Hackers Exploit TRUMP Coins in Binance Spoof


Threat actors are capitalizing on the growing popularity of cryptocurrency and its association with the current U.S. president in a rapidly executed phishing campaign. By impersonating the crypto exchange Binance, attackers lure users with a deceptive offer involving TRUMP coins, a Solana-based meme coin, and compromise victims’ devices in under two minutes, according to researchers at Cofense.

The attackers convincingly mimic Binance branding in a fresh wave of phishing emails, promising recipients up to 2,000 TRUMP coins in exchange for completing certain tasks. However, instead of legitimate rewards, victims unknowingly install the ConnectWise RAT—a remote access trojan (RAT) that gives attackers full control of their computers almost instantly.

How the TRUMP Coin Crypto Phishing Scam Works

Cofense researchers uncovered how hackers structured the attack:

  • Spoofed Binance Emails – Attackers use Binance branding in the sender name and include a fake “risk warning” to build credibility.
  • Fake TRUMP Coin Rewards – Emails claim users can earn up to 2,000 TRUMP coins by completing specific actions:
    • Installing the Binance desktop app (50 coins)
    • Registering and verifying a Binance account (100 coins)
    • Depositing $50 in cryptocurrency (150 coins)
  • Malicious Download Link – Clicking the “Download Now” button redirects users to a fraudulent Binance app installer that secretly downloads ConnectWise RAT.
  • Rapid Exploitation – Hackers monitor infections in real time and take over devices in less than two minutes.

Unlike traditional ConnectWise RAT campaigns, where attackers manually decide when to act, this campaign automates immediate remote access, making it particularly dangerous, noted Cofense Intelligence Team member Max Gannon.

The TRUMP coin, introduced just days before President Trump’s second inauguration, is part of the Solana blockchain and follows in the footsteps of other meme coins like Dogecoin, which Tesla CEO Elon Musk famously endorsed.

The phishing campaign capitalizes on political hype and public enthusiasm for crypto investments, exploiting both current events and the fear of missing out (FOMO) to trick victims into acting quickly.

Once installed, ConnectWise RAT grants hackers complete access to victims’ computers. Attackers immediately search for saved passwords in browsers like Microsoft Edge, compensating for the RAT’s limited built-in information-stealing capabilities.

The malware also connects to command-and-control (C2) servers, allowing cybercriminals to deploy additional payloads, steal sensitive data, or use compromised devices for further attacks.

How to Stay Safe from Crypto Phishing Scams

Cybersecurity experts warn users to remain vigilant against too-good-to-be-true crypto offers. To protect yourself and your organization:

  • Avoid Unsolicited Emails – Never trust emails promising free cryptocurrency or investment opportunities.
  • Verify Links Before Clicking – Hover over links to check for suspicious URLs before clicking.
  • Enable Multi-Factor Authentication (MFA) – Protect exchange accounts with MFA to prevent unauthorized access.
  • Use Strong, Unique Passwords – Avoid storing passwords in web browsers, as malware often targets them.
  • Install Security Software – Deploy endpoint detection and response (EDR) solutions to detect and block remote access trojans.
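
The sender-name spoofing and link checks described above can be automated at a mail gateway. The following is an added example, not code from Cofense or the original article: it flags messages whose display name claims Binance while the sender domain or embedded link hosts fall outside an assumed allowlist. `BRAND_DOMAINS`, the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the impersonated brand really sends mail and links from.
BRAND_DOMAINS = {"binance": {"binance.com"}}
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def html_bodies(msg):
    """Yield decoded text/html parts of a (possibly multipart) message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            data = part.get_payload(decode=True) or b""
            yield data.decode(part.get_content_charset() or "utf-8", "replace")

def check_message(raw):
    """Return findings for a message whose sender name claims a known brand."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in name.lower():
            continue
        if not in_domains(sender_host, domains):
            findings.append(("sender", sender_host))
        for html in html_bodies(msg):
            for url in HREF_RE.findall(html):
                host = urlparse(url).hostname
                if host and not in_domains(host, domains):
                    findings.append(("link", host))
    return findings

# Constructed sample, not from the campaign: unrelated sender, lookalike link host.
SAMPLE = (
    'From: "Binance" <rewards@mail.example.net>\n'
    "Content-Type: text/html; charset=utf-8\n\n"
    '<a href="https://binance.com.example.org/setup">Download Now</a> '
    '<a href="https://www.binance.com/en/terms">Terms</a>\n'
)

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

The suffix match in `in_domains` is what rejects hosts that merely start with the brand's domain, such as the constructed `binance.com.example.org`.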

Cofense provided several IoCs, including malicious URLs embedded in phishing emails and domains linked to ConnectWise RAT deployment. Organizations should review security logs for any connections to these URLs to identify potential compromises.

As AI-driven attacks and social engineering tactics become more sophisticated, threat actors continue to refine their crypto scams. Cybercriminals exploit trending news and emerging technologies to increase credibility and urgency, forcing victims into hasty decisions.

Security professionals emphasize the importance of education and awareness in preventing phishing attacks. Understanding the tactics used in campaigns like this is crucial to staying one step ahead of cybercriminals.
