Attacker Targets Wealthy Crypto Funds Using Telegram Chats
Exchange owners cautioned against downloads of malicious files as attackers zeroed in on gullible users with a very relevant and specific narrative.
In the latest type of crypto-focused attacks, an attacker known as DEV-0139 has targeted wealthy cryptocurrency funds through the use of Telegram group chats, Microsoft's (MSFT) Security Intelligence team said in a report on Wednesday.
Fees levied by crypto exchanges on transactions are a big challenge for investment funds and wealthy traders. They represent a cost and must be optimized to minimize the impact on margins and profits. As is the case with many other companies in this industry, the largest costs come from fees charged by exchanges.
The attacker or group of attackers capitalized on this specific problem to lure their crypto-fund targets.
DEV-0139 joined several Telegram groups, used by high-profile clients and exchanges for communication, and identified their target from among the group members. OKX, Huobi and Binance exchanges were targeted, data from the Microsoft report shows.
Posing as an exchange employee, DEV-0139 invited the target to a different chat group and pretended to ask for feedback on the fee structures used by exchanges. They then initiated a conversation to gain the target’s trust – using their knowledge of the industry and preparedness to lure victims gradually.
DEV-0139 then sent a weaponized Excel file containing accurate data on fee structures among cryptocurrency-exchange companies with the goal of increasing his or her credibility.
The Excel file initiated a series of activities, including using a malicious program to retrieve data and drop another Excel sheet. This sheet was then executed in invisible mode and used to download a picture file containing three executables: a legitimate Windows file, a malicious version of a DLL file and an XOR-encoded back door.
A DLL is a library that contains code and data that can be used by more than one program at the same time. XOR, on the other hand, is an encryption method used to encrypt data and is hard to crack by the brute-force method.
The threat actor was then able to remotely access the infected system through the use of the back door.
Microsoft said DEV-0139 may have also run other campaigns using similar techniques.
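A defender-side triage check for the picture file carrying executables described above, added here as an example and not taken from the article or from Microsoft's report: it walks a PNG's chunks to measure data left after the IEND chunk and scans the file for Windows PE headers. It assumes the embedded executables sit unencoded in the file; the function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data):
    """Return the offset just past the IEND chunk, or None if data is not a well-formed PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # length + type + payload + CRC
        if end > len(data):
            return None                  # truncated chunk
        pos = end
        if ctype == b"IEND":
            return pos
    return None

def find_pe_headers(data):
    """Return offsets where an MZ header points at a valid 'PE\\0\\0' signature."""
    hits, start = [], 0
    while (i := data.find(b"MZ", start)) != -1:
        start = i + 1
        if i + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
            if data[i + e_lfanew:i + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(i)
    return hits

def triage_image(data):
    """Summarise why an image file deserves a closer look."""
    end = png_end_offset(data)
    return {
        "is_png": end is not None,
        "trailing_bytes": len(data) - end if end is not None else 0,
        "pe_offsets": find_pe_headers(data),
    }

def _chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

# Constructed samples: a minimal 1x1 PNG, and the same PNG with a stub PE header appended.
CLEAN_PNG = (PNG_MAGIC + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
STUB_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
SUSPECT_PNG = CLEAN_PNG + STUB_PE
```

An XOR-encoded payload will not match the PE signature scan, but if it is appended after IEND it still shows up in the `trailing_bytes` count.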