
Hackers target cryptocurrency customers by impersonating a prominent employee

  • January 9, 2023

Researchers at SafeGuard Inc.’s threat analysis group Seven today detailed how customers of a crypto firm they work with were targeted by an attacker using a strange social engineering attack in which the hackers impersonated a prominent employee. The investigation was launched after Microsoft Security reported in December on targeted attacks against the cryptocurrency industry. A threat actor tracked as DEV-0139 joined Telegram groups to target cryptocurrency investment companies, Microsoft researchers said.

DEV-0139 was found to use Telegram groups, which facilitate conversations between VIP customers and cryptocurrency exchanges, to identify potential targets among their members. According to Microsoft’s report, the threat actor masqueraded as a representative of another cryptocurrency investment firm, invited targets to another chat group and pretended to seek feedback on a free framework used by cryptocurrency exchanges. The information obtained was then used to send a malicious Excel file containing tables of fee structures between cryptocurrency exchange companies.

What the Chapter Seven researchers found was a little more relevant: a threat actor impersonated a trusted person to execute a social engineering attack more effectively.

Using SafeGuard Cyber’s retrospective capabilities and detection engine, researchers discovered and confirmed a case in which traders were targeted for payload delivery by an attacker impersonating a known employee of the company.

In the example, an attacker attempted to impersonate another person by using the initials of a legitimate user. However, the impersonation was detected, and the account was registered and marked as a separate, unique author. The researchers believe that DEV-0139’s use of verbose trust-building is an adaptation of an easier, though less successful, impersonation attack.

“The result of this analysis is that the compliance client provides deeper security detection for monitored Telegram users,” the study concluded. “This move is part of a larger trend we’re seeing in 2022 – a greater convergence of financial services security and compliance to address common business communications risks.”

Source: Port Altele
