Microsoft IDs Excel, Telegram Threat Targeting Crypto Startups
The hacker allegedly made use of Telegram and Excel to infect systems that it accessed remotely
Source: Shutterstock
Nefarious actors have been increasingly turning to Telegram, according to Microsoft — as well as one of the tech gian’s own products — in attempts to infiltrate crypto companies.
The tech giant categorized the pervasiveness of such hacks, typically driven by malware, as a barrier to widespread adoption of cryptocurrencies. More concerning, still, in Microsoft’s estimation: Hackers are becoming quite adept at their brands of trickery.
“We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” Microsoft wrote in a blog Tuesday.
Microsoft detailed its own investigation of a would-be bad actor, “DEV-0139,” which the company said infiltrated Telegram chats between an unidentified crypto exchanges and their “VIP” clients, as well as the company’s other counterparties. The company said the hacker, or hacking collective, employed Excel files in bids to acquire valuable and private information.
While pretending to represent a separate crypto company — with apparently passable knowledge of the operations and communications of both firms — Microsoft said they invited the target to a different chat, where DEV-0139 attempted solicited feedback on the fee structure used by the crypto exchanges.
Upon gaining the trust of the target, the malicious actor sent an Excel file called “OKX Binance & Huobi VIP fee comparison.xls” in an alleged bid to project credibility.
Opening the Excel file itself triggered a series of mishaps. A set of automatic actions contained in the file were used to obtain the user’s data, executed in invisible mode. This malicious “backdoor” allowed the bad actor to remotely access the infected system.
Microsoft also found another older file using the same technique, suggesting the incident wasn’t isolated — and that the actor may be executing similar campaigns with other targets.
It isn’t unusual for crypto scammers to use bots on Telegram to hoodwink users and lead them to malicious links. A 2021 report by digital threat detection firm Q6 Cyber found that bot services, which can be purchased for around $300, can also be used to target investors.
2022 has already gone down as a year full of high-profile thefts in the sector, including $600 million from FTX, $182 million from Beanstalk and $325 million from Wormhole. Interest in self-custody of assets has accordingly increased dramatically — boosted even more by user concerns of keeping crypto assets on centralized exchanges in light of FTX’s implosion.
Get the news in your inbox. Explore Blockworks newsletters:
- Blockworks Daily: The newsletter that helps thousands of investors understand crypto and the markets, by Byron Gilliam.
- Empire: Start your morning with the top news and analysis to inform your day in crypto.
- Forward Guidance: Reporting and analysis on the growing intersection of crypto and macroeconomics, policy and finance.
- 0xResearch: Alpha directly in your inbox. Market highlights, data, degen trade ideas, governance updates, token performance and more.
- Lightspeed: Built for Solana investors, developers and community members. The latest from one of crypto’s hottest networks.
- The Drop: For crypto collectors and traders, covering apps, games, memes and more.
- Supply Shock: Tracking Bitcoin’s rise from internet plaything worth less than a penny to global phenomenon disrupting money as we know it.
