Popular crypto scams on Telegram

Sadly, scammers have flooded numerous Telegram groups and continue to use fictitious accounts to try to snare gullible cryptocurrency enthusiasts. They employ various constantly-improving schemes. In light of this, we decided to discuss the most typical of them.
Telegram scammers use convincing scripts to gain the trust of potential victims and obtain as much information and, if they're lucky, crypto assets as they can. They disguise their true motives as "customer-oriented" or "valuable" services, assuring the potential victim that they are here to assist.

Scheme #1: A phony customer service agent of a crypto exchange or trading platform

In this scheme, a fraudster pretending to be a customer and using a fake account similar to the real one keeps a close eye on customer requests in the official Telegram chat room of any major cryptocurrency exchange or trading platform. Users of the exchange usually begin to solve their problems through such a chat: they report the failure of certain functionality, the inability to withdraw assets from the wallet, or a significant delay during the execution of some transaction, transfer, etc. Typically, the group administrator promises to sort it out, requests that a ticket be created in the support service and a ticket number be provided, and then moves on to other members.

The scammer is waiting for this opportunity, and in a private message, he or she starts offering quicker solutions than a ticket in the queue (which is typically low priority, so you will have to wait a long time to solve the problem). The attacker writes from an account that carries the exchange's or platform's logo and whose name is very similar to the official name of the Telegram chat where the conversation with the administrator took place, but with one letter or number added at the end. A user who is desperately trying to find a way out of a difficult situation — most often a financial one — might mistake a fraudster for an official member of the organization who is trying to assist him.

During the conversation, the attacker informs the victim that there is an alternative solution to the problem and provides a link to a phishing site where, in addition to personal information, the owner's wallet address and the seed phrase must be entered. When asked, "Why enter such information?" the scammer usually responds that it will help solve the problem or speed up the transfer or withdrawal of assets, and that there is no need to worry because everything will be safe, etc.

At this point, an experienced trader realizes he is dealing with an attacker who, through phishing, is attempting to seize assets from a non-custodial wallet used for transactions on DEXs or decentralized trading platforms. A novice or inexperienced trader, however, can fall into this trap under psychological pressure, provide all the information, and lose assets in a matter of minutes.
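The lookalike-name trick described above can be screened for mechanically. The following is an added example, not part of the original article: it compares the usernames of accounts that send private messages against the official support username and flags near-matches. `ExampleExchange_Support` and the sample senders are constructed placeholders, and the check goes slightly beyond the article's "one letter or number added" case by also catching small edits inside the name.

```python
import unicodedata

# Hypothetical official support username (assumption, not from the article).
OFFICIAL = "ExampleExchange_Support"

def normalize(handle: str) -> str:
    """Telegram usernames are case-insensitive; drop '@' and fold Unicode forms."""
    return unicodedata.normalize("NFKC", handle).strip().lstrip("@").lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(handle: str, official: str = OFFICIAL) -> str:
    h, o = normalize(handle), normalize(official)
    if h == o:
        return "official"
    extra = h[len(o):] if h.startswith(o) else ""
    if extra and len(extra) <= 2 and extra.isalnum():
        return "lookalike:suffix"      # the pattern the article describes
    if edit_distance(h, o) <= 2:
        return "lookalike:edit"        # swapped, dropped or inserted character
    return "unrelated"

def flag_senders(senders, official: str = OFFICIAL):
    """Return (handle, verdict) for every sender that imitates the official name."""
    verdicts = ((s, classify(s, official)) for s in senders)
    return [(s, v) for s, v in verdicts if v.startswith("lookalike")]

# Constructed sample: usernames of accounts that sent a private message.
SAMPLE_DMS = ["@ExampleExchange_Support", "@ExampleExchange_Support1",
              "@ExampleExchange_Supp0rt", "@ExampleExchange_Suport",
              "@crypto_news_daily"]

if __name__ == "__main__":
    for handle, verdict in flag_senders(SAMPLE_DMS):
        print(f"{handle}: {verdict}")
```

A group moderation bot or a cautious user can apply the same comparison to display names, where an exact match is also suspicious because display names are not unique.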

Scheme #2: Fake survey of VIP clients

This time, the scam targets VIP users of cryptocurrency exchanges or trading platforms who have sizable crypto asset balances. It is not difficult to build a client base of VIPs by suitably "motivating" one of the exchange's employees, who, through insider fraud or access to client registers, obtains all the necessary information and passes it on to criminals. Another option is to gain access by any means (for example, through an invitation from one of the administrators) to the Telegram group where VIP clients are served, and then compile a list of its members.

Crypto exchanges typically charge a fee, particularly for transactions involving the withdrawal of assets from wallets. This is a significant expense for investment funds or large traders. Fraudsters use this topic to find victims and steal assets, playing on greed.

Scammers who are well-versed in the cryptocurrency industry select another potential victim from the list and invite them to a newly created Telegram channel for "VIP customer service," which is branded and decorated as the exchange's official chat. The customer accepts the invitation and goes to the group after being persuaded by the offer to increase limits or decrease commissions. There, they are politely asked to leave a review (which, of course, is "very important") about the commission differences between the largest cryptocurrency exchanges, with the option of reading an Excel file containing a comparative table with data.

Downloading and opening a file titled "OKX Binance & Huobi VIP fee comparision.xls", which contains embedded macros, activates an XOR-encrypted backdoor virus on the VIP client's computer that extracts certain DLLs and grants attackers remote access to the "infected" device. Then, as IT experts say, it's just a matter of technique. Attackers scan all hard disk partitions for logins, passwords, and seed phrases, install a keylogger, and control the victim's crypto exchange verification and authentication procedures. Once they have received all the necessary information, they withdraw the assets.

The most recent instance of such an attack, dubbed DEV-0139, was discovered by Microsoft in October 2022 and described on the company blog. 
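Because this scheme depends on the victim opening a spreadsheet with embedded macros, a received file can be checked for VBA content before it is ever opened. The following is an added example, not part of the original article or of Microsoft's report: a byte-level heuristic for legacy OLE2 files (.xls) and OOXML files (.xlsm/.xlsx). The sample files are constructed in memory, and the check does not cover other macro types such as Excel 4.0 macro sheets.

```python
import io
import zipfile
from typing import Optional

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .xls/.doc container
VBA_STORAGE = "_VBA_PROJECT".encode("utf-16-le")  # directory names are UTF-16LE

def macro_indicator(data: bytes) -> Optional[str]:
    """Return a short reason if the file appears to carry VBA, else None."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-vba-storage" if VBA_STORAGE in data else None
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "corrupt-zip"       # claims to be a zip but cannot be parsed
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-vba-part"
    return None

def triage(files: dict) -> dict:
    """Map each file name to 'quarantine (<reason>)' or 'no-vba-found'."""
    out = {}
    for name, data in files.items():
        reason = macro_indicator(data)
        out[name] = f"quarantine ({reason})" if reason else "no-vba-found"
    return out

def _zip_with(*members: str) -> bytes:
    """Build a constructed OOXML-like archive with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for m in members:
            z.writestr(m, b"constructed")
    return buf.getvalue()

# Constructed samples: minimal byte strings, not real workbooks.
SAMPLES = {
    "fee_table.xls": OLE2_MAGIC + b"\x00" * 64 + VBA_STORAGE,
    "fee_table.xlsm": _zip_with("xl/workbook.xml", "xl/vbaProject.bin"),
    "fee_table.xlsx": _zip_with("xl/workbook.xml"),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

A "no-vba-found" result only means this heuristic found nothing; an unsolicited file from a chat contact should still be treated as untrusted.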

Scheme #3: Telegram groups for organizing a Pump&Dump attack

The scam is not brand-new and was widely used on the crypto market in 2017–2019, but it is still relevant today.

The masterminds behind this fraudulent scheme establish a separate group on Telegram, make a group of "pumpers," and then add novice traders or beginners who were seduced by the promise of quick and easy profit. They use targeted advertising and other cryptocurrency-related Telegram groups or chat rooms to find potential victims. Typically, illiquid or little-known cryptocurrencies that have been listed on at least one cryptocurrency exchange are chosen for pumping.

The organizers then begin to disseminate "exclusive" information "from verified sources" (often "insiders") that some coin's value will soon rise due to a partnership with a well-known company or a planned listing on a top exchange. Information about crypto is shared via Telegram channels, social network profile groups, and paid YouTube vloggers.

The advertising campaign is accompanied by continuous purchases of the chosen cryptocurrency, and, of course, the artificially created demand contributes to the asset's rate gradually rising. Participants in the specially created chat receive the command to "buy" while also participating in the process of "pumping" the asset.

If the advertising campaign was successful and targeted the right audience, the speed of the "pumping" of cryptocurrency increases in direct proportion to the number of participants who believed the information and sought to become wealthy quickly. All of this causes the coin to become increasingly expensive, as more and more victims of fraudsters begin to purchase it, driving up the price.

This "game" always has a sudden and unexpected result for the participants. Scammers synchronously "dump" cryptocurrency at the highest price (the second part of the Dump scheme), and its value drops quickly (sometimes in less than a minute). Most of the time, it is even lower than it was before "pumping."

Some Telegram group members knew they were taking part in the planned Pump&Dump scheme from the start, but they had the mistaken belief that they would be able to sell their coins in good time because the organizers had promised to notify them of the date and time of the sale "on highs." However, the signal to "sell" typically arrives either too late (after the coin's price has already fallen noticeably) or not at all. As a result, the vast majority of participants in the Pump&Dump Telegram group are out of pocket, while the organizers profit handsomely.

Conclusion

The conclusion is self-evident. Never enter wallet passwords or seed phrases on unfamiliar websites (and don't enter the address, either). Do not open unknown files on your computer, even if you have a powerful antivirus package with up-to-date databases (criminals create new viruses that are not yet recognized). Pump&Dump schemes should also be avoided because they will have unfortunate results for everyone who participates, except the organizers. Verify the identity of any "representative" of an exchange or trading platform before providing information to them or receiving it from them.

By following these recommendations, you can reduce your chances of falling victim to fraud and protect your assets.