Ethereum core developer Zak Cole was recently targeted in a phishing scheme, where the attacker disguised a link as an invitation to appear on a podcast. According to Zak, the attempt relied on fake domains and a malicious installer to steal crypto credentials and data from his computer.
Cole wrote a 21-post X thread late Monday, starting with how the scam began with a direct message on X inviting him to “Join our podcast!”
2/21
— zak.eth (@0xzak) September 15, 2025
It all started with a Twitter DM to "Join our podcast!"
The attacker (@0xMauriceWang) posed as someone from @theempirepod. Looked legit after a brief skim so I agreed. Then came an email from [email protected] with a @StreamYard link. Text said… pic.twitter.com/fEvazOVFs5
The sender, using the handle @0xMauriceWang on the social platform, posed as a representative of Blockwork’s Empire podcast and followed up with an email from what Zak said looked like “a legitimate podcast domain.”
Phisher tried to ‘help’ Zak install malicious app
According to the Ether core dev, the email included a link displayed as streamyard.com but was actually hyperlinked to streamyard.org. When Cole clicked, the page returned an “error joining” message and instructed him to download a desktop application to continue.
In the screenshots Cole shared on his X thread, he declined making the installation at first because of his company’s security policies, but the attacker begged him to add it “just this once,” even sending a video tutorial to demonstrate how to install the supposed app.
“Mate, it’s StreamYard, they have over 3 mil users. I have a corp laptop too, but it’s all good. The browser version barely works, maybe 1 out of 20 attempts actually connects. I’m pretty sure they keep it around as marketing, but in practice everyone ends up using the desktop app. Way more stable…” the message read.
That was when Cole saw “red flags everywhere,” and downloaded the package onto a controlled lab machine instead of his work computer.
Inside the DMG file, he found a hidden Mach-O binary named “.Streamyard,” a Bash loader, and a fake Terminal icon meant to trick users into dragging it to gain system-level access.
He described the loader as a “Russian nesting doll of bullshit,” explaining how it concatenated base64 fragments, decrypted them with a key, re-encoded the result, and executed it. Each step was intended to evade antivirus detection.
“Decoded offline, Stage2 was AppleScript that would find the mounted volume, copy .Streamyard to /tmp/.Streamyard, strip quarantine with xattr -c, chmod +x, then execute. Silent, surgical, and deadly,” the dev explained, jotting down the line of code.
Cole added that if a victim disabled macOS Gatekeeper or fell for the phishing Terminal drag trick, the malware would have silently exfiltrated everything, including passwords, crypto wallets, emails, messages, and photos.
Conversation with the attacker reveals hired malware services
Instead of shutting the operation down, Cole joined a live call with the scammer after asking them to help, who appeared nervous and read from a script while trying to guide him through the fake installation.
During the video call session, the Ether programmer began screen-sharing, scrolling through a folder of explicit Kim Jong Un videos to throw the attacker off balance.
As he pressed for answers on why it wasn’t working, the scammer admitted he was not part of a state-backed operation, but was in an active community of hackers that had rented a phishing kit for about $3,000 a month.
Cole noted the attacker used colloquialisms such as “mate” to trick victims into thinking he was based in the United Kingdom or close to the United States. The attacker also revealed that he did not control the infrastructure directly and could not manage the payload domains, and he was using a “budget cybercrime as a service.”
14/21
— zak.eth (@0xzak) September 15, 2025
The kicker was they used https://t.co/3gJrz4EVIl for delivery (load.*.php?call=stream endpoints) and https://t.co/NqE3HGJVms (@streamyardapp) as the lure and both are now burned (thanks @_SEAL_Org). pic.twitter.com/B0zbCmxzpj
According to crowdsourced security intelligence firm VirusTotal’s findings, the delivery infrastructure they used was lefenari.com, which hosted payloads through scripted endpoints, and streamyard.org, as a lure. Both domains are now disabled, with assistance from cybersecurity firm Security Alliance.
Get up to $30,050 in trading rewards when you join Bybit today
