Microsoft IDs Excel, Telegram Threat Targeting Crypto Startups

The hacker allegedly made use of Telegram and Excel to infect systems that it accessed remotely

article-image

Source: Shutterstock

share

Nefarious actors have been increasingly turning to Telegram, according to Microsoft — as well as one of the tech gian’s own products — in attempts to infiltrate crypto companies.

The tech giant categorized the pervasiveness of such hacks, typically driven by malware, as a barrier to widespread adoption of cryptocurrencies. More concerning, still, in Microsoft’s estimation: Hackers are becoming quite adept at their brands of trickery.

“We are also seeing more complex attacks wherein the threat actor shows great knowledge and preparation, taking steps to gain their target’s trust before deploying payloads,” Microsoft wrote in a blog Tuesday.

Microsoft detailed its own investigation of a would-be bad actor, “DEV-0139,” which the company said infiltrated Telegram chats between an unidentified crypto exchanges and their “VIP” clients, as well as the company’s other counterparties. The company said the hacker, or hacking collective, employed Excel files in bids to acquire valuable and private information. 

While pretending to represent a separate crypto company — with apparently passable knowledge of the operations and communications of both firms — Microsoft said they invited the target to a different chat, where DEV-0139 attempted solicited feedback on the fee structure used by the crypto exchanges.

Upon gaining the trust of the target, the malicious actor sent an Excel file called “OKX Binance & Huobi VIP fee comparison.xls” in an alleged bid to project credibility.

Opening the Excel file itself triggered a series of mishaps. A set of automatic actions contained in the file were used to obtain the user’s data, executed in invisible mode. This malicious “backdoor” allowed the bad actor to remotely access the infected system. 

Microsoft also found another older file using the same technique, suggesting the incident wasn’t isolated — and that the actor may be executing similar campaigns with other targets. 

It isn’t unusual for crypto scammers to use bots on Telegram to hoodwink users and lead them to malicious links. A 2021 report by digital threat detection firm Q6 Cyber found that bot services, which can be purchased for around $300, can also be used to target investors.

2022 has already gone down as a year full of high-profile thefts in the sector, including $600 million from FTX, $182 million from Beanstalk and $325 million from Wormhole. Interest in self-custody of assets has accordingly increased dramatically — boosted even more by user concerns of keeping crypto assets on centralized exchanges in light of FTX’s implosion.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Research

article-image

For just $54, you, too, could send a memecoin 500% higher

article-image

Memecoins, tech, and inflation have dominated the first half of the year

article-image

As the Trump administration continues to test Fed independence, markets are beginning to react

article-image

An Aave interest rate shock prompted over 475,000 validators to exit and pushed stETH into a prolonged depeg

article-image

While Roman Storm’s team is set to present its case, it’s not yet clear if the Tornado Cash founder will testify

article-image

A wireless network inspired by lost drones is now helping telco carriers reach your phone indoors