More and more people nowadays prefer to buy goods online. And why not? It’s convenient, goods will be delivered to your doorstep, and if you choose one of many online marketplaces, it’s even possible to save some money. Sadly, scammers abuse this, targeting these services and their customers for the scammer’s benefit. They can create a listing for goods they don’t own or don’t intend to sell. Once the victim pays, they seemingly disappear into the ether.

Recently we found the source code of a toolkit that helps scammers so much in their endeavors that they don’t need to be particularly well-versed in IT, but only need a silver tongue to persuade their victims. This toolkit is implemented as a Telegram bot that, when activated, provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers at once. In this blogpost we will focus on toolkit analysis and features, and on the structure of the group(s) that use itWe have named this toolkit Telekopye.

This blog post is the first of a two-part series where we take a closer look at Telekopye and show some of the key features that are very helpful to scammers. In the second part, we will focus more on group operations.

Key points of this blogpost

• Telekopye is a toolkit that operates as a Telegram bot and helps scammers scam their victims.
• Telekopye is designed to target online marketplaces; mainly (but not exclusively) those popular in Russia.
• Telekopye creates phishing web pages from predefined templates, and generates and sends phishing emails and SMS messages.
• Users and operators of Telekopye are organized in a clear hierarchy.

Overview

We devised the name Telekopye as a portmanteau of Telegram and kopye (копье), the Russian word for spear, due to the use of highly targeted (aka spear-) phishing. Victims of this scam operation are called Mammoths by the scammers (see Figure 1) and several leads point to Russia as the country of origin of the toolkit’s authors and users. For the sake of clarity, and following the same logic, we will refer to the scammers using Telekopye as Neanderthals.

Telekopye was uploaded to VirusTotal multiple times, primarily from Russia, Ukraine, and Uzbekistan, from where Neanderthals usually operate based on the language used in comments in the code (we have added machine translations to English in brackets in various images in this blogpost) and the majority of targeted markets. Even though the main targets of Neanderthals are online markets popular in Russia, like OLX and YULA, we observed that their targets are also online markets that are not native to Russia, like BlaBlaCar or eBay, and even others that have nothing in common with Russia, like JOFOGAS and Sbazar. Just to illustrate how big some of these marketplaces are, the OLX platform had, according to Fortune, 11 billion page views and 8.5 million transactions per month in 2014.

We were able to collect several versions of Telekopye, suggesting continuous development. All of these versions are used to create phishing web pages, and send phishing email and SMS messages. In addition, some versions of Telekopye can store victim data (usually card details or email addresses) on disk where the bot is run. Telekopye is very versatile but does not contain any chatbot AI functionality. Hence, it doesn’t actually perform the scams; it only eases the generation of content used in such scams. In July 2023, we detected new domains that fit the modus operandi of Telekopye operators, so they are still active. The latest version of Telekopye we have been able to gather was from April 11th, 2022. We assess that Telekopye has been in use since at least 2015 and, based on snippets of conversation between Neanderthals, that different scammer groups are using it.

Telekopye scam scenario

Thanks to human nature, scamming in online marketplaces seems to be very easy. It usually comes down to several key parts of the scam, as seen in Figure 2, that Neanderthals follow. First, Neanderthals find their victims (Mammoths). Then they try to earn their trust and persuade them that they are legitimate (why this is needed we will discuss in part 2). When Neanderthals think that a Mammoth sufficiently trusts them, they use Telekopye to create a phishing web page from a premade template and send the URL to the Mammoth (the URL can also be sent via SMS or email). After the mammoth submits card details via this page, the Neanderthals use these card details to steal money from the Mammoth’s credit/debit card, while hiding the money using several different techniques such as laundering it through cryptocurrency. Based on several conversation snippets, we assess that some crypto mixers are involved. There is a missing link between when money is scammed from the Mammoth and the payout to the Neanderthals, which is usually in cryptocurrency.

Telekopye functionality

Telekopye has several different functionalities that Neanderthals can use to their full extent. These functionalities include sending phishing emails, generating phishing web pages, sending SMS messages, creating QR codes, and creating phishing screenshots. In the following sections, we will focus on the most useful parts of Telekopye for the average Neanderthal.

Interface

Every Telegram group using Telekopye consists of one or more Neanderthals that operate simultaneously and independently. Functionality is offered through buttons, likely to make scamming easier for Neanderthals.

Figure 3 shows one of the menus of Telekopye in a working Telegram group. Particularly noteworthy are the buttons “My ads”, showing all opened listings (ongoing scam advertisements) each Neanderthal has, and “My profile”, allowing Neanderthals to see their profile information on this platform, such as the number of scams pulled off, amount of money ready for next payout, etc.

Phishing page generation

The core feature of Telekopye is that it creates phishing web pages from predefined HTML templates on demand. A Neanderthal needs to specify the amount of money, product name and, based on the template, additional information like location to which the product will be sent, picture, weight, and buyer’s name. Then Telekopye takes all this information and creates a phishing web page. These phishing web pages are designed to mimic different payment/bank login sites, credit/debit card payment gateways, or simply payment pages of different websites.

To make the phishing website creation process easier, these website templates are organized by countries they target. Figure 4 shows a simple creation menu where some templates are sorted according to different countries. The only outlier is BlaBlaCar for country-independent car-sharing services.

Figure 5 shows one such phishing web page, likely not fully perfected yet.

The finished product is seen in Figure 6, an eBay web page look-alike that is almost unrecognizable from the original (or at least looks like something one would expect from the legitimate website).  By clicking the Receive %amount2% EUR button, a Mammoth is shown a fake credit/debit card gateway.

These phishing domains are not easy to spot. Usually, Neanderthals register a domain and then create subdomains for each targeted marketplace in such a way that the final URL starts with the expected brand name. In Table 1 notice that only one domain – olx.id7423[.]ru – is used to target the popular marketplace OLX. An example of a legitimate domain for the OLX marketplace is olx.ua. In short, they usually use .ru as their top-level domains and move second-level domains to the third-level domain’s place.

Table 1. Examples of several domains used for phishing

Service name (RU)	Service name	Phishing domain	Legitimate domain
Авито	Avito	avito.id7423[.]ru	avito.ru
Юла	Youla	youla.id7423[.]ru	youla.ru
Боксберри	Boxberry	boxberry.id7423[.]ru	boxberry.ru
Сдек	Cdek	cdek.id7423[.]ru	cdek.ru
Авито Аренда	Avito-rent	avito-rent.id7423[.]ru	avito.ru
OLX KZ	OLX	olx.id7423[.]ru	olx.kz
Куфар	Kufar	kufar.id7423[.]ru	kufar.by
OLX UZ	OLX UZ	olx.id7423[.]ru	olx.uz
OLX RO	OLX RO	olx.id7423[.]ru	olx.ro
OLX PL	OLX PL	olx.id7423[.]ru	olx.pl
OLX UA	OLX UA	olx.id7423[.]ru	olx.ua
СБАЗАР	Sbazar	sbazar.id7423[.]ru	sbazar.cz
IZI ua	IZI ua	izi.id7423[.]ru	izi.ru
OLX BG	OLX BG	olx.id7423[.]ru	olx.bg

Transactions and payout

Neanderthals do not transfer money stolen from Mammoths to their own accounts. Instead, all the Neanderthals use a shared Telekopye account controlled by the Telekopye administrator. Telekopye keeps track of how successful each Neanderthal is by logging associated contributions to that shared account – either in a simple text file or a SQL database.

As a consequence, Neanderthals get paid by the Telekopye administrator. Payment is split into three parts:

1.    Commission to the Telekopye administrator.

2.    Commission to recommender (recommendation system is discussed later in the blog post).

3.    Actual payout.

The commission to the Telekopye administrator is 5–40%, depending on the Telekopye version and Neanderthal role (roles are also discussed later in the blog post).

Once a Neanderthal becomes eligible for a payout, he asks Telekopye for one. Telekopye checks the Neanderthal’s balance, final request is approved by the Telekopye administrator and, finally, funds are transferred to the Neanderthal’s cryptocurrency wallet. In some Telekopye implementations, the first step, asking for a payout, is automated and the negotiation is initiated whenever a Neanderthal reaches a certain threshold of stolen money from successfully pulled off scams (e.g., 500 RUB). The process of the manual payout request is illustrated in Figure 7 and the associated part of the Telekopye source code in Figure 8.

Telekopye keeps logs of processed payouts in a separate Telegram channel. A Neanderthal who is paid also receives a link to this channel, probably to be able to verify that the transaction is logged. Figure 9 shows an example of such a logs channel.

The Telekopye administrator does not transfer the money through Telekopye itself. Instead, the admin uses either a tool called “BTC Exchange bot”, likely an independent Telegram bot, or transfers the money manually. However, we have observed increasing integration of payout-related features into Telekopye, so this may change in the future.

Sending phishing email

Neanderthals can instruct Telekopye to create and send email messages. The sender is a predefined email account shared between all the Neanderthals. These email accounts are typically associated with the phishing domains set up by Neanderthals. Figure 10 shows the code to spoof the email headers From and Reply-To so that the email messages appear more legitimate.

Figure 11 shows one of many templates used to create phishing email bodies. No additional information has been given, so default values are shown, instead of user-defined text, for %title% and %amount%. A malicious URL is hidden behind the “Go to payment” button.

SMS support

Besides phishing emails, Telekopye allows Neanderthals to create and send SMS messages in a similar manner. Figure 12 illustrates the piece of code responsible for creating and sending such messages.

Some implementations of Telekopye even have predefined SMS texts in different languages. All SMS templates say more or less the same thing, for example, “Your item has been paid for. To receive funds, fill out the form: <malicious_link>”. Examples of several SMS templates are shown in Figure 13, where original Russian templates are shown.How this SMS looks when a Mammoth receives it can be seen in Figure 14.

Telekopye relies heavily on online services such as smscab.ru or smshub.org to send SMS messages. We have analyzed an older variant, where Telekopye used one hardcoded phone number shared among all Neanderthals. However, likely because blocking one phone number would result in blocking all Neanderthals’ messages, this feature was discontinued.

Image manipulation

In this section, we describe how simple it is for Neanderthals using Telekopye to create convincing images and screenshots. Some versions of Telekopye have a component called Render bot. Although Render bot could be classified as a standalone bot, we will handle it as part of Telekopye.

When Render bot is added to a Telegram chat, we are greeted with the initial message seen in Figure 15.

This gives us good insight into how this part of Telekopye works. We can classify the uses of Render bot into two categories. First, it can be used to mangle images so that they are not easy to cross-reference. Second, it can create fake images that are meant to look like legitimate screenshots. In this section, we will focus first on the creation of these fake screenshots, a feature similar to creating phishing websites.

Unlike fake web pages that are generated from HTML templates, the base for fake screenshots is a JPG image with some key parts removed. These parts include the supposed paid price, debit/credit card number, title, name, etc. This transformation is shown in Figure 16, where there is a side-by-side comparison of a plain template and a filled template. Because these are images, there are no interactive buttons, unlike the email and phishing web page counterparts.

 

There is a high emphasis on making the inserted text fit as well as possible, so Telekopye supports several different fonts. Just as previously, all behavior is hardcoded and no AI is used. We found nine templates for Sberbank, Avito, Youla, Qiwi, and a few other services.

From the Neanderthals’ perspective, creating these screenshots is no different from creating phishing web pages. A Neanderthal only needs to supply a few bits of information, and Telekopye creates a fake screenshot/image from them.

In Render bot folders it is also possible to see one of these templates in the process of creation. Figure 17 shows a photo of an invoice for a parcel, with numbered fields. Developers of Telekopye erase all fields with numbers next to them and try to fit their own font style and font size in them. When they are satisfied with how the final product looks, they add it to the bot for other Neanderthals to use as a new template.

Another no less important functionality of this part of Telekopye is image manipulation. From the code and its comments, it is possible to gather that it is able to change images of advertised goods so that search engines cannot cross-reference them. We assume that if the image was found on an online marketplace, AI antispam protection would flag it as malicious. This transformation is very simple and consists of a vertical flip of the image and a small change in contrast.

Experimental features

Thanks to content from Telekopye source files, we assess that the developers are trying to experiment with different types/variations of the scam. For example, in the code, we see QR code generation functionality (Figure 18). This might mean one of two things. Either it is part of the payout process or they are trying to make it a new trick for scamming. A probable reason is that Mammoths don’t think twice when paying via a QR code. So we estimate that there is going to be a small increase in scams using these kinds of tricks.

From Figure 15 it looks as if Render bot can create fake checks for Sberbank. But in reality, it can only create payment confirmations (Figure 19).

Roles

Groups of scammers using Telekopye are organized into a hierarchy with least to most privileges in order as follows:

1.    Administrators

2.    Moderators

3.    Good workers / Support bots

4.    Workers

5.    Blocked

We have observed some variants enriching this list with a few additions, but these five roles remain the basis. We focus on each role in more detail in the sections below.

Telekopye also employs a referral system. When a new Neanderthal wants to join the group, he needs to fill in an application (how much “industry” experience he has, who invited him, etc.). This application then needs to be accepted by Moderators or Administrators in order for the new Neanderthal to join.

Blocked

A user with this role is not able to use any part of the Telekopye toolkit. Rules that are part of Telekopye source code suggest this is some sort of punishment for breaking them (Figure 20).

Workers

This is the most common role that almost all new Neanderthals start with. With this role, Neanderthals are able to use every Telekopye feature, excluding moderation of the group. During payout, this role has the worst commission rates, as seen in Table 2.

Table 2. Example of payout rates

Role	Commission to owner	Commission to recommender	Actual payout
Workers	33%	2%	65%
Good workers/Support bots	23%	2%	75%

Good workers/Support bots

This role is a direct upgrade of the Worker role. The only difference is that Neanderthals with this role don’t have to give such a large percentage of their payout to the platform owner.

To get this role, Neanderthals must prove their usefulness – pull off a number of scams or achieve a certain amount of stolen funds.

Sometimes it is possible to see that this role is reserved for support bots. We are not certain what these bots are.

Moderators

Moderators can promote and demote other members and approve new members. They cannot modify Telekopye settings.

Administrators

Administrators are the highest role in the group. They can use Telekopye to its full extent. On top of moderators’ capabilities, they can modify Telekopye settings – add phishing web page templates, change/add email addresses that the bot uses, and change payout rates, payout type, etc.

How to avoid being scammed

The easiest way to tell whether you are being targeted by a Neanderthal trying to steal your money is by looking at the language used. It can be the language used in conversation, email, or on the web page itself. Sadly, this is not foolproof, and it has been observed that some of these scam attempts have ironed out grammar and vocabulary mistakes.

Insist on in-person money and goods exchange whenever possible when dealing with secondhand goods on online marketplaces. Such trades are not protected by well-known institutions or services. These scams are only possible because Neanderthals pretend they already paid online/sent an item. Sadly, sometimes in-person delivery is not possible and in that case you need to be extra careful.

Avoid sending money unless you are certain where it will go. When you need to send money somewhere, check the web page for grammatical errors and graphical disproportions. If you are lucky, a template can have some inaccuracies. Also check the website certificate and look closely at the URL, which can be made to look like a real link.

Watch out for strong-arm arguments like “I’ll send money through service XYZ. Do you know how it works?”. Ask if another payment type is possible and especially if they are willing to accept payment from a service you are familiar with. This is not foolproof because scammers have multiple templates, but you might be able to recognize a fake template more easily when you use a payment method known to you.

Be extra careful when clicking on links in SMS messages or emails, even if they look as if they come from a reputable source. Neanderthals are no strangers to email spoofing. A good rule of thumb is to ask yourself whether you bought something that would make reputable sources send you emails like that. If you are unsure, visit the supposed service’s website directly (not using the link in the email/SMS) and ask. Most of these pages have customer support and they will happily give you a hand.

Conclusion

We discovered and analyzed Telekopye, a toolkit that helps less technical people pull off online scams more easily. We estimate that Telekopye was in use since at least 2015. We focused on one version, analyzing its main capabilities and uncovering how Telekopye works internally. These capabilities include creating phishing websites, sending phishing SMS and emails, and creating fake screenshots. We also described the hierarchy of groups using Telekopye. Thanks to our telemetry, we also found out that this tool is still in use and in active development. The second Telekopye blog post, which will be released later, uncovers the inner working of the scam groups.

Acknowledgement

The author would like to thank Ondřej Novotný for the initial discovery.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected].
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of Indicators of Compromise and samples are available in our GitHub repository.

Files

SHA-1	Filename	Detection	Description
26727D5FCEEF79DE2401CA0C9B2974CD99226DCB	scam.php	PHP/HackTool.Telekopye.A	Telekopye scam toolkit
285E0573EF667C6FB7AEB1608BA1AF9E2C86B452	tinkoff.php	PHP/HackTool.Telekopye.A	Telekopye scam toolkit
8A3CA9EFA2631435016A4F38FF153E52C647146E	600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a.php	PHP/HackTool.Telekopye.A	Telekopye scam toolkit

Network

IP	Domain	Hosting provider	First seen	Details
N/A	id23352352.ru	Cloudflare	2023-07-04	Domain that is used to test toolkit or scam victim.
N/A	id8092.ru	Cloudflare	2023-06-26	Domain that is used to test toolkit or scam victim.
N/A	id2770.ru	Cloudflare	2023-06-28	Domain that is used to test toolkit or scam victim.
N/A	id83792.ru	Cloudflare	2023-06-17	Domain that is used to test toolkit or scam victim.
N/A	id39103.ru	Cloudflare	2023-06-19	Domain that is used to test toolkit or scam victim.
N/A	2cdx.site	Cloudflare	2021-03-21	Domain that is used to test toolkit or scam victim.
N/A	3inf.site	Cloudflare	2021-03-12	Domain that is used to test toolkit or scam victim.
N/A	pay-sacure4ds.ru	Jino	2021-12-27	Domain that is used to test toolkit or scam victim.
N/A	id7423.ru	Cloudflare	2021-03-27	Domain that is used to test toolkit or scam victim.
N/A	id2918.site	Jino	2021-03-08	Domain that is used to test toolkit or scam victim.
N/A	formaa.ga	Zomro	2021-05-30	Domain that is used to test toolkit or scam victim.
N/A	id0391.ru	Cloudflare	2023-06-23	Domain that is used to test toolkit or scam victim.
N/A	id66410.ru	Cloudflare	2023-06-17	Domain that is used to test toolkit or scam victim.
N/A	id82567.ru	Cloudflare	2023-06-07	Domain that is used to test toolkit or scam victim.

MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.

Tactic	ID	Name	Description
Reconnaissance	T1589	Gather Victim Identity Information	Telekopye is used to gather debit/credit card details, phone numbers, emails, etc. via phishing web pages.
Resource Development	T1583.001	Acquire Infrastructure: Domains	Telekopye operators register their own domains.
	T1585	Establish Accounts	Telekopye operators establish accounts on online marketplaces.
	T1585.002	Establish Accounts: Email Accounts	Telekopye operators set up email addresses associated with the domains they register.
	T1586.002	Compromise Accounts: Email Accounts	Telekopye operators use compromised email accounts to increase their stealthiness.
	T1587.001	Develop Capabilities: Malware	Telekopye is custom malware.
Initial Access	T1566.002	Phishing: Spearphishing Link	Telekopye sends links to phishing websites in emails or SMS messages.
Collection	T1056.003	Input Capture: Web Portal Capture	Web pages created by Telekopye capture sensitive information and report it to operators.

• SEO Powered Content & PR Distribution. Get Amplified Today.
• PlatoData.Network Vertical Generative Ai. Empower Yourself. Access Here.
• PlatoAiStream. Web3 Intelligence. Knowledge Amplified. Access Here.
• PlatoESG. Automotive / EVs, Carbon, CleanTech, Energy, Environment, Solar, Waste Management. Access Here.
• PlatoHealth. Biotech and Clinical Trials Intelligence. Access Here.
• ChartPrime. Elevate your Trading Game with ChartPrime. Access Here.
• BlockOffsets. Modernizing Environmental Offset Ownership. Access Here.
• Source: https://www.welivesecurity.com/en/eset-research/telekopye-hunting-mammoths-using-telegram-bot/