Crypto Scammers Shift to Telegram Malware Scams
Crypto scammers have increasingly turned to Telegram malware scams, which have now surpassed traditional phishing, surging 2,000% since November.
According to a 16 January post from security firm Scam Sniffer, these scams go beyond the typical "connect wallet" fraud, where users are tricked into linking their digital wallets to malicious sites.
Instead, scammers now deploy sophisticated malware through fake verification bots embedded in fraudulent trading, airdrop, and alpha groups.
The firm said:
“Once you execute their code or install their verification software, they can access your passwords, scan for wallet files, monitor your clipboard and steal browser data.”
Scam Sniffer has identified two such deceptive bots—OfficiaISafeguardRobot and SafeguardsAuthenticationBot—used to distribute malware.
This shift comes as users grow more cautious of signature scams, prompting bad actors to adopt malware-based attacks that offer deeper access to victims' systems and make losses harder to trace.
The firm first flagged Telegram malware scams in December after observing an uptick in fake X (formerly known as Twitter) accounts impersonating crypto influencers.
These scammers lure users into Telegram groups with promises of exclusive investment insights, then prompt them to verify their identity through a fake bot that injects crypto-stealing malware, compromising private keys and draining wallets.
Variants of Crypto Scams
Scammers have also turned to fake Cloudflare verification pages to deploy malware: the pages trick users into copying and pasting "verification text" while secretly placing malicious code in their clipboard.
Scam Sniffer highlighted this tactic in a 5 January update, noting that cybercriminals are no longer limited to impersonating influencers.
They have expanded their efforts to target legitimate project communities with seemingly harmless invites.
The security firm noted:
“This shift in tactics indicates scammers are adapting to increased user awareness about phishing links. Instead, they're leveraging more sophisticated social engineering through Telegram bots.”
It added:
“Malware attack losses are nearly impossible to measure. But the massive shift in scammer tactics tells us one thing — it's working.”
Cado Security Labs also warned in December about a similar approach, where scammers used fake meeting apps to inject malware and steal login credentials for websites, apps, and crypto wallets.
According to the Cyvers 2024 Web3 Security Report, $2.3 billion worth of cryptocurrency was stolen across 165 incidents in 2024, marking a 40% increase from 2023's $1.69 billion in losses.
However, this figure is 37% lower than the $3.78 billion stolen in 2022.
Interestingly, two security firms noted that December saw the lowest monthly losses of the year, totalling only around $29 million.