
Telekopye Malicious Telegram Bot Used by Threat Actors to Scam Victims

A fresh wave of financially motivated cyberattacks has recently been detected, notable for the criminals' use of a malicious Telegram bot to run their scams. The group behind the operation has been code-named 'Neanderthals' and its targeted victims 'Mammoths'. The Neanderthals' toolkit of choice is aptly named 'Telekopye', a fusion of 'Telegram' and the Russian word 'kopye', meaning 'spear'.

Essentially, the purpose-built Telegram bot lets the scammers generate and deploy phishing web pages rapidly. It offers a user-friendly interface of clickable buttons, so multiple scammers can operate at the same time. ESET researcher Radek Jizba shared these findings in a detailed report provided to The Hacker News.

Although the precise origins of the Neanderthals have not been conclusively determined, the available evidence points towards Russia. The toolkit shows signs of Russian influence, particularly in its SMS templates and in the choice of targeted online marketplaces, which are chiefly popular within that country.

Telekopye dates back to 2015. The various versions detected so far show that the toolkit has been carefully maintained and consistently used over the years. The attack follows a predictable pattern: the Neanderthals first build trust with a Mammoth and then send a fraudulent link created with the Telekopye toolkit. The victim is then persuaded to enter payment card details into a fake credit/debit card gateway. The fraudsters siphon funds from the victim and launder them through cryptocurrencies.

Telekopye also offers a wide array of features, including generating web pages, sending phishing emails, creating QR codes, and producing realistic-looking images of checks and receipts. To avoid suspicion, the final URL of each phishing domain is constructed to appear genuine. Notably, the stolen funds are channelled into an account controlled by the Telekopye administrator, giving the administrator close oversight of each Neanderthal's activity.

The settlement process is centralized. A Neanderthal submits a payout request through the toolkit; once the Telekopye administrator approves it, the funds are transferred, minus a commission taken by the platform owner and the referrer. Some Telekopye deployments trigger payouts automatically once a Neanderthal reaches a predetermined threshold of successfully scammed funds.

This operation highlights the growing sophistication of cybercriminals, who are adopting corporate-style hierarchies and roles. You can avoid becoming a Mammoth by staying alert to the language used in suspicious communications and by insisting on verifiable transactions, preferably in person where feasible.

Remember, today's cybersecurity landscape is constantly evolving, and you must stay up to date to protect yourself effectively. Darksteel Technologies is an Orlando-based business that can handle all aspects of your IT security, providing compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design, and any other information security requirement your business has. We focus on your cybersecurity so you don't have to.
