Marko Polo cybercrime gang targets cryptocurrency users, influencers with scams

A prolific cybercrime group known as Marko Polo has compromised “tens of thousands of devices” worldwide through cryptocurrency and gaming-related scams, researchers said Tuesday.

The group primarily targets online gaming personalities, cryptocurrency influencers and technology professionals — “high-value targets” who are at risk of suffering significant financial losses if they fall for the scams, according to Recorded Future’s Insikt Group. The Record is an editorially independent unit of Recorded Future.

Hackers from the group approach potential victims on social media, often posing as human resources or talent acquisition representatives. They lure targets with fake job opportunities and direct them to malicious websites, where they are tricked into downloading malicious software, the researchers said. 

Marko Polo is described as a financially motivated “traffic team” — a group of organized individuals who redirect victims’ online traffic to malicious content operated by other threat actors. The group primarily consists of Russian, Ukrainian and English speakers, with administrators and operators likely based in post-Soviet states.

Insikt Group said it uncovered over 30 distinct social media scams attributed to Marko Polo, along with more than 20 compromised Zoom meeting software builds. These builds are distributed via spearphishing on social media, masquerading as Zoom meeting clients to spread the Atomic macOS Stealer (AMOS). The malicious Zoom installers have names similar to legitimate ones (ZoomInstall.dmg, ZoomSetup.dmg), but they actually originate from domains linked to the Marko Polo group.

The group’s other operations include the cracking of commercial software and the poisoning of files shared through the BitTorrent protocol, Insikt Group said.

As part of the scams, the hackers impersonate blockchain-based projects, online games, productivity software and virtual meeting tools. In addition to Atomic macOS Stealer, they deliver a range of malware strains, including HijackLoader, Stealc and Rhadamanthys.

One scam, dubbed PartyWorld, impersonates legitimate games like Fortnite and Party Icon and is promoted via social media. Users visiting the PartyWorld website are prompted to download the client for either Windows or macOS, which installs one of the infostealing malware variants.

Another scam, dubbed Nortex, masquerades as a messaging service, productivity software, and social network, impersonating the legitimate Web3 project SendingMe, a messaging app. However, Nortex does none of these things; instead, it infects victims with HijackLoader and Stealc malware once installed.

Marko Polo’s campaigns have likely exposed the sensitive personal and corporate data of their victims, generating millions of dollars in illicit revenue, Insikt Group said. The researchers identified scam reports suggesting that Marko Polo operators have stolen victims’ life savings.

The report noted that the group is quick to respond to detection efforts, frequently rebranding and renaming its scams, updating hosting infrastructure, and shifting tactics to evade scrutiny.

“This adaptability not only makes Marko Polo a persistent threat but also signals that it will likely continue evolving its methods to stay ahead of cybersecurity defenses,” the researchers said.