Crypto scammers are increasingly exploiting Telegram to execute malware-based scams, surpassing traditional phishing techniques in volume. According to security firm Scam Sniffer, these attacks have surged by 2,000% since November, marking a significant shift in the methods employed by bad actors.
In a Jan. 15 post on X, Scam Sniffer explained that these scams differ from the usual “connect wallet” phishing attempts. Instead of tricking users into linking their digital wallets to fraudulent websites, scammers are now deploying malware through fake verification bots within fake trading, airdrop, and alpha groups on Telegram.
“Once users execute the scammers’ code or install fake verification software, attackers can access passwords, wallet files, clipboard data, and browser information,” Scam Sniffer warned.
The firm has identified two prominent fake verification bots, OfficiaISafeguardRobot and SafeguardsAuthenticationBot, used in these schemes. As awareness of signature scams grows, scammers are pivoting to malware, which provides broader access to victims’ systems and makes tracking losses more challenging.
Scam Sniffer first flagged this issue in December, noting a rise in fake X accounts impersonating well-known crypto influencers. These accounts invite users to Telegram groups promising investment opportunities. Once inside, users are prompted to verify their identity through fraudulent bots that install crypto-stealing malware, compromising private keys and draining wallets.
Another variation involves fake Cloudflare verification pages. Users are instructed to copy and paste verification text, which secretly injects malware into their systems via the clipboard.
By January, scammers had expanded their tactics, targeting legitimate project communities with seemingly innocuous invites. “This evolution highlights the scammers’ ability to adapt to increased user awareness of phishing links,” Scam Sniffer noted. “Instead, they’re leveraging more advanced social engineering techniques through Telegram bots.”
The firm emphasized that losses from malware attacks are difficult to quantify, but noted that the dramatic rise in these scams indicates their effectiveness.
Cado Security Labs corroborated Scam Sniffer’s findings, reporting in December that attackers were using fake meeting apps to inject malware and steal credentials from websites, applications, and crypto wallets. Separately, Cyvers’ 2024 Web3 Security Report revealed that $2.3 billion worth of cryptocurrency was stolen in 165 incidents in 2024, representing a 40% increase from the $1.69 billion stolen in 2023. However, the 2024 total remained below the $3.78 billion stolen in 2022.
Interestingly, December recorded the lowest losses from hacks and scams in 2024, amounting to just $29 million. Despite this, the escalating sophistication of malware scams on Telegram highlights the evolving threat landscape in the crypto space.

