Microsoft IDs Excel, Telegram Threat Targeting Crypto Startups

The hacker allegedly made use of Telegram and Excel to infect systems that it accessed remotely


Source: Shutterstock


Nefarious actors have been increasingly turning to Telegram, according to Microsoft — as well as one of the tech gian’s own products — in attempts to infiltrate crypto companies.

The tech giant categorized the pervasiveness of such hacks, typically driven by malware, as a barrier to widespread adoption of cryptocurrencies. More concerning, still, in Microsoft’s estimation: Hackers are becoming quite adept at their brands of trickery.

“We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” Microsoft wrote in a blog Tuesday.

Microsoft detailed its own investigation of a would-be bad actor, “DEV-0139,” which the company said infiltrated Telegram chats between an unidentified crypto exchanges and their “VIP” clients, as well as the company’s other counterparties. The company said the hacker, or hacking collective, employed Excel files in bids to acquire valuable and private information. 

While pretending to represent a separate crypto company — with apparently passable knowledge of the operations and communications of both firms — Microsoft said they invited the target to a different chat, where DEV-0139 attempted solicited feedback on the fee structure used by the crypto exchanges.

Upon gaining the trust of the target, the malicious actor sent an Excel file called “OKX Binance & Huobi VIP fee comparison.xls” in an alleged bid to project credibility.

Opening the Excel file itself triggered a series of mishaps. A set of automatic actions contained in the file were used to obtain the user’s data, executed in invisible mode. This malicious “backdoor” allowed the bad actor to remotely access the infected system. 

Microsoft also found another older file using the same technique, suggesting the incident wasn’t isolated — and that the actor may be executing similar campaigns with other targets. 

It isn’t unusual for crypto scammers to use bots on Telegram to hoodwink users and lead them to malicious links. A 2021 report by digital threat detection firm Q6 Cyber found that bot services, which can be purchased for around $300, can also be used to target investors.

2022 has already gone down as a year full of high-profile thefts in the sector, including $600 million from FTX, $182 million from Beanstalk and $325 million from Wormhole. Interest in self-custody of assets has accordingly increased dramatically — boosted even more by user concerns of keeping crypto assets on centralized exchanges in light of FTX’s implosion.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Unlocked by Template.png


With the spot ETH ETF approval, the institutions are coming. stETH - given its dominance in marketshare, existing liquid market structures, and highly desirable properties - is poised for institutions.


Plus, Solana set a record for weekly unique active addresses on the network last week


Launching cryptocurrencies the old fashioned way may soon make a return


Kraken and CertiK brought their beef to social media after Kraken said researchers exploited $3 million through a bug


NVIDIA’s historic run is only deepening the divide between mega-cap tech stocks and the rest of the market.


EIP-7702 was quickly adopted for the next Ethereum upgrade, but developers haven’t quite locked it down