Scam Sniffer warns of fake influencers and Telegram bots spreading crypto-malware

Bad actors are distributing cryptocurrency-stealing malware through a combination of fake X accounts and malicious Telegram bots.

Web3 security firm ScamSniffer has warned of a new scam targeting cryptocurrency users by impersonating popular figures in the space and emptying their wallets using hidden malware.

The attack begins with scammers creating fake X accounts that pose as popular cryptocurrency influencers and promote Telegram groups promising investment advice. These groups are often touted as “private” and are promoted in replies under posts from the very influencers the scammers impersonate, which makes them appear legitimate.

When unsuspecting users join the group via the invite link, they are asked to verify using a Telegram verification bot called “OfficialSafeguardBot,” which “creates artificial urgency” by giving users little time to complete the captcha, according to ScamSniffer.

During this fake authentication process, the bot places “malicious PowerShell code” – PowerShell being a scripting language used for task automation in Windows – into the victim’s clipboard. Victims are then tricked into pasting and running this code on their Windows machine when the bot presents it as a step required to complete the verification process. See below.

Telegram verification bot encourages users to run malicious code. Source: ScamSniffer on X

According to ScamSniffer, there have been “numerous recent cases” of similar tactics being used to steal users’ private keys. The malware also evaded several antivirus products; only VirusTotal flagged it as malicious.

To protect themselves, users were advised to use hardware wallets, avoid running unknown commands, and avoid installing unverified software.

The report follows an earlier warning from ScamSniffer in December about an increase in fake X accounts. Notably, impersonation accounts have increased by over 87% since November, with two victims losing more than $3 million by clicking malicious links promoted through some of these accounts.

In recent months, threat actors have increasingly resorted to malware designed to drain crypto assets. This surge coincides with Bitcoin’s rise to $100,000 and a broader rally in altcoins, making the crypto sector increasingly lucrative for scammers.

On December 9, Cado Security Labs flagged the Realst malware, which infiltrated users’ systems using a fake meeting app, fooling users into believing they needed to download the app for a legitimate business opportunity or to interact with a trusted person.

Once deployed, the malware steals crypto assets, browser stored credentials, bank card details and other sensitive information.

In October, decentralized finance protocol Radiant Capital lost more than $50 million after some platform developers had their systems compromised via a compressed PDF file containing malware. The attack involved social engineering: the infected file was delivered via Telegram by an attacker impersonating a trusted former contractor.
