Scammers are using Telegram verification bots to inject crypto-stealing malware

From cointelegraph by Stephen Katte

Scammers are combining social engineering with phony Telegram verification bots that inject crypto-stealing malware into systems to raid crypto wallets, blockchain security firm Scam Sniffer said.

In a Dec. 10 X post, the security firm said scammers are creating fake X accounts impersonating popular crypto influencers, then inviting users to Telegram groups with promises of investment insights.

Once in the Telegram group, users are asked to verify through “OfficiaISafeguardBot,” a fake verification bot that “creates artificial urgency” with short verification windows, the firm said.

Scammers impersonate popular crypto influencers on X and then invite users to malicious Telegram groups. Source: Scam Sniffer

The bot then injects a malicious PowerShell code that downloads and runs malware to compromise computer systems and crypto wallets. Scam Sniffer said it has noted “numerous cases” where similar malware led to the theft of private keys.

Scam Sniffer told Cointelegraph that the recent known cases of this type of scam were all caused by the fake verification bot.

“It’s currently unclear if there are other malicious bots. However, it’s obviously simple for them to impersonate others as well,” the firm said.

According to Scam Sniffer, malware that targets regular users has “existed for a long time,” but the infrastructure behind such malicious software is “developing rapidly” and becoming “quite sophisticated.”

It explained that when scammers have successful heists and demand grows, they evolve into a scam-as-a-service, similar to crypto wallet-draining software makers hiring out their tools to phishing scammers.

Scam Sniffer added while it had seen malware distributed through Telegram and instances of scammers impersonating others to trick run malicious code, “this is the first time we’re seeing this specific combination of fake X accounts, fake Telegram channels and malicious Telegram bots.”

The fake Safeguard bot caused all recent and known cases of this scam type. Source: Scam Sniffer

Meanwhile, the security firm said it has noted a surge in scammers impersonating others on X and shilling sham links and tokens.

On average, Scam Sniffer’s monitoring system has found 300 X impersonators a day so far this month, compared with the November average of 160.

At least two victims have lost over $3 million from clicking malicious links and signing transactions from some of these fake accounts, it added.

Cado Security Labs also sounded the alarm that Web3 workers are being targeted by a campaign using fake meeting apps to inject malware and steal credentials to websites, apps and crypto wallets.

Web3 security platform Cyvers similarly warned this month that phishing attacks may surge in December as hackers attempt to exploit the growth in online transactions ahead of the holiday season.