August 18, 2025
Malware in Disguise: The Meeten Campaign Against Crypto Teams

AI is now part of almost every new idea in crypto - from gaming projects to early developer platforms. Many of these products appear first as beta versions, shared through Discord or Telegram, where early adopters are invited to try them before launch. But not every beta is safe to install.
The past few months have made it clear that some of these so-called tools are designed not to build, but to breach.
One example is a campaign known as Meeten - a coordinated effort using fake AI startups to spread spyware across the crypto space. These apps look like real products, complete with websites, logos, and direct outreach to users. But once installed, they quietly steal wallets, passwords, and browser data — without showing any obvious signs of attack.
What Makes the Meeten Campaign So Convincing
First spotted in late 2024 and still ongoing in August 2025, Meeten isn’t a single malware strain. It’s a campaign structure. The actors behind it create fake companies with names like Swox, Pollens AI, or Eternal Decay, presenting them as AI startups, NFT gaming platforms, or token-powered developer tools. Their playbook includes:
A clean website with product screenshots
A Notion page or GitHub repo showing “setup instructions”
A fake team with LinkedIn profiles
Social activity on X (Twitter) and Telegram
Verified DMs offering early access
Once a target shows interest, they receive a personal invite code and a link to download the “beta app.” That download is the breach point.
On Windows, the malware arrives wrapped in a legitimate-looking Electron app, signed with stolen certificates. It silently grabs:
Wallet files (MetaMask, Phantom, Exodus)
Session cookies, saved passwords, browser autofill
Discord or Telegram tokens
On macOS, it’s typically a DMG package dropping Atomic Stealer—designed to harvest credentials, iCloud Keychain data, and Chrome-based login vaults.
The attack finishes before it’s even noticed. Wallets are drained. Tokens are moved. Access is lost.
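One way to surface the collection pattern described above from endpoint telemetry, as an added example rather than code from the article or from any vendor: a process that is not the owning application and opens several different kinds of credential store gets flagged. The event fields, path fragments, process names and sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Lower-case path fragments for the data the article says the Windows payload
# takes. Assumed default locations; tune them to the apps your team runs.
SENSITIVE = {
    "wallet": [r"\local extension settings", r"\exodus\exodus.wallet"],
    "browser": [r"\login data", r"\network\cookies", r"\web data"],
    "messenger": [r"\discord\local storage\leveldb", r"\telegram desktop\tdata"],
}
# Programs expected to open their own stores. Basename matching keeps the
# example short; in production compare the full install path as well.
OWNERS = {"chrome.exe", "msedge.exe", "brave.exe",
          "discord.exe", "telegram.exe", "exodus.exe"}

def categorize(path):
    """Map a file path to 'wallet', 'browser', 'messenger' or None."""
    p = path.lower()
    for category, fragments in SENSITIVE.items():
        if any(f in p for f in fragments):
            return category
    return None

def find_stealer_like(events, min_categories=2):
    """Return {image: sorted categories} for non-owner processes that opened
    at least min_categories different kinds of credential store."""
    seen = defaultdict(set)
    for ev in events:
        if ntpath.basename(ev["image"]).lower() in OWNERS:
            continue
        category = categorize(ev["target"])
        if category:
            seen[ev["image"]].add(category)
    return {img: sorted(c) for img, c in seen.items() if len(c) >= min_categories}

# Constructed file-open events (hypothetical field names and paths).
BETA = r"C:\Users\dev\AppData\Local\Programs\beta-app\beta-app.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"image": CHROME, "target": PROFILE + r"\Network\Cookies"},
    {"image": BETA, "target": PROFILE + r"\Login Data"},
    {"image": BETA, "target": PROFILE + r"\Local Extension Settings\EXT_ID\000003.log"},
    {"image": BETA, "target": r"C:\Users\dev\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"},
    {"image": r"C:\Tools\profile-backup.exe", "target": PROFILE + r"\Login Data"},
]

if __name__ == "__main__":
    print(find_stealer_like(SAMPLE_EVENTS))
```

Because the article reports that the Electron apps are signed with stolen certificates, a valid code signature should not exempt a process from this check.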
Confirmed Victims & Damage
In late 2024, Web3 developers and crypto professionals were approached on Telegram and Discord by accounts posing as AI or Web3 startup teams. The attackers offered access to a “beta app” and sent clean-looking setup links. Victims who downloaded and ran the app unknowingly installed malware that drained wallets and stole credentials. In some cases, the attackers used stolen documents from the victims’ own organizations to build trust - including pitch decks and internal materials.
According to cybersecurity firm Darktrace, victims continued to suffer losses as recently as July 2025 after installing fake AI or crypto-related software. These apps were distributed under names like Swox, Eternal Decay, and Pollens AI. Victims downloaded what they believed were early-access tools. On Windows, the malware was hidden in Electron apps; on macOS, in DMG installers. Once installed, the malware silently stole wallet files, cookies, and session tokens, allowing attackers to empty crypto wallets without detection.
What This Means for Teams and Crypto Professionals
Meeten reveals a larger shift in attack strategy: malware no longer arrives through spam or weak phishing. It arrives through professional branding, social engagement, and a custom-built pitch. If one member of your team installs a fake app:
Private keys, session tokens, and wallets may be harvested
Password managers can be accessed via browser-based cookies
Workspaces - Notion, GitHub, Discord, Google Drive - can be compromised
And none of this looks like an attack. That’s what makes the Meeten campaign far more dangerous.
How to Stay EXTRA SAFE from Fake Startups and Trojan Apps
Never install early access apps sent via DM. Even if the sender seems legit, verify the project through multiple trusted sources.
Don’t trust just a clean website. Many of these campaigns use AI-generated branding and fake employees to create visual credibility.
Avoid entering invite codes or tokens into download pages. This tactic is used to personalize malware payloads per victim.
Use dedicated test environments. Treat unknown software like code from the internet—never run it on a wallet-connected machine.
Audit team behavior around early access tools. Ensure engineers, PMs, and community leads follow internal rules when testing external products.
Stay alert on platforms like Discord, Telegram, and X. These are now entry points - not just communication channels.
For sensitive syncs and early-stage discussions, use tools that leave no trace. With tools like extrasafe.chat, conversations occur directly between devices, without involving third-party servers. Encryption keys are generated on your device and never leave it, ensuring total control over your meeting.
About #EXTRASAFEcheck
New security risks pop up every day, spreading faster than ever. From AI flaws to data leaks, even the most popular apps can pose hidden threats, affecting both teams and individual users. That’s why our monthly review brings you the most important updates to keep you informed and protected. Follow #EXTRASAFEcheck to spot risks early and make safer online choices.