Saved February 14, 2026
Do you care about this?
This article details an organized cybercriminal operation that primarily targets cryptocurrency users and Web3 employees through sophisticated malware and social engineering tactics. The gang, linked to multiple traffer groups, has stolen at least $2.4 million, using fake applications and extensive infrastructure to deliver its attacks.
If you do, here's more
A sophisticated cybercriminal operation, linked to multiple "traffer" groups, is targeting cryptocurrency users and Web3 employees. This operation employs fake Electron applications disguised as legitimate tools, leveraging advanced social engineering tactics within a network of over 80 domains. The group has reportedly stolen at least $2.4 million in cryptocurrency. Analysts have observed clear signs of Russian-speaking actors based on the malware's code comments and operational patterns.
The malware primarily operates through a malicious Electron-based application called "Opulous," which prompts users to register or log in. It collects extensive system information, including IP addresses, CPU details, and antivirus software, then exfiltrates this data to a command-and-control server. The process is designed to avoid detection by verifying whether the host is a virtual machine or a server. The malware can also download and execute additional malicious files, indicating a two-stage attack strategy.
From mid-2024 to mid-2025, various campaigns emerged, targeting Web3 developers through fake websites and social media. Notable examples include the 'Marko Polo' team, which managed over 30 scams, and the 'Meeten campaign,' which lured Web3 employees with bogus meeting software. The evolution of these attacks showcases a growing sophistication in their tactics, including the use of verification badges and invitation codes to bypass security measures. The ongoing threat highlights the need for vigilance in the cryptocurrency space.