Bad actors are deploying cryptocurrency-stealing malware using a sophisticated combination of fake X accounts and malicious Telegram bots.

Web3 security firm ScamSniffer has warned of a new scam targeting cryptocurrency users by mimicking popular influencers in the space and draining their wallets using stealthy malware.

The attack begins when the scammers create fake X accounts posing as popular cryptocurrency influencers and promoting Telegram groups that promise to offer investment advice. These groups are often touted as “exclusive” and are typically promoted under the posts of the influencers that the scammers are imitating to make them look legitimate.  

When unsuspecting users join the group via the invite link, they are asked to verify using a Telegram verification bot dubbed “OfficialSafeguardBot” which, according to ScamSniffer, “creates artificial urgency” by giving users very little time to complete the captcha.


During this phony verification process, the bot injects “malicious PowerShell code” (PowerShell is a scripting language used for task automation on Windows) into the victim’s clipboard. Victims are then tricked into executing it on Windows, because the bot presents running the pasted code as a step required to complete the verification process. See below.

Telegram verification bot prompting users to run malicious code. Source: ScamSniffer on X

According to ScamSniffer, there have been “numerous cases recently” where similar tactics have been used to steal a user’s private keys. The malware has also managed to bypass several antiviruses, with only VirusTotal flagging it as malicious.

To protect against the scam, the firm advised users to use hardware wallets, avoid executing unknown commands, and avoid installing unverified software.

The report follows an earlier warning from ScamSniffer about a surge in fake X accounts in December. Notably, impersonation accounts have spiked over 87% since November, and two victims lost over $3 million by clicking malicious links promoted via some of these accounts.

Over the past months, threat actors have increasingly resorted to using malware designed to drain crypto assets. This surge coincides with Bitcoin’s rally to $100,000 and a broader rise in altcoins, making the crypto sector increasingly lucrative for scammers.

On Dec. 9, Cado Security Labs flagged the Realst malware infiltrating users’ systems using a fake meeting application after social engineering them into believing they needed to download the application for a legitimate business opportunity or interaction with a trusted contact. 

Once deployed, the malware steals crypto assets, browser-stored credentials, banking card details, and other sensitive information.

In October, the decentralized finance protocol Radiant Capital lost over $50 million after the systems of some of the platform’s developers were compromised via a zipped PDF file containing malware. The attack involved social engineering, with the infected file being promoted via Telegram by an attacker impersonating a trusted former contractor.
