
Attacker Targets Wealthy Crypto Funds Using Telegram Chats

Exchange owners were cautioned against downloading malicious files as attackers zeroed in on gullible users with a very relevant and specific narrative.

Updated May 9, 2023, 4:04 a.m. Published Dec 7, 2022, 1:07 p.m.

In the latest type of crypto-focused attacks, an attacker known as DEV-0139 has targeted wealthy cryptocurrency funds through the use of Telegram group chats, Microsoft's (MSFT) Security Intelligence team said in a report on Wednesday.

Fees levied by crypto exchanges on transactions are a big challenge for investment funds and wealthy traders. They represent a cost and must be optimized to minimize the impact on margins and profits. As is the case with many other companies in this industry, the largest costs come from fees charged by exchanges.


The attacker or group of attackers capitalized on this specific problem to lure their crypto-fund targets.

DEV-0139 joined several Telegram groups, used by high-profile clients and exchanges for communication, and identified their target from among the group members. OKX, Huobi and Binance exchanges were targeted, data from the Microsoft report shows.

Posing as an exchange employee, DEV-0139 invited the target to a different chat group and pretended to ask for feedback on the fee structures used by exchanges. They then initiated a conversation to gain the target’s trust – using their knowledge of the industry and preparedness to lure victims gradually.

DEV-0139 then sent a weaponized Excel file containing accurate data on fee structures among cryptocurrency-exchange companies with the goal of increasing his or her credibility.

The Excel file initiated a series of activities, including using a malicious program to retrieve data and drop another Excel sheet. This sheet was then executed in invisible mode and used to download a picture file containing three executables: a legitimate Windows file, a malicious version of a DLL file and an XOR-encoded back door.

A DLL is a library that contains code and data that can be used by more than one program at the same time. XOR, on the other hand, is an encryption method used to encrypt data and is hard to crack by the brute-force method.

The threat actor was then able to remotely access the infected system through the use of the back door.

Microsoft said DEV-0139 may have also run other campaigns using similar techniques.
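For defenders triaging a picture file like the one described above, the following sketch scans a file for embedded Windows executables, both plain and XOR-encoded. It is an added example, not code from the article or from Microsoft's report; the function names are hypothetical, the sample bytes are constructed, and it assumes a single-byte XOR key (the article does not state the key length).

```python
"""Triage scan: find PE executables hidden in another file, plain or single-byte XOR-encoded."""

DOS_STUB = b"This program cannot be run in DOS mode"  # text present in most PE files
MZ = b"MZ"                                            # PE/DOS header magic
MAX_STUB_DISTANCE = 0x200  # the stub text normally sits shortly after the MZ magic


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_embedded_pe(blob: bytes):
    """Return sorted (offset, key) pairs; key 0 means the executable is stored unencoded."""
    hits = []
    for key in range(256):
        stub = xor_bytes(DOS_STUB, key)
        magic = xor_bytes(MZ, key)
        pos = blob.find(stub)
        while pos != -1:
            # Walk back to the nearest (encoded) "MZ" that precedes the stub text.
            start = blob.rfind(magic, max(0, pos - MAX_STUB_DISTANCE), pos)
            if start != -1:
                hits.append((start, key))
            pos = blob.find(stub, pos + 1)
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed sample: stand-in picture bytes, then one plain and one XOR-encoded PE stub."""
    fake_pe = MZ + b"\x90" * 76 + DOS_STUB + b".\r\r\n$" + b"\x00" * 32
    image = b"\x89PNG\r\n\x1a\n" + b"\x11" * 64  # placeholder data, not a valid image
    return image + fake_pe + xor_bytes(fake_pe, 0x5A)


if __name__ == "__main__":
    for offset, key in find_embedded_pe(build_sample()):
        label = "plain" if key == 0 else f"XOR key 0x{key:02x}"
        print(f"PE header at offset {offset} ({label})")
```

A hit inside a file that claims to be an image is a strong signal for quarantine and further analysis; payloads encoded with longer keys will not be found by this check.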
