Whoosh—and your crypto is gone. A new hacker scheme is cleaning out traders via podcasts.

One interview invitation—and millions vanish without a trace.

A phishing campaign targeting crypto industry representatives has drawn attention after researcher Jose A. Gomez Ledesma from the Quetzal team reported a series of attacks disguised as invitations to be interviewed on the popular Empire Podcast. The scammers create the impression of genuine contact with the show's hosts, reach out to potential victims via social media, and propose discussing their participation in an episode. They claim to use platforms like Streamyard or Huddle for the interview but instead redirect targets to fake websites that mimic the interfaces of these services.
When attempting to connect to such a resource, the user is shown an error message—claiming that the browser is unsupported or the connection failed—and is prompted to download a special client application. In reality, the victim downloads a DMG file presented as Streamyard or Huddle, which is actually a cover for the AMOS Stealer malware, specifically designed to attack devices running macOS.
After installation, the DMG file initiates a chain of commands that decodes its content in several layers. The disk image contains an obfuscated Bash script encoded in Base64; the decoded data is XOR-decrypted via Perl and then decoded from Base64 a second time. The result is an AppleScript, which is created and launched to locate a hidden executable file within the mounted volume. The volume names, .Huddle or .Streamyard, begin with a dot, which marks them as hidden in a Unix environment. It is within these volumes that the malicious AMOS Stealer component is located.
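An added example, not code from the Quetzal report or from this article: a static triage helper that peels the Base64, XOR, Base64 layering described above and lists any dot-prefixed volume names the decoded script refers to, without executing anything. The repeating-key XOR, the key `k3y` and the one-line sample script are assumptions constructed for illustration.

```python
import base64
import re

# Matches a dot-prefixed (hidden) volume under /Volumes, e.g. /Volumes/.Huddle
HIDDEN_VOLUME = re.compile(r"/Volumes/(\.[A-Za-z0-9_-]+)")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def peel_layers(outer_b64: str, key: bytes) -> str:
    """Undo Base64 -> XOR -> Base64 and return the inner text. Never runs it."""
    stage1 = base64.b64decode(outer_b64, validate=True)
    stage2 = xor_bytes(stage1, key)
    try:
        inner = base64.b64decode(stage2, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("XOR output is not Base64: wrong key or layer order") from exc
    return inner.decode("utf-8", errors="replace")


def hidden_volumes(script_text: str) -> list[str]:
    """Names of dot-prefixed volumes that the decoded script refers to."""
    return sorted(set(HIDDEN_VOLUME.findall(script_text)))


# Constructed sample: a harmless one-line stand-in for the inner AppleScript,
# wrapped in the same three layers with an assumed key.
SAMPLE_KEY = b"k3y"
SAMPLE_INNER = 'set appDir to "/Volumes/.Huddle/"'
SAMPLE_BLOB = base64.b64encode(
    xor_bytes(base64.b64encode(SAMPLE_INNER.encode()), SAMPLE_KEY)
).decode()

if __name__ == "__main__":
    text = peel_layers(SAMPLE_BLOB, SAMPLE_KEY)
    print(text)
    print(hidden_volumes(text))
```

The strict `validate=True` decode makes a wrong key or a misjudged layer order fail loudly instead of yielding plausible-looking garbage.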
This stealer is actively used by attackers to steal various types of sensitive information, from browser passwords and sessions to banking app data and crypto wallets. After infection, such artifacts are often sold on darknet forums, sometimes for less than the price of a lunch. AMOS has been previously observed in similar attacks, including campaigns using fake software like DeepSeek, and is known for masquerading as trusted programs across different applications.
This new wave of attacks using fake podcast invitations continues a series of sophisticated schemes targeting the crypto community. Just a few weeks ago, in a similar operation, threat actors posed as CoinMarketCap journalists to reach top industry executives. Modern approaches are becoming increasingly targeted: the fake pages meticulously copy the interfaces of popular platforms, and the social media interactions are designed to build trust. The victim receives a personalized message, an interview offer, and an "official" link—everything looks realistic right up until the moment the malicious file is downloaded.
To date, the hashes of several disk images distributing AMOS have been identified and published, including files named Huddle.Iwv and Streamyard.ZTz, along with trap domains like streamyard.ai and huddle01.com. The Quetzal report also includes technical indicators of compromise, including SHA256 sums of all known malicious files used in this infection chain.
The impersonation of the Empire Podcast and the replication of Streamyard and Huddle interfaces make the attack particularly convincing—victims encounter forgeries at every stage: from social media communication to the actual installation of the program. Although the malware is distributed only for macOS, this platform remains the most popular among Web3 developers and traders, making the campaign especially effective.