TLDR:
– Crypto scammers have dramatically shifted to Telegram malware scams, showing a 2,000% increase since November 2023, surpassing traditional phishing methods
– Instead of typical wallet connection scams, attackers are now using fake verification bots in trading, airdrop, and alpha groups to distribute sophisticated malware
– Two identified fake verification bots – OfficiaISafeguardRobot and SafeguardsAuthenticationBot – are being used to steal passwords, wallet files, and browser data
– Scammers have evolved from impersonating crypto influencers to targeting legitimate project communities with seemingly harmless invites
– Total crypto theft reached $2.3 billion across 165 incidents in 2024, marking a 40% increase from 2023, though December saw the lowest monthly losses at $29 million

Security researchers have detected a major shift in cryptocurrency scamming tactics, with malware attacks through Telegram showing an unprecedented 2,000% increase since November 2023.
This new trend marks a departure from traditional phishing methods as scammers adapt their strategies to bypass growing user awareness.
Security firm Scam Sniffer reported on January 15 that crypto thieves are moving away from the common “connect wallet” schemes. These older scams typically tried to trick users into connecting their digital wallets to fake websites. The new approach uses sophisticated malware distributed through seemingly legitimate verification bots in Telegram groups.
1/6 ALERT: Our data shows a concerning trend—Telegram malware scams have surpassed traditional phishing!
From Nov 2024 to Jan 2025:
– Malicious Telegram group scams increased by 2000%+
– Regular phishing remained stable
Here’s why this matters… https://t.co/6MQkDWCLrr pic.twitter.com/U6YBtbaPHK
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) January 16, 2025
Two specific fake verification bots have been identified as tools in these attacks: OfficiaISafeguardRobot and SafeguardsAuthenticationBot. These bots serve as entry points for malware that can access passwords, scan for wallet files, monitor clipboards, and steal browser data from unsuspecting users.
The evolution of these scams began with bad actors creating fake social media accounts that impersonated popular crypto influencers. These accounts would then invite users to Telegram groups with promises of exclusive investment insights and trading opportunities.
Once users join these groups, they encounter what appears to be a standard verification process. However, the verification step secretly installs crypto-stealing malware onto their systems, giving scammers access to private keys and crypto wallets.
A particularly deceptive variant of these scams uses fake Cloudflare verification pages. Users are asked to copy and paste verification text that contains hidden malicious code, which then compromises their system through their clipboard.
[Image: Attackers are impersonating multiple crypto influencers and using malicious bots for verification]
By January 4, Scam Sniffer observed that these tactics had evolved further. Scammers began targeting legitimate cryptocurrency project communities, moving beyond influencer impersonation. They now send what appear to be harmless invitations to community members.
The security firm notes that this tactical shift reflects the scammers’ adaptation to increased user awareness about phishing links. Instead of relying on suspicious URLs, they now focus on social engineering through Telegram bots, making their attacks harder to detect and avoid.
In December, Cado Security Labs identified a related scheme where scammers used fake meeting applications to distribute malware. These apps served as vectors for stealing credentials to various websites, applications, and crypto wallets.
The financial impact of these attacks has been substantial. According to Cyvers’ 2024 Web3 Security Report, crypto thieves stole $2.3 billion across 165 separate incidents in 2024. This represents a 40% increase from the previous year’s total of $1.69 billion.
However, this figure still remains below the 2022 peak, when hackers made off with $3.78 billion in cryptocurrency assets. The 2024 total represents a 37% decrease from that high point.
December 2024 showed some positive developments, with both security firms reporting the lowest monthly losses of the year at approximately $29 million. This decrease in successful thefts suggests that some security measures may be having an effect.
Tracking the exact scope of these malware attacks presents challenges for security researchers. Scam Sniffer reports that losses from malware attacks are particularly difficult to measure accurately, unlike more traditional forms of crypto theft.
The security firm emphasizes that while precise numbers remain elusive, the dramatic shift in scammer tactics toward Telegram-based malware attacks indicates these methods are proving effective for the perpetrators.
Current security recommendations focus on careful verification of any Telegram bots or groups, particularly those promising exclusive access or requiring special verification steps. Users are advised to be especially wary of any verification processes that require downloading or running external software.
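One way to apply that bot verification in practice, as an added example (not code from Scam Sniffer or the original article): screen a bot handle against the two usernames reported above and against lookalikes of a handle you have confirmed out of band. The trusted handle `OfficialExampleVerifyBot`, the function names and the sample inputs are hypothetical.

```python
# Usernames this page reports as fake verification bots (lowercased for matching;
# Telegram resolves usernames case-insensitively).
REPORTED_FAKE = {"officiaisafeguardrobot", "safeguardsauthenticationbot"}
# Assumption: a handle your community confirmed out of band. Hypothetical placeholder.
TRUSTED = {"OfficialExampleVerifyBot"}
# Glyphs that look alike in many fonts, folded to one representative before comparing.
FOLD = str.maketrans({"I": "l", "1": "l", "0": "o"})


def skeleton(handle):
    """Strip a leading '@', fold lookalike glyphs, then lowercase."""
    return handle.lstrip("@").translate(FOLD).lower()


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(handle):
    """Classify a bot handle: reported-fake, trusted, lookalike-of:<handle>, unverified."""
    name = handle.lstrip("@")
    if name.lower() in REPORTED_FAKE:
        return "reported-fake"
    if name.lower() in {t.lower() for t in TRUSTED}:
        return "trusted"
    for t in sorted(TRUSTED):
        # Same skeleton means the names render alike; a small distance catches
        # an added or swapped character such as a trailing "s".
        if skeleton(name) == skeleton(t) or edit_distance(skeleton(name), skeleton(t)) <= 2:
            return f"lookalike-of:{t}"
    return "unverified"


if __name__ == "__main__":
    # Constructed sample handles, plus the two reported on this page.
    for h in ["@OfficiaISafeguardRobot", "SafeguardsAuthenticationBot",
              "@officialexampleverifybot", "OfficiaIExampleVerifyBot",
              "OfficialExampleVerifyB0t", "WeatherForecastBot"]:
        print(f"{h:32} {assess(h)}")
```

A result of `unverified` means only that the handle matched nothing on either list, not that the bot is safe.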
The latest data shows these scams continuing to evolve, with bad actors constantly refining their approaches to bypass security measures and user awareness. Security firms are actively monitoring these developments to identify new variants of these attacks as they emerge.
The post Warning: The Telegram Verification Bot Could Empty Your Crypto Wallet appeared first on Blockonomi.