Despite falling prices, cryptocurrency remains a high value prize for cybercriminals. Threat actors are also targeting end users on communication channels they know are opaque to security teams, like Telegram and WhatsApp. Threat actors are leveraging the low-cost, high-return TTPs they’ve been using for email for these other channels. Recently, our Division Seven threat intelligence team was able to perform a lookback analysis in Telegram for a cryptocurrency investment firm. We were able to isolate an incidence of impersonation, in which a threat actor sought to deliver a malicious Excel file to employees, posing as another employee of the firm.

SafeGuard Cyber has several large cryptocurrency investment firms as customers. One such customer deploys our platform for content capture and archiving for Telegram, on behalf of its traders, to satisfy SEC recordkeeping requirements. However, in early December 2022, Microsoft published research on a threat actor the company tracks as DEV-0139. In its report, Microsoft noted the threat actor “joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms.” DEV-0139 sends a weaponized Excel file with the name OKX Binance & Huobi VIP fee comparision.xls armed with malicious macros. 

Event Analysis 

Our customer wanted to understand if its traders had been targeted by this threat actor. Using SafeGuard Cyber’s lookback capabilities and detection engine, the D7 team was able to locate and confirm an instance when traders were targeted with this malicious file in July 2022. Moreover, in this timeframe, we detected that the threat actor adopted the tactic of impersonating a known employee from our customer organization to deliver the payload.

We detected this impersonation because we track communications against “authors,” as defined by user metadata. The threat actor attempted the impersonation through use of the legitimate user’s initials. The impersonation, however, was detected because they’re recorded and flagged as a different unique author. The D7 team believes that DEV-0139’s use of detailed trust building, as reported by Microsoft, was likely an adaptation to less successful, albeit easier, impersonation tactics. 


The result of this analysis is a compliance customer has enabled deeper security detections for monitored Telegram users. This move is part of a larger trend we have observed over the course of 2022, a greater convergence of security and compliance functions in financial services to address overall business communication risks.

Threat-Report-Telegram-Impersonation-TNDownload Report

Telegram Impersonation Targets Cryptocurrency Employees with Malware


To learn more on how we can automate cybersecurity for your team’s digital communications, please get in touch with us.

If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.

Explore Security Product