Microsoft IDs Excel, Telegram Threat Targeting Crypto Startups

The hacker allegedly made use of Telegram and Excel to infect systems that it accessed remotely

article-image

Source: Shutterstock

share

Nefarious actors have been increasingly turning to Telegram, according to Microsoft — as well as one of the tech gian’s own products — in attempts to infiltrate crypto companies.

The tech giant categorized the pervasiveness of such hacks, typically driven by malware, as a barrier to widespread adoption of cryptocurrencies. More concerning, still, in Microsoft’s estimation: Hackers are becoming quite adept at their brands of trickery.

“We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” Microsoft wrote in a blog Tuesday.

Microsoft detailed its own investigation of a would-be bad actor, “DEV-0139,” which the company said infiltrated Telegram chats between an unidentified crypto exchanges and their “VIP” clients, as well as the company’s other counterparties. The company said the hacker, or hacking collective, employed Excel files in bids to acquire valuable and private information. 

While pretending to represent a separate crypto company — with apparently passable knowledge of the operations and communications of both firms — Microsoft said they invited the target to a different chat, where DEV-0139 attempted solicited feedback on the fee structure used by the crypto exchanges.

Upon gaining the trust of the target, the malicious actor sent an Excel file called “OKX Binance & Huobi VIP fee comparison.xls” in an alleged bid to project credibility.

Opening the Excel file itself triggered a series of mishaps. A set of automatic actions contained in the file were used to obtain the user’s data, executed in invisible mode. This malicious “backdoor” allowed the bad actor to remotely access the infected system. 

Microsoft also found another older file using the same technique, suggesting the incident wasn’t isolated — and that the actor may be executing similar campaigns with other targets. 

It isn’t unusual for crypto scammers to use bots on Telegram to hoodwink users and lead them to malicious links. A 2021 report by digital threat detection firm Q6 Cyber found that bot services, which can be purchased for around $300, can also be used to target investors.

2022 has already gone down as a year full of high-profile thefts in the sector, including $600 million from FTX, $182 million from Beanstalk and $325 million from Wormhole. Interest in self-custody of assets has accordingly increased dramatically — boosted even more by user concerns of keeping crypto assets on centralized exchanges in light of FTX’s implosion.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Research Report Templates (2).png

Research

We’re bullish on the PUMP token. We believe Pump.fun's brand strength, existing integrations, product roadmap, and strategic levers justify PUMP's TGE valuation, and expect the token to re-rate meaningfully higher in the months ahead.

article-image

Big blockers wasted a bitcoin fortune trying to prove a point

article-image

Coinbase’s newest acquisition includes the CEO and Head of Research from Opyn

article-image

Crypto’s highest purpose might be to make markets better by making them bigger

article-image

The non-profit’s “Project Open” seeks to let stocks trade directly on Solana

article-image

The acquisition is Pump.fun’s first, and comes just days before its planned ICO

article-image

As Trump’s tariff war reignites, everyone is assuming the dollar will continue its path lower. But the journey might be bumpy