Author: Slow Mist Technology

Recently, we have received many requests for help from victims, all related to Telegram Related to the “fake Safeguard” scam on. Since many users do not understand this type of attack method, they are often not vigilant enough when encountering this scam. Both novices and experienced players are likely to be fooled. This article will deeply analyze the attack method of this scam and provide Effective prevention suggestions to help users protect assets from loss.

This type of scam is mainly divided into two types. One is to steal Telegram accounts. Scammers induce users to enter mobile phone numbers, verification codes, and even Two- Step Verification password to steal their Telegram account, the other is to implant Trojans into the user's computer, which is also a method that has appeared more recently. This article will focus on the second method.

In some popular token airdrop activities, users’ FOMO emotions When I was getting up, I saw the Channel interface below on Telegram, and I definitely clicked Tap to verify:

After clicking Tap to verify, a fake Safeguard will open The bot appears to be undergoing verification. This verification window is extremely short, giving people a sense of urgency and forcing users to continue the operation.

Continue to click, and the result "pretends" that the verification fails, and finally allows the user to manually verify The prompt interface appears:

The scammer thoughtfully configured Step1, Step2, Step3 , at this time there is already malicious code in the user's clipboard, as long as the user does not follow these steps There will be no problem if you do it:

But if the user obediently follows these fewIf you do this step, your computer will be infected with a virus.

Give another example - the attacker pretends to be a KOL and uses a malicious robot to verify and guide the running of Powershell malicious code. Scammers create X accounts pretending to be KOLs, and then they attach Telegram links in the comments section to invite users to join an “exclusive” Telegram group to obtain investment information. For example, the Scam account appeared in the comment area of ​​@BTW0205. Many users will see "exciting news" in the comment area:

Then enter the corresponding Telegram Channel to guide the user to verify.

When the user clicks Verify, a fake Safeguard appears, similar to the above process , Step1, Step2, and Step3 appear to guide the verification operation.

At this time, the user's clipboard has been secretly implanted with malicious code content . If the user actually opens the run box according to the guide, and pastes the malicious code content into the run box with Ctrl + V, the status at this time will be as shown below. Not all the content can be seen in the run box, and there is a large blank space in front of it. Telegram wording and malicious code.

These malicious codes are usually Powershell instructions, which will silently download updates after execution. Complex malicious code eventually infects computers with remote control Trojans (such as Remcos). Once a computer is controlled by a Trojan, hackers can remotely steal sensitive information such as wallet files, mnemonic words, private keys, passwords, etc. in the computer, and even commit asset theft. (PS. Regarding the "fake Safeguard" Trojan behavior, you can refer to the analysis of white hat Jose in the slow fog area for guidance: https://jose.wang/2025/01/17/%E4%BC%AASafeguard%E7%97%85 %E6%AF%92%E5%88%86%E6%9E%90/)

The comment area of ​​the Ethereum Foundation account @ethereumfndn has also been contaminated by this scam, which presents a huge Scope net harvesting mode.

The latest comments such as Trump's X comment section are also polluted by this scam:

p>

If you open it on your mobile phone, the scam will get your Telegram permissions step by step. If discovered in time, you need to go to Privacy and Security -> Active sessions -> Terminate all in Telegram settings as soon as possible. other sessions, and then add or modify Two-Step Verification.

If you are not a Windows computer, but a Mac computer, there is a similar method To induce virus in your computer. The routine is similar. When the following picture appears in Telegram, your clipboard has been secretly implanted with malicious code content.

There is no risk at this time, but if you follow the steps given , the following consequences will occur:

We select several hacker addresses and use the on-chain tracking and anti-money laundering platform MistTrack for analysis.

Solana hacker address:

HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV

2v1DUcjyNBerUcYcmjrDZNpxfFuQ2Nj28kZ9mea3T36W

D8TnJAXML7gEzUdGhY5T7aNfQQXxfr8k5huC6s11ea5R

According to MistTrack's analysis, the above three hacker addresses have currently made a total profit of more than 1.2 million US dollars, including SOL and multiple SPL Tokens.

Hackers will first exchange most of the SPL Tokens into SOL:

Then transfer SOL to multiple addresses, and the hacker address also exists with Binance, Huobi, and FixedFloat platforms Interaction:

In addition, the current address HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV still has a balance of 1,169.73 SOL and Token worth more than 10,000 US dollars.

Let’s analyze one of the Ethereum hacker addresses 0x21b681c98ebc32a9c6696003fc4050f63bc8b2c6. The first transaction time of this address is In January 2025, multiple chains were involved, and the current balance is approximately US$130,000.

This address transfers ETH to multiple platforms such as: ChangeNOW, eXch, Cryptomus. com:

If your computer is infected, you need to do this immediately:

1. The wallet and funds used on this computer are all transferred in time. Don’t think that it will be fine if the extended wallet has a password;

2. The passwords saved by each browser or the logged-in accounts, passwords or 2FA should be modified as much as possible;

3. On the computer Other accounts, such as Telegram, etc., can be changed.

Just make the most extreme assumption. Anyway, if your computer is infected, your computer will be transparent to scammers. So thinking backwards, what would you do if you were a scammer and took complete control of a computer active in the Web3/Crypto world. Finally, after backing up important computer data, you can reinstall it, but after reinstalling it is best to install internationally renowned anti-virus software, such as AVG, Bitdefender, Kaspersky, etc. Under full anti-virus, the problem will not be big after the processing is completed.

The fake Safeguard scam has developed into a mature hacker attack model. From counterfeiting comments to diverting traffic, to implanting Trojan viruses, to stealing assets, the entire process is concealed. And efficient. As attack methods become increasingly sophisticated, users need to be more vigilant about various inductive links and operating procedures on the Internet. Only by increasing vigilance, strengthening protection, and promptly discovering and dealing with potential threats can we effectively prevent such scams.