Fake VCs target crypto talent

2026-03-02 Moonlock

https://moonlock.com/fake-vcs-target-crypto-talent-clickfix-campaign


Moonlock Lab tracks a campaign targeting cryptocurrency and Web3 professionals through LinkedIn outreach, fabricated venture capital firms, and fake Zoom or Google Meet links. The attack flow uses recruiter or investor personas tied to fronts such as SolidBit Capital, MegaBit, and Lumax Capital, then redirects victims through Calendly-style scheduling into spoofed meeting pages. Delivery relies on ClickFix-style fake CAPTCHA prompts that poison the clipboard and instruct victims to paste and run malicious commands in Terminal, with cross-platform payload handling for macOS and Windows. Moonlock reports overlaps with DPRK-aligned cryptocurrency targeting and Mandiant-attributed UNC1069 activity, including similar fake Zoom domain conventions, Calendly-to-fake-Zoom social engineering, and cross-platform ClickFix delivery, while noting that definitive attribution remains open. The infrastructure pivots through shared WHOIS details, rotating fake company identities, AI-generated staff profiles, typosquatted event or media branding, and a newly registered lumax[.]capital front.
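One way a defender could triage the lookalike meeting links described above, as an added example that is not Moonlock's code: it flags hosts that carry a Zoom or Google brand token (after undoing digit-for-letter swaps) but sit outside the brands' own domains. The brand list, swap table, function names and sample URL paths are assumptions; the two lookalike hosts come from this report.

```python
import re
from urllib.parse import urlsplit

# Domains the two spoofed meeting brands actually use.
OFFICIAL_SUFFIXES = ("zoom.us", "zoom.com", "zoomgov.com", "google.com")
# Brand tokens to look for in host labels (assumption: extend per environment).
BRAND_TOKENS = ("zoom", "google")
# Digit-for-letter swaps seen in typosquats such as "goog1e" (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e"})


def is_official(host):
    """True when host is an official domain or one of its subdomains."""
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def spoofed_brand(host):
    """Return the brand token a non-official host imitates, or None.

    A hit is a triage signal, not a verdict: unrelated names that merely
    contain a token will also match and need an allow-list.
    """
    host = host.strip().lower().rstrip(".")
    if not host or is_official(host):
        return None
    # Normalise swaps on a copy, then inspect each dot/hyphen separated label.
    for label in re.split(r"[.\-]", host.translate(HOMOGLYPHS)):
        for token in BRAND_TOKENS:
            if token in label:
                return token
    return None


def flag_urls(urls):
    """Return (host, brand) pairs for URLs whose host imitates a brand."""
    hits = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        brand = spoofed_brand(host)
        if brand:
            hits.append((host, brand))
    return hits


# Constructed sample: paths are made up; lookalike hosts are from this report.
SAMPLE_URLS = [
    "https://us05web.zoom.us/j/0000000000",
    "https://zoom.us05-web.us/example",
    "https://goog1e.us-meet.com/example",
    "https://meet.google.com/abc-defg-hij",
    "https://calendly.com/example/intro-call",
]

if __name__ == "__main__":
    for host, brand in flag_urls(SAMPLE_URLS):
        print(f"lookalike of {brand}: {host}")
```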

Indicators of Compromise

