Cryptocurrency firm impacted by Telegram impersonation.
Jan 9, 2023

SafeGuard Cyber released a report today detailing a Telegram impersonation impacting a large cryptocurrency firm.

SafeGuard Cyber this morning released a report detailing an observed instance of impersonation of a cryptocurrency firm in Telegram that may have been the activity of threat actor DEV-0139.

Possibly DEV-0139.

In December 2022, Microsoft published research on a threat actor it tracks as DEV-0139. The malicious actor is said to have “joined Telegram groups used to facilitate communication between VIP clients and cryptocurrency exchange platforms and identified their target from among the members. The threat actor posed as representatives of another cryptocurrency investment company, and in October 2022 invited the target to a different chat group and pretended to ask for feedback on the fee structure used by cryptocurrency exchange platforms.” An Excel file sent by the actor, named “OKX Binance & Huobi VIP fee comparision.xls”, contains malicious macros.

Malicious Excel file used impersonation.

SafeGuard researchers reported that a cryptocurrency firm utilizing their platform wanted to know if they were targeted by the threat actor following Microsoft’s report. They discovered that the malicious Excel file identified by Microsoft was used against the company in July of last year, and the threat actor was found to be impersonating an employee from the cryptocurrency firm.