Scammers Exploit Telegram Bots to Inject Malware and Steal Crypto, Warns Scam Sniffer

Blockchain security firm Scam Sniffer has raised alarms about a new wave of scams targeting cryptocurrency users through fake Telegram verification bots.

These schemes use social engineering tactics to inject malware into victims’ systems, ultimately compromising crypto wallets.

In a December 10 post on X , Scam Sniffer detailed how scammers are impersonating popular crypto influencers by creating fake X accounts.

Scammers Lure Users into Telegram Groups

The scammers lure unsuspecting users into Telegram groups, enticing them with promises of exclusive investment insights.

Once inside the group, users are instructed to verify their accounts through a bot called “OfficiaISafeguardBot.”

This fake verification bot creates a sense of urgency with short verification windows, compelling users to act quickly.

According to Scam Sniffer, the bot injects malicious PowerShell code into victims’ devices, allowing it to download and execute malware.

This malware compromises the systems, granting scammers access to private keys and enabling them to raid cryptocurrency wallets.

Scam Sniffer reported numerous cases of malware theft linked directly to this fake bot.

The firm noted that all recently identified cases involved the same fraudulent verification process.

While other malicious bots may exist, the security firm emphasized how easily scammers can impersonate additional services.

The infrastructure behind such scams is evolving rapidly, Scam Sniffer said, likening the approach to a “scam-as-a-service” model.

This concept mirrors how creators of crypto wallet-draining tools lease their software to phishing scammers.

The firm highlighted that while malware targeting regular users is not new, this specific combination of fake X accounts, Telegram channels, and malicious bots marks a concerning development.

The prevalence of scams on X has also surged. Scam Sniffer’s monitoring system recorded an average of 300 impersonation accounts per day in December, nearly doubling November’s average of 160.

These fake accounts promote malicious links and fraudulent tokens, often resulting in significant losses. At least two victims have reportedly lost over $3 million after interacting with these scams.

Other security firms have echoed Scam Sniffer’s warnings.

Web3 Workers Targeted with Fake Meeting Apps

Cado Security Labs recently flagged a campaign targeting Web3 workers with fake meeting apps designed to steal login credentials and crypto wallet access.

Similarly, Web3 security platform Cyvers predicted a rise in phishing attacks in December, as cybercriminals exploit the increased online activity during the holiday season.

Just recently, Radiant Capital revealed that it has fallen victim to a hack that drained $50 million from its decentralized finance (DeFi) platform.

As reported, cybersecurity firm Mandiant concluded with “high confidence” that the attack could be attributed to a threat actor linked to the Democratic People’s Republic of Korea (DPRK).

This is not the first major attack on Radiant this year.

In January, the platform suffered a $4.5 million flash loan exploit, which also forced the suspension of its lending markets.

Likewise, South Korea has accused North Korea of orchestrating the 2019 hack on cryptocurrency exchange Upbit, which resulted in the theft of 342,000 ETH, then valued at $41.5 million.