Best crypto insights delivered straight to your inbox.
- Ethereum core developer Zak Cole foiled a phishing attempt disguised as a podcast invite, exposing a fake StreamYard malware installer.
- The attacker pushed Cole to install a trojanized app that could steal crypto wallets, passwords, and personal data from macOS systems.
- Cole confronted the scammer on a live call, uncovering a rented phishing kit operation and publishing technical details to warn others.
Ethereum core developer Zak Cole was recently targeted in a phishing scheme, where the attacker disguised a link as an invitation to appear on a podcast. According to Zak, the attempt relied on fake domains and a malicious installer to steal crypto credentials and data from his computer.
Cole wrote a 21-post X thread late Monday, starting with how the scam began with a direct message on X inviting him to “Join our podcast!”
2/21
— zak.eth (@0xzak) September 15, 2025
It all started with a Twitter DM to "Join our podcast!"
The attacker (@0xMauriceWang) posed as someone from @theempirepod. Looked legit after a brief skim so I agreed. Then came an email from [email protected] with a @StreamYard link. Text said… pic.twitter.com/fEvazOVFs5
The sender, using the handle @0xMauriceWang on the social platform, posed as a representative of Blockwork’s Empire podcast and followed up with an email from what Zak said looked like “a legitimate podcast domain.”
Phisher tried to ‘help’ Zak install malicious app
According to the Ether core dev, the email included a link displayed as streamyard.com but was actually hyperlinked to streamyard.org. When Cole clicked, the page returned an “error joining” message and instructed him to download a desktop application to continue.
In the screenshots Cole shared on his X thread, he declined making the installation at first because of his company’s security policies, but the attacker begged him to add it “just this once,” even sending a video tutorial to demonstrate how to install the supposed app.
“Mate, it’s StreamYard, they have over 3 mil users. I have a corp laptop too, but it’s all good. The browser version barely works, maybe 1 out of 20 attempts actually connects. I’m pretty sure they keep it around as marketing, but in practice everyone ends up using the desktop app. Way more stable…” the message read.
That was when Cole saw “red flags everywhere,” and downloaded the package onto a controlled lab machine instead of his work computer.
Inside the DMG file, he found a hidden Mach-O binary named “.Streamyard,” a Bash loader, and a fake Terminal icon meant to trick users into dragging it to gain system-level access.
He described the loader as a “Russian nesting doll of bullshit,” explaining how it concatenated base64 fragments, decrypted them with a key, re-encoded the result, and executed it. Each step was intended to evade antivirus detection.
“Decoded offline, Stage2 was AppleScript that would find the mounted volume, copy .Streamyard to /tmp/.Streamyard, strip quarantine with xattr -c, chmod +x, then execute. Silent, surgical, and deadly,” the dev explained, jotting down the line of code.
Cole added that if a victim disabled macOS Gatekeeper or fell for the phishing Terminal drag trick, the malware would have silently exfiltrated everything, including passwords, crypto wallets, emails, messages, and photos.
Conversation with the attacker reveals hired malware services
Instead of shutting the operation down, Cole joined a live call with the scammer after asking them to help, who appeared nervous and read from a script while trying to guide him through the fake installation.
During the video call session, the Ether programmer began screen-sharing, scrolling through a folder of explicit Kim Jong Un videos to throw the attacker off balance.
As he pressed for answers on why it wasn’t working, the scammer admitted he was not part of a state-backed operation, but was in an active community of hackers that had rented a phishing kit for about $3,000 a month.
Cole noted the attacker used colloquialisms such as “mate” to trick victims into thinking he was based in the United Kingdom or close to the United States. The attacker also revealed that he did not control the infrastructure directly and could not manage the payload domains, and he was using a “budget cybercrime as a service.”
14/21
— zak.eth (@0xzak) September 15, 2025
The kicker was they used https://t.co/3gJrz4EVIl for delivery (load.*.php?call=stream endpoints) and https://t.co/NqE3HGJVms (@streamyardapp) as the lure and both are now burned (thanks @_SEAL_Org). pic.twitter.com/B0zbCmxzpj
According to crowdsourced security intelligence firm VirusTotal’s findings, the delivery infrastructure they used was lefenari.com, which hosted payloads through scripted endpoints, and streamyard.org, as a lure. Both domains are now disabled, with assistance from cybersecurity firm Security Alliance.
If you're reading this, you’re already ahead. Stay there with our newsletter.
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
Florence Muchai
Florence has been covering for the past 6 years crypto, gaming, tech, and AI news. Her Computer Studies at Meru University of Science and Technology and Disaster Management and International Diplomacy at MMUST amply equip her with language, observation and technical skills. Florence has worked at VAP Group and as an editor for several crypto media houses.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)