Author: SlowMist Technology
Recently, we have received many requests for help from victims, all related to the "fake Safeguard" scam on Telegram. Because many users are not familiar with this attack method, they are often not vigilant enough when they encounter it, and both novices and experienced players are likely to be fooled. This article analyzes the scam's attack method in depth and provides practical prevention advice to help users protect their assets.
Scam Analysis
This type of scam comes in two main variants. The first steals Telegram accounts: scammers induce users to enter their mobile phone number, login verification code, and even their Two-Step Verification password, and then take over the account. The second implants a Trojan on the user's computer, a method that has appeared more recently. This article focuses on the second variant.

During popular token airdrop campaigns, when users' FOMO is running high, a user who sees the following Channel interface on Telegram will almost certainly click Tap to verify:

After clicking Tap to verify, a fake Safeguard bot opens and pretends that verification is in progress. The verification window it shows is extremely short, which creates a sense of urgency and pressures the user to keep going.

If the user keeps clicking, the bot pretends that the verification has failed and finally shows a prompt asking the user to verify manually:

The scammers have thoughtfully laid out Step1, Step2, and Step3. At this point the user's clipboard already contains malicious code. As long as the user does not actually follow these steps, nothing happens:

But if the user obediently follows these steps, the computer will be infected.
Another example: attackers impersonate KOLs and use malicious bots to "verify" users and guide them into executing malicious PowerShell code. Scammers create X accounts impersonating KOLs, then post Telegram links in the comments section, inviting users to join "exclusive" Telegram groups to obtain investment information. For example, a scam account appears in the comment section of @BTW0205, where many users see the "exciting news":

Users then enter the corresponding Telegram Channel, where they are guided to verify.

When the user clicks to verify, a fake Safeguard appears. As in the process above, Step1, Step2, and Step3 appear to guide the "verification" operation.

At this point the user's clipboard has already been silently overwritten with malicious content. If the user really opens the Run box as instructed and presses Ctrl + V to paste it, the state is as shown in the figure below. The Run box cannot show the full content: the word Telegram sits in front of a large blank space, with the malicious code following it.

These malicious snippets are usually PowerShell commands. Once executed, they silently download more complex malicious code and eventually infect the computer with a remote access Trojan (such as Remcos). Once the computer is under the Trojan's control, the attackers can remotely steal sensitive information on it, such as wallet files, mnemonics, private keys, and passwords, and then steal assets. (PS: for the behavior of the "fake Safeguard" Trojan, see the analysis by white hat Jose of the SlowMist Zone: https://jose.wang/2025/01/17/%E4%BC%AASafeguard%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/)
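The Run-box trick described above leaves a trace that defenders can check: Windows records everything entered into the Win+R Run box under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (each value ends with the marker \1). The following script is an added example written for this article, not SlowMist's tooling or Jose's analysis code. It scans RunMRU-style entries for the pattern the scam relies on: a benign-looking label such as "Telegram", a long run of whitespace that pushes the real command out of the Run box's visible area, and then an interpreter invocation. The sample entries, the placeholder payload string, the padding threshold and the interpreter list are constructed assumptions; on a Windows host the script reads the real RunMRU key, elsewhere it falls back to the sample data.

```python
"""Check Run-box history (RunMRU) for padded "label + spaces + interpreter" entries.

Added example for illustration; not SlowMist's code. Sample entries are constructed.
"""
import re
from typing import List, Optional, Tuple

# Interpreters and download helpers that may be hidden behind the padding (assumed list).
INTERPRETERS = (
    "powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
    "curl", "certutil", "bitsadmin", "rundll32", "regsvr32",
)

# Number of consecutive whitespace characters treated as deliberate padding (assumption;
# the Run box shows only a few dozen characters, so real commands rarely contain this).
PAD_THRESHOLD = 20

PADDED_CMD = re.compile(
    r"\s{%d,}(?P<cmd>(?:%s)\b.*)$" % (PAD_THRESHOLD, "|".join(INTERPRETERS)),
    re.IGNORECASE,
)

# Constructed RunMRU-style entries. RunMRU values end with a literal "\1".
SAMPLE_ENTRIES = [
    "notepad\\1",
    "cmd\\1",
    r"C:\Program Files\Git\git-bash.exe\1",
    # The scam pattern: visible label, long padding, hidden interpreter call.
    "Telegram" + " " * 120 + 'powershell -c "PLACEHOLDER_NOT_A_REAL_PAYLOAD"\\1',
]


def suspicious(entry: str) -> Optional[Tuple[str, str]]:
    """Return (visible_label, hidden_command) if the entry matches the padded pattern."""
    text = entry[:-2] if entry.endswith("\\1") else entry  # strip RunMRU's trailing \1
    match = PADDED_CMD.search(text)
    if match is None:
        return None
    label = text[: match.start()].strip()
    return label, match.group("cmd")


def scan(entries: List[str]) -> List[Tuple[str, str]]:
    """Return all entries that look like a padded paste-and-run command."""
    hits = []
    for entry in entries:
        result = suspicious(entry)
        if result is not None:
            hits.append(result)
    return hits


def read_runmru() -> List[str]:
    """Read the current user's RunMRU values on Windows; return [] elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    entries: List[str] = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                if name != "MRUList" and isinstance(data, str):
                    entries.append(data)
                index += 1
    except OSError:
        pass  # key absent: nothing has been run via Win+R
    return entries


if __name__ == "__main__":
    entries = read_runmru() or SAMPLE_ENTRIES
    for label, cmd in scan(entries):
        print(f"suspicious Run-box entry: label={label!r} hidden command={cmd[:60]!r}")
```

A hit does not prove infection by itself, but it shows that the padded command was actually submitted from the Run box, which is exactly the moment the page's steps lead to; treat such a host as compromised and follow the response steps in the prevention section below.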


The comment area of the Ethereum Foundation account @ethereumfndn has also been contaminated by this scam, which shows a large-scale "cast a wide net and harvest" model.

Most recently, the comment area of Trump's X account has also been contaminated by this scam:

If you open it on a mobile phone, the scam will obtain your Telegram permissions step by step. If you notice it in time, go to Telegram settings -> Privacy and Security -> Active sessions -> Terminate all other sessions as soon as possible, then add or change your Two-Step Verification password.

If you are using a Mac instead of a Windows computer, there are similar tricks to get it infected, and the routine is the same: when the following image appears in Telegram, your clipboard has already been silently loaded with malicious code.

There is no risk at this point, but if you follow the given steps, the consequences shown in the figure below will follow:



MistTrack Analysis
Solana hacker addresses:
HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV
2v1DUcjyNBerUcYcmjrDZNpxfFuQ2Nj28kZ9mea3T36W
D8TnJAXML7gEzUdGhY5T7aNfQQXxfr8k5huC6s11ea5R
According to MistTrack's analysis, the three hacker addresses above have so far taken in more than US$1.2 million in total, including SOL and multiple SPL tokens.

The hacker first converts most of the SPL tokens into SOL:

The SOL is then split up and transferred to multiple addresses, and the hacker's address also interacts with the Binance, Huobi, and FixedFloat platforms:

In addition, the address HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV currently still holds 1,169.73 SOL and token balances worth more than $10,000.

Let's analyze one of the Ethereum hacker addresses, 0x21b681c98ebc32a9c6696003fc4050f63bc8b2c6. Its first transaction was in January 2025, it is active on multiple chains, and its current balance is about $130,000.

This address transfers ETH to multiple platforms, such as ChangeNOW, eXch, and Cryptomus.com:

How to prevent
If your computer is infected, do the following immediately:
1. Move all wallets and funds used on this computer without delay. Do not assume that a browser-extension wallet is safe just because it has a password;
2. Change the passwords saved in every browser and of every account you are logged into, and reset passwords or 2FA wherever possible;
Make the most extreme assumption: your computer is infected, and everything on it is transparent to the scammers. Then think in reverse: if you were a scammer with complete control over a computer that is active in the Web3/Crypto world, what would you do? Finally, after backing up important data, reinstall the system. After reinstalling, it is best to install internationally renowned antivirus software such as AVG, Bitdefender, or Kaspersky and run a full-disk scan; after that there should be no major problems.
Summary
The fake Safeguard scam has developed into a mature attack model. The entire chain, from fake comments to Trojan implantation to asset theft, is stealthy and efficient. As attack methods become increasingly sophisticated, users need to be more vigilant about misleading links and "operation steps" on the Internet. Only by raising awareness, strengthening protection, and promptly discovering and handling potential threats can we effectively prevent the harm caused by such scams.