Telegram-based malware scams have now outpaced traditional phishing attacks, according to Scam Sniffers troubling findings. From November 2024 to January 2025, incidents involving malicious Telegram groups surged by over 2000%, while conventional phishing methods remained stable.

Unlike the typical connect wallet scams, these new tactics involve more sophisticated methods such as fake verification bots, fraudulent trading groups, bogus airdrop groups, and exclusive alpha groups.

From Bots to Bogus Groups

In its latest update, Scam Sniffer explained that once users interact with these malicious entities, whether by executing code or installing deceptive verification software, attackers gain extensive access to sensitive information. This includes passwords, wallet files, clipboard activity, and browser data.

The shift towards Telegram-based scams reflects a strategic move by attackers. With increasing user awareness of traditional signature scams, cybercriminals are now deploying malware, which provides broader access to victim data and makes financial losses harder to trace.

To protect against these evolving threats, the blockchain security firm advised users to exercise extreme caution. Key recommendations include avoiding running unknown commands, refraining from installing unverified software, steering clear of clipboard-based verification methods, and being skeptical of urgent group invites. Furthermore, using hardware wallets can offer an additional layer of security.

Cybercriminals Shift Tactics

Scam Sniffer had previously reported about a surge in crypto scams where attackers impersonate popular influencers on fake X accounts, luring victims into fraudulent Telegram groups. These groups use a malicious bot, OfficiaISafeguardBot, for a fake verification process that injects harmful PowerShell code into the user’s clipboard. The malware, once executed, compromises sensitive data, including crypto wallets.

More recently, Scam Sniffer observed that scammers have been targeting legitimate project communities with deceptive Telegram invites. Their new approach promises no wallet connections or signatures, instead urging users to run seemingly safe code for real-time updates. In addition to OfficiaISafeguardRobot, notable fake bots also include SafeguardsAuthenticationBot, both exploiting subtle misspellings.

This evolution in tactics highlighted a shift towards more sophisticated social engineering and bypassing phishing links to trick users into executing malicious code.