Hey guys, wanted to share this wild story that happened to me recently. Spoiler alert: I almost got completely fucked over by some really clever scammers.
So I launched https://burntrash.fun a few weeks ago – it’s a free tool to clean dust tokens from your Solana wallet. Pretty niche but useful for the community. I’ve been talking to potential partners to grow the project, you know how it is when you’re building something new.
Recently I joined a Twitter space hosted by some Solflare ambassadors. Good vibes, lots of builders, seemed like a legit networking opportunity.
After the space, I followed a few speakers who seemed cool. One of them was u/DiamondMarkiii who was presented as official Solflare staff at the time. A few days later, he slides into my DMs:
“Hey, I’m with u/solflare. We support creators & projects on Solana. Let’s talk.”
Honestly? Sounds legit. We’re both building in the ecosystem, this is exactly the kind of partnership outreach you’d expect. So I replied.
He then adds me to a group chat with what he claimed was the “Solflare CMO” and other team members. The whole thing felt very official and professional.
We set up a meeting. They’re telling me burntrash.fun is “a nice product” and they want to introduce me to their CTO to explore a potential integration.
But here’s the clever part – they say the CTO is Chinese and doesn’t speak English well. “We use u/harmony_meeting,” they tell me, “it auto-translates in real time.”
I’m thinking, okay, that’s actually pretty smart. Makes sense for a global team to have tools like this.
This “Harmony Meeting” app requires me to download a .dmg file (macOS installer). No web version available. Has to be installed locally.
When I run it, it asks me to paste a command into my terminal.
At this point I’m like… wtf? Why would a meeting app need terminal access?
Instead of just running it like they probably hoped, I decided to actually examine what this thing was doing. Set up a Windows VM and started poking around the code.
What I found was absolutely terrifying:
- They’re mounting a volume that automatically runs a base64 encrypted shell command
- This bypasses macOS’s security quarantine system – the thing that’s supposed to protect you from malicious downloads
- Then it executes a binary file containing malware
- No UI. No prompts. Just runs silently in the background.
You would literally never know it happened. Could be a reverse shell giving them complete access to your machine, could be scraping your passwords, seed phrases, browser data, crypto wallets – whatever they want.
Solflare is NOT involved in this at all. These were complete impostors using fake profiles and really well-crafted personas. They specifically target new builders who are looking for partnerships or support – basically when you’re most vulnerable and eager for opportunities.
The level of social engineering here is insane. They:
- Infiltrated legitimate crypto spaces
- Built believable personas with consistent branding
- Created a realistic business scenario (CTO who doesn’t speak English)
- Had a plausible technical solution (translation app)
- Made it feel urgent and exclusive
This whole experience reminded me why I always test stuff in VMs first. If I had just run their “meeting app” on my main machine like they suggested, I’d probably be completely compromised right now and wouldn’t even know it.
The crypto space really needs better security culture. These scammers are getting scary good at social engineering, and they’re specifically targeting builders who are excited about growth opportunities.
submitted by /u/joaops95
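Added example, not part of the original post: a small Python triage helper that does what the author did by hand, decoding any base64 blob hidden in a "paste this into your terminal" command and flagging the behaviours the post lists (quarantine removal, piping to a shell, marking a file executable). The sample command, the path `/tmp/hm` and the indicator list are constructed for this demo.

```python
import base64
import binascii
import re

# Indicators a defender would flag in a decoded stager. Removing
# com.apple.quarantine is the Gatekeeper bypass the post describes.
INDICATORS = {
    "removes_quarantine": re.compile(
        r"xattr\s+(-[a-z]*d[a-z]*\s+)?com\.apple\.quarantine|xattr\s+-c"),
    "pipes_to_shell": re.compile(r"\|\s*(ba|z)?sh\b"),
    "fetches_remote": re.compile(r"\b(curl|wget)\b"),
    "marks_executable": re.compile(r"chmod\s+\+?x|chmod\s+[0-7]*7"),
    "base64_decode_stage": re.compile(r"base64\s+(-d|--decode|-D)"),
}

# Anything that looks like a base64 blob of 16+ characters, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_tokens(cmd: str) -> list[str]:
    """Return the decoded text of every base64-looking token in cmd.
    Tokens that are not valid base64 or not valid UTF-8 are skipped."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            raw = base64.b64decode(tok, validate=True)
            out.append(raw.decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return out


def triage_command(cmd: str) -> dict:
    """Check the visible command and every decoded base64 layer for indicators."""
    layers = [cmd] + decode_base64_tokens(cmd)
    hits = {name for layer in layers
            for name, rx in INDICATORS.items() if rx.search(layer)}
    return {"decoded": layers[1:], "indicators": sorted(hits),
            "suspicious": bool(hits)}


# Constructed sample modelled on the post: the one-liner a victim is told to
# paste hides its real work (strip quarantine, make a dropped file executable,
# run it) inside a base64 blob.
STAGE2 = "xattr -d com.apple.quarantine /tmp/hm && chmod +x /tmp/hm && /tmp/hm"
SAMPLE = "echo " + base64.b64encode(STAGE2.encode()).decode() + " | base64 -d | sh"
BENIGN = "brew install ffmpeg"  # constructed control case

if __name__ == "__main__":
    print(triage_command(SAMPLE))
    print(triage_command(BENIGN))
```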