Microsoft IDs Excel, Telegram Threat Targeting Crypto Startups

The hacker allegedly made use of Telegram and Excel to infect systems that it accessed remotely


Nefarious actors have been increasingly turning to Telegram, according to Microsoft — as well as one of the tech giant’s own products — in attempts to infiltrate crypto companies.

The tech giant categorized the pervasiveness of such hacks, typically driven by malware, as a barrier to widespread adoption of cryptocurrencies. More concerning, still, in Microsoft’s estimation: Hackers are becoming quite adept at their brands of trickery.

“We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” Microsoft wrote in a blog Tuesday.

Microsoft detailed its own investigation of a would-be bad actor, “DEV-0139,” which the company said infiltrated Telegram chats between unidentified crypto exchanges and their “VIP” clients, as well as the company’s other counterparties. The company said the hacker, or hacking collective, employed Excel files in bids to acquire valuable and private information.

While pretending to represent a separate crypto company — with apparently passable knowledge of the operations and communications of both firms — DEV-0139 invited the target to a different chat, Microsoft said, where it attempted to solicit feedback on the fee structure used by the crypto exchanges.

Upon gaining the trust of the target, the malicious actor sent an Excel file called “OKX Binance & Huobi VIP fee comparison.xls” in an alleged bid to project credibility.

Opening the Excel file itself triggered a series of mishaps. A set of automatic actions contained in the file was used to obtain the user’s data, executed in invisible mode. This malicious “backdoor” allowed the bad actor to remotely access the infected system.

Microsoft also found another older file using the same technique, suggesting the incident wasn’t isolated — and that the actor may be executing similar campaigns with other targets. 

It isn’t unusual for crypto scammers to use bots on Telegram to hoodwink users and lead them to malicious links. A 2021 report by digital threat detection firm Q6 Cyber found that bot services, which can be purchased for around $300, can also be used to target investors.

2022 has already gone down as a year full of high-profile thefts in the sector, including $600 million from FTX, $182 million from Beanstalk and $325 million from Wormhole. Interest in self-custody of assets has accordingly increased dramatically — boosted even more by user concerns about keeping crypto assets on centralized exchanges in light of FTX’s implosion.

