President Trump's cryptocurrency forays attract threat actors eager to scam users

In late January, he released his own meme coin and more recently established a strategic reserve of digital assets for the United States populated

President Trump's economic and trade maneuvers, which has included on-again off-again tariffs, has helped send the price of Bitcoin tumbling.

His efforts also has attracted the attention threat groups eager to make money by scamming people and using Trump's coin as the lure. That includes an email campaign in which bad actors spoof the Binance crypto exchange market to deliver a remote access trojan (RAT) and steal information from infected computers.

Installing the RAT

In the scam, the unknown bad actor creates emails made to look like they're coming from Binance and offering victims the chance to acquired Trump's coin. The message in the email says the targets can earn TRUMP coins by taking such steps as installing Binance software like its desktop tool, depositing coins in a Binance account, and make trades on the exchange.

"If victims follow the instructions and download 'Binance Desktop' in order to get TRUMP coins they instead install ConnectWise RAT," Cofense threat researcher Max Gannon wrote in a report. "The threat actors behind this campaign are eagerly monitoring infections and can connect to infected computers in less than 2 minutes."

High-Profile Events Attract Cybercriminals

It's not surprising that the president's crypto efforts have caught the eyes of cybercriminals, said Jason Soroko, senior fellow at cybersecurity firm Sectigo.

"Topical events serve as fertile ground for social engineering, offering attackers a ready-made script that exploits real-time urgency and widespread public attention," Soroko said. "By aligning phishing messages and malicious campaigns with trending news or current events, cybercriminals enhance credibility and evoke strong emotional reactions, prompting hasty actions from potential victims."

Binance Impersonation

In this case, the bad actors made a significant effort to impersonate Binance, Gannon wrote. That included using "Binance" as the email sender's name and including a risk warning in the email to engender more trust in its validity.

"The threat actors also took great pains to make the website hosting the ConnectWise RAT download appear legitimate," he wrote. "Although they did not directly copy the Binance TRUMP coin page or the Binance client download page, the threat actors combined images from both into a convincing page which included further install steps."

The download link for the Binance desktop client instead downloads an installer for the ConnectWise RAT, which connects to a command-and-control server that the threat actor actively monitors, which is unusual given that with most ConnectWise RAT installations, the hacker waits a while before deciding whether to interact with the infected system.

Once connected, the bad actor looks for saved passwords for such applications as Microsoft Edge, which Gannon wrote makes up for "ConnectWise RAT's relative lack of information theft capabilities."

A Cautionary Tale

The scam is a warning about how quickly a threat actor can compromise systems, said Stephen Kowski, field CTO for SlashNext Email Secuty+.

"The sophisticated spoofing techniques, including legitimate-looking emails with risk warnings and convincingly crafted websites combining authentic imagery, highlight why real-time email security scanning with advanced AI detection capabilities is essential for identifying these threats before users interact with them," Kowski said.

Organizations can protect themselves against such scams by using multi-layered protection that analyzes email content and linked destinations to block credential theft attempts, he added. They also should educate users about the dangers of downloading financial applications from unofficial sources.

"Protecting against these rapidly evolving phishing tactics requires solutions that can detect and block malicious URLs and attachments at the point of click, preventing the initial infection that leads to credential theft and system compromise," Kowski said.