Cybercriminals Use Telecopy Telegram Bots to Conduct Phishing Scams on a Large Scale

Nov 24, 2023 | Newsroom | Threat Analysis / Dark Web

Phishing Telegram Bot

More details have emerged about a malicious Telegram bot called Telecopy, which threat actors use to pull off large-scale phishing scams.

“Telecopy is capable of phishing websites, emails, SMS messages, and more,” ESET security researcher Radek Jizba said in a new analysis.

The threat actors behind the operation, codenamed Neanderthals, are known to run the criminal enterprise like a legitimate company, with a hierarchical structure made up of members in different roles.

Once aspiring Neanderthals are recruited through advertisements on underground forums, they are invited to join designated Telegram channels used for communicating with other Neanderthals and tracking transaction logs.

The ultimate goal of the operation is to pull off one of three types of scams: seller, buyer, or refund.


In the first, Neanderthals pose as sellers and try to persuade unwary Mammoths to buy an item the Neanderthals do not have. Buyer scams involve Neanderthals posing as buyers to trick Mammoths (i.e., traders) into entering their financial details in order to separate them from their funds.

Other scenarios fall into a category called refund scams, in which Neanderthals trick the Mammoths a second time under the pretext of offering a refund, only to deduct the same amount of money.

Singapore-headquartered cybersecurity firm Group-IB previously told The Hacker News that the activity tracked as Telecopy is the same as Classiscam, a scam-as-a-service program that has earned criminal actors $64.5 million in illicit profits since its inception in 2019.

“For the Seller scam scenario, the Neanderthals are advised to prepare additional photos of the item to be prepared in case the Mammoths ask for more details,” Jizba said. “If Neanderthals were using pictures they downloaded from the internet, they should have edited them to make the image harder to find.”

Choosing a Mammoth for a buyer scam is a deliberate process that takes into account the victim's gender, age, experience in online marketplaces, rating, reviews, number of completed trades, and the type of goods they sell, indicating a preparation stage that includes extensive market research.

Neanderthals also use web scrapers to sift through online marketplace listings and pick out an ideal Mammoth who is likely to fall for the bogus scheme.

When a Mammoth wants in-person payment and in-person delivery for the goods sold, the Neanderthals claim that “they were too far away or that they were leaving town for a business trip in a few days,” while simultaneously showing high interest in the item to increase the likelihood of the scam’s success.

Neanderthals have also been observed using VPNs, proxies, and Tor to remain anonymous, while also exploring real estate scams in which they create fake websites with apartment listings and lure Mammoths into paying a reservation fee by clicking on a link that points to a phishing website.


“Neanderthals write to a legitimate owner of an apartment, pretending to be interested and asking for various details, such as additional photos and what kind of neighbors the apartment has,” Jizba said.

“Then the Neanderthals took all this information and made their own listing on another website, offering the apartment for rent. They cut the expected market price by about 20%. The rest of the situation is similar to the scenario of Seller scam.”

The disclosure comes as Check Point details a rug pull scam that managed to steal nearly $1 million by luring unsuspecting victims into investing in fake tokens and executing simulated trades to create a veneer of legitimacy.

“When the token has attracted enough investors, the scammer executes the last step – withdrawing liquidity from the token pool, leaving the token buyers empty-handed and draining the funds,” the company said.
