Crypto users targeted in ‘elaborate’ scam using popular notes app
TL;DR
Crypto users are being targeted by a new scam involving the Obsidian notes app, where attackers use social engineering to run malware on victims' devices. The scam exploits community plugins to execute malicious code when a victim accesses a shared cloud vault.
Key points
- Crypto users targeted by a new scam using Obsidian app
- Scammers use social engineering on LinkedIn and Telegram
- Malware executes when victims open shared cloud vaults
- Attacks affect both Windows and macOS devices
- In 2025, $713 million was stolen from crypto wallets
Crypto users have been warned of a new social engineering scam that tricks victims into using community plugins on the note-taking app Obsidian to unknowingly run malware that can take control of their devices.
Elastic Security Labs said in a report on Tuesday that it found a novel campaign targeting those in crypto and finance using “elaborate social engineering on LinkedIn and Telegram” to trick victims into allowing malicious, yet seemingly safe, software to run on their devices.
Attackers abuse the community plugin ecosystem on Obsidian to “silently execute code when a victim opens a shared cloud vault,” with attacks working on both Windows and macOS devices.
It's the latest known attack campaign targeting crypto users, a popular target for scammers, as blockchain transactions cannot be reversed. In 2025, $713 million was stolen via compromises of individual crypto wallets, according to Chainalysis.
Elastic said the scammers contact victims on LinkedIn under the guise of being a venture capital firm and eventually steer the conversation to Telegram in discussions around “financial services, specifically cryptocurrency liquidity solutions, creating a plausible business context.”
The attackers ask their target to use Obsidian, framing it as their fake company’s database for accessing a shared dashboard, and the potential victim is given a login to connect to a cloud-hosted vault controlled by the attackers.
“This vault is the initial access vector,” Elastic said. “Once opened in Obsidian, the target is instructed to enable community plugins sync. After that, the trojanized plugins silently execute the attack chain.”
[Image not reproduced. Source: Elastic Security Labs]
The attacks differ slightly on Windows and macOS, but both deploy a previously undocumented remote access trojan, or RAT, which Elastic dubbed “PHANTOMPULSE.”
The malware, which is disguised as legitimate software, gives the attackers control over the victim's device, with Elastic adding it was “designed for stealth, resilience, and comprehensive remote access.”
Elastic said that PHANTOMPULSE uses a decentralized command-and-control mechanism via at least three different blockchain networks, using on-chain transaction data tied to a specific wallet to connect to the attacker and receive instructions.
“This technique provides the operator with an infrastructure-agnostic rotation capability,” Elastic said. “Because blockchain transactions are immutable and publicly accessible, the malware can always locate its C2 [command-and-control mechanism] without relying on centralized infrastructure.”
“The use of three independent chains adds redundancy: even if one chain's explorer is blocked or unavailable, the remaining two provide alternative resolution paths,” it added.
Elastic said it was able to block the attack, but it shows that attackers “continue to find creative initial access vectors” as abusing Obsidian's community-run plugin ecosystem allowed them to skirt “traditional security controls entirely, relying on the application's intended functionality to execute arbitrary code.”
It added that financial and crypto companies “should be aware that legitimate productivity tools can be turned into attack vectors,” and organizations should enforce app-level plugin policies to defend against similar attacks.
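The plugin policy Elastic recommends can be checked on disk. The script below is an added example written for this article, not code from Elastic Security Labs, Obsidian, or the campaign; it assumes (as an assumption, not a fact stated in the article) that Obsidian lists the enabled community plugins in `<vault>/.obsidian/community-plugins.json` and stores each plugin's code under `<vault>/.obsidian/plugins/<plugin-id>/main.js`. It builds a throwaway sample vault, then reports enabled plugins that are not on an allowlist and plugin code that is present in the vault but not yet enabled, the situation a synced shared vault creates before the victim is asked to turn community plugins on.

```python
"""Audit an Obsidian vault for community plugins that fall outside an allowlist."""
import json
import tempfile
from pathlib import Path

# Assumption (not from the article): Obsidian records enabled community plugins in
# <vault>/.obsidian/community-plugins.json and keeps each plugin's code in
# <vault>/.obsidian/plugins/<plugin-id>/ (manifest.json plus main.js).
COMMUNITY_PLUGINS_FILE = Path(".obsidian") / "community-plugins.json"
PLUGINS_DIR = Path(".obsidian") / "plugins"


def audit_vault(vault: Path, allowlist: set[str]) -> dict:
    """Compare what the vault enables and ships against an organization allowlist.

    Returns the enabled plugin ids, those not on the allowlist, and plugin
    directories that carry code without being enabled ("staged"), which a
    synced vault can deliver before anyone opts in to community plugins.
    """
    enabled: list[str] = []
    cfg = vault / COMMUNITY_PLUGINS_FILE
    if cfg.is_file():
        data = json.loads(cfg.read_text(encoding="utf-8"))
        if isinstance(data, list):
            enabled = [str(plugin_id) for plugin_id in data]

    on_disk: list[str] = []
    plugins_dir = vault / PLUGINS_DIR
    if plugins_dir.is_dir():
        for entry in sorted(plugins_dir.iterdir()):
            if entry.is_dir() and (entry / "main.js").is_file():
                on_disk.append(entry.name)

    return {
        "enabled": enabled,
        "not_allowed": sorted(p for p in enabled if p not in allowlist),
        "staged_only": sorted(p for p in on_disk if p not in enabled),
        "on_disk": on_disk,
    }


def build_sample_vault(root: Path) -> Path:
    """Construct a sample vault layout (constructed data, not a real campaign artifact)."""
    vault = root / "shared-vault"
    (vault / PLUGINS_DIR).mkdir(parents=True)
    # Three plugin folders with code; only the first two are enabled in the config.
    for plugin_id in ("dataview", "liquidity-dashboard", "sync-helper"):
        plugin_dir = vault / PLUGINS_DIR / plugin_id
        plugin_dir.mkdir()
        manifest = {"id": plugin_id, "name": plugin_id, "version": "1.0.0"}
        (plugin_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (plugin_dir / "main.js").write_text("// plugin code would live here\n", encoding="utf-8")
    enabled = ["dataview", "liquidity-dashboard"]
    (vault / COMMUNITY_PLUGINS_FILE).write_text(json.dumps(enabled), encoding="utf-8")
    return vault


def run_demo() -> dict:
    """Build the sample vault and audit it against an allowlist containing only 'dataview'."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = build_sample_vault(Path(tmp))
        return audit_vault(vault, allowlist={"dataview"})


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In production the allowlist would come from the organization's policy rather than a literal, and the audit would run over every vault directory synced onto managed endpoints; a non-empty `not_allowed` or `staged_only` list is the signal to review before community plugins are enabled.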
Q&A
How does the Obsidian notes app scam work?
The scam tricks users into using community plugins on Obsidian, allowing malware to run when they open a shared cloud vault.
What platforms are affected by the Obsidian malware scam?
The malware attacks are effective on both Windows and macOS devices.
How much money was stolen from crypto wallets in 2025?
In 2025, approximately $713 million was stolen from individual crypto wallets due to various scams and hacks.