Crypto Users Targeted by Scam via Popular Notes App
Cybercriminals are not lacking in imagination. This time, they turned a simple note-taking application into a silent weapon to empty the crypto wallets of their targets. And the worst part? The victim sees nothing coming.

In Brief
- Scammers use the Obsidian app to deploy malware via booby-trapped community plugins.
- Victims are recruited on LinkedIn and Telegram, under cover of a fake venture capital company.
- An unprecedented Trojan horse, named PHANTOMPULSE, takes full control of the infected device.
A Note-Taking App Hijacked to Trap Crypto Investors
Elastic Security Labs sounded the alarm this Tuesday in a detailed report. Malicious actors are actively targeting professionals in crypto and finance through a sophisticated social engineering campaign. They mainly operate on LinkedIn and Telegram, and abuse community plugins for Obsidian, a note-taking app highly valued in tech and financial circles.
The scenario is polished. The attacker contacts the target on LinkedIn, presenting themselves as a representative of a fictitious venture capital company. The conversation then moves to Telegram, where they discuss credible topics: crypto liquidity, financial services, treasury solutions. The goal is simple: to build trust before acting.
Then comes the trap: the victim receives credentials to access a “shared dashboard” hosted in an Obsidian cloud vault, presented as the internal database of the fake company. Once the vault is opened, Obsidian invites the user to enable sync for community plugins. At that precise moment, the infected plugins run silently.
The result? A Trojan horse called PHANTOMPULSE, compatible with Windows and macOS, installs discreetly. It gives attackers full remote access to the device. Designed for stealth and resilience, it evades classic antivirus software by disguising itself as legitimate software.
Malware That Uses Blockchain to Disappear into the Crowd
What distinguishes PHANTOMPULSE from its predecessors is its command infrastructure. Rather than relying on centralized servers, easily identifiable and blockable, it communicates via three independent blockchains. Instructions pass through on-chain transactions linked to a specific wallet.
Result: even if one blockchain explorer is inaccessible, the other two networks take over. And since blockchain transactions are public and immutable, the malware always finds its command server, never depending on a centralized infrastructure. A near-indestructible design.
This attack is not happening in a vacuum: it is part of a larger wave of sophisticated frauds targeting the crypto ecosystem. In early April, a fake Ledger Live app that infiltrated Apple’s App Store allowed nearly $9.5 million to be diverted in less than a week, affecting more than fifty victims across Bitcoin, Ethereum, Solana, and other major networks.
Elastic issues a clear warning to companies: everyday productivity tools can become attack vectors. The recommendation is unambiguous: enforce strict plugin management policies at the application level.
Finally, it is important to recall a fundamental reality: crypto transactions are irreversible. Once the funds are gone, there is no recourse. In this context, the best defense remains systematic mistrust: never enable unknown plugins, verify the identity of professional contacts, and treat any request for access to a shared tool as a potential intrusion attempt.
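One way to turn the plugin-management recommendation into a routine check is sketched below; it is an added example, not code from Elastic or Obsidian. It walks a directory for Obsidian vaults and reports every community plugin that is not on an approved list or whose main.js differs from the reviewed build. It assumes the default .obsidian config folder and an allowlist of plugin id to SHA-256; the vault and plugin names are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def audit_vault(vault: Path, allowlist: dict) -> list:
    """(plugin_id, finding) pairs; allowlist (assumed format): id -> SHA-256 of reviewed main.js."""
    cfg = vault / ".obsidian"          # default config folder name
    plugins_dir = cfg / "plugins"      # one sub-folder per plugin, named after its id
    findings, enabled = [], set()
    enabled_file = cfg / "community-plugins.json"   # JSON array of enabled plugin ids
    if enabled_file.is_file():
        try:
            enabled = set(json.loads(enabled_file.read_text(encoding="utf-8")))
        except (json.JSONDecodeError, TypeError):
            findings.append(("*", "unreadable community-plugins.json"))
    installed = {p.name for p in plugins_dir.iterdir() if p.is_dir()} if plugins_dir.is_dir() else set()
    for pid in sorted(enabled | installed):
        state = "enabled" if pid in enabled else "installed, not enabled"
        main_js = plugins_dir / pid / "main.js"
        if pid not in allowlist:
            findings.append((pid, f"{state}: not on allowlist"))
        elif not main_js.is_file():
            findings.append((pid, f"{state}: main.js missing"))
        elif hashlib.sha256(main_js.read_bytes()).hexdigest() != allowlist[pid]:
            findings.append((pid, f"{state}: main.js differs from reviewed build"))
    return findings

def find_vaults(root: Path) -> list:
    """Every folder under root that contains an .obsidian config directory."""
    return sorted(p.parent for p in root.rglob(".obsidian") if p.is_dir())

def build_demo_vault(root: Path) -> dict:
    """Constructed sample: one reviewed plugin, one altered, one unknown."""
    plugins = root / "SharedDashboard" / ".obsidian" / "plugins"
    bodies = {"notes-helper": "reviewed", "table-tool": "altered", "sync-extra": "unknown"}
    for pid, body in bodies.items():
        (plugins / pid).mkdir(parents=True)
        (plugins / pid / "main.js").write_text(body, encoding="utf-8")
    (plugins.parent / "community-plugins.json").write_text(json.dumps(sorted(bodies)))
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return {"notes-helper": digest("reviewed"), "table-tool": digest("original")}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        allow = build_demo_vault(Path(tmp))
        for vault in find_vaults(Path(tmp)):
            for pid, finding in audit_vault(vault, allow):
                print(f"{vault.name}: {pid}: {finding}")
```

Run against a user's documents folder, the same functions flag a newly synced vault that brings its own plugins before anyone has reviewed them.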
Passionate about Bitcoin, I enjoy exploring the intricacies of blockchain and crypto, and I share my discoveries with the community. My dream is to live in a world where privacy and financial freedom are guaranteed for everyone, and I firmly believe that Bitcoin is the tool that can make that possible.
The views, thoughts, and opinions expressed in this article belong solely to the author, and should not be taken as investment advice. Do your own research before taking any investment decisions.