streamyard to /tmp/.Streamyard, strip quarantine with xattr -c, chmod +x, then execute. Silent, surgical, and deadly," the dev explained, posting the code alongside.
Cole added that if a victim disabled macOS Gatekeeper or fell for the phishing Terminal drag trick, the malware would have silently exfiltrated everything, including passwords, crypto wallets, emails, messages, and photos.
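The loader chain described above (hidden Mach-O, Bash loader made of concatenated base64 fragments, a decoded AppleScript stage that copies to /tmp, clears quarantine with xattr -c and marks the file executable) is the kind of thing to triage offline on a lab box, exactly as Cole did. The following is an added example, not the article's or Cole's code: it builds a constructed stand-in for the DMG contents in a temporary directory, then walks it looking for hidden files, Mach-O magic bytes, and the loader behaviours named in the article, reassembling and peeling the quoted base64 fragments to scan the inner stage too. The sample files, the regex patterns and the fragment layout are all assumptions modelled on the description; the real loader also applied a key-based decryption step, which this example does not reproduce because the key is not on the page.

```python
"""Offline triage of extracted DMG contents (added example, not the article's code).

Everything below is constructed: a fake ".Streamyard" with a Mach-O header and an
"install.sh" that stacks base64 twice and splits it into quoted fragments, the way
the article describes the loader concatenating fragments before decoding.
"""
import base64
import re
import tempfile
from pathlib import Path

# 32/64-bit, both byte orders, plus fat binaries.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

# Behaviours taken from the article's Stage2 description (patterns are assumptions).
SUSPICIOUS = {
    "strips quarantine": re.compile(r"xattr\s+(-c|-d\s+com\.apple\.quarantine)"),
    "marks executable":  re.compile(r"chmod\s+\+x"),
    "hidden tmp path":   re.compile(r"/tmp/\.\w+"),
    "base64 decode":     re.compile(r"base64\s+(-d|--decode|-D)"),
}
# Quoted base64-looking fragments, e.g. f0="...." lines in a Bash loader.
B64_FRAG_RE = re.compile(r'"([A-Za-z0-9+/=]{16,})"')

# Constructed Stage2 mirroring the described behaviour (not the real script).
STAGE2 = ('tell application "Finder" to set vol to "/Volumes/StreamYard"\n'
          'do shell script "cp " & vol & "/.Streamyard /tmp/.Streamyard; '
          'xattr -c /tmp/.Streamyard; chmod +x /tmp/.Streamyard; /tmp/.Streamyard"\n')


def is_macho(path: Path) -> bool:
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS


def peel_base64(blob: str, max_layers: int = 8) -> str:
    """Decode stacked base64 until the result is no longer valid base64 + UTF-8."""
    text = blob
    for _ in range(max_layers):
        try:
            text = base64.b64decode(text, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
    return text


def scan_text(text: str) -> list:
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]


def triage(root: Path) -> dict:
    """Return {relative path: [findings]} for every file under root."""
    report = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        findings = []
        if p.name.startswith("."):
            findings.append("hidden file")
        if is_macho(p):
            findings.append("Mach-O binary")
        text = p.read_text(errors="ignore")
        findings += scan_text(text)
        # Reassemble the quoted fragments in file order and peel the layers.
        joined = "".join(B64_FRAG_RE.findall(text))
        if joined:
            inner = peel_base64(joined)
            if inner != joined:
                findings += ["stage in " + f for f in scan_text(inner)]
        if findings:
            report[str(p.relative_to(root))] = findings
    return report


def build_sample(root: Path) -> None:
    """Write the constructed stand-in for the DMG contents."""
    (root / ".Streamyard").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)
    enc = base64.b64encode(base64.b64encode(STAGE2.encode())).decode()
    n = (len(enc) + 2) // 3                       # three fragments, none short
    frags = [enc[i:i + n] for i in range(0, len(enc), n)]
    lines = [f'f{i}="{frag}"' for i, frag in enumerate(frags)]
    lines.append('echo "$f0$f1$f2" | base64 -d | base64 -d | osascript')
    (root / "install.sh").write_text("#!/bin/bash\n" + "\n".join(lines) + "\n")


def triage_sample() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample(root)
        return triage(root)


if __name__ == "__main__":
    for path, findings in triage_sample().items():
        print(f"{path}: {', '.join(findings)}")
```

Run it against a mounted volume (`triage(Path("/Volumes/StreamYard"))`) rather than the temp sample to use it for real; the point of peeling the fragments before scanning is that the outer loader text looks harmless and only the decoded stage contains the xattr/chmod/tmp combination.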
Conversation with the attacker reveals hired malware services
Rather than stopping there, Cole asked the scammer for help and joined a live call with him. The attacker appeared nervous and read from a script while trying to guide him through the fake installation.
During the video call session, the Ether programmer began screen-sharing, scrolling through a folder of explicit Kim Jong Un videos to throw the attacker off balance.
As he pressed for answers on why it wasn’t working, the scammer admitted he was not part of a state-backed operation, but was in an active community of hackers that had rented a phishing kit for about $3,000 a month.
Cole noted the attacker used colloquialisms such as “mate” to trick victims into thinking he was based in the United Kingdom or close to the United States. The attacker also revealed that he did not control the infrastructure directly and could not manage the payload domains, and he was using a “budget cybercrime as a service.”
Tweet 14 of 21 in Cole's thread reads: "The kicker was they used https://t.co/3gJrz4EVIl for delivery (load.*.php?call=stream endpoints) and https://t.co/NqE3HGJVms (@streamyardapp) as the lure and both are now burned (thanks @_SEAL_Org)."
According to VirusTotal's records for the two links, the delivery infrastructure was lefenari.com, which served the payloads from scripted endpoints, while streamyard.org was the lure domain. Both domains have since been taken down, with assistance from the Security Alliance (SEAL).