Telegram Bots at Heart of Classiscam Scam-as-a-Service

telegram bot scam as a service

The cybercriminal service has scammed victims out of $6.5 million and continues to spread on Telegram.

A new automated scam-as-a-service has been unearthed, which leverages Telegram bots in order to steal money and payment data from European victims.

The scam, which researchers call Classiscam, is being sold as a service by Russian-speaking cybercriminals, and has been used by at least 40 separate cybergangs – which altogether made at least $6.5 million using the service in 2020.

These groups have bought into full-fledged scam kits, equipping them with Telegram chatbots for automated communication with victims, as well as customized webpages that lead victims to phishing landing pages. These are all the tools needed to scam victims out of money – when in reality, the victims think they are buying online products.

2020 Reader Survey: Share Your Feedback to Help Us Improve

“Group-IB discovered at least 40 groups leveraging Classiscam, with each of them running a separate Telegram chat-bot,” said researchers with Group-IB, in a Thursday analysis. “At least 20 of these groups focus on European countries. On average, they make around $61,000 monthly, but profits may differ from group to group. It is estimated that all 40 most active criminal groups make $522,000 per month in total.”

The Scam

First, the cybercriminals who have bought these kits publish “bait ads” on popular marketplaces and classified websites, such as French classifieds site Lebencoin or German logistics industry giant DHL. Products such as cameras, game consoles, laptops or smartphones are posted at deliberately low prices.

If a victim contacts the seller, they are asked to continue communicating through a third-party messenger app, either WhatsApp or Telegram. If these communications occur via Telegram, the ploy uses Telegram chat bots. According to Telegram, bots are Telegram accounts operated by software – not people – that will often have artificial-intelligence features.

A Classiscam scam in action. Credit: Group-IB

The cybercriminals behind the ploy merely need to send a link with the bait product to the Telegram chatbot, which then generates a complete phishing kit.

Digging deeper, the phishing kit includes a link to either a fake popular courier service website, or a scam website that mimics a classified or a marketplace with a payment form, which is actually a scam page. A “refund” page meanwhile offers fake support lines for victims to call if they have realized they have been scammed; the “tech support team” is actually a member of the cybercriminal gang using the service.

“As a result, the fraudster obtains payment data or withdraws money through a fake merchant website,” said researchers. “Another scenario involves a scammer contacting a legitimate seller under the guise of a customer and sending a fake payment form mimicking a marketplace and obtained via Telegram bot, so that the seller could reportedly receive the money from the scammer.”

The Service

The hierarchy of the gangs behind the scam works in a pyramid, said researchers – admins at the top are responsible for recruiting members and creating scam pages and new accounts. Below them, workers communicate with victims and send them phishing URLs, while others pose as tech-support specialists who talk to victims about their “refunds.”

“Scammers are making their first attempts in Europe, [and] an average theft costs users about $120,” said researchers. “The scam was localized for the markets of Eastern and Western Europe.” 

Researchers said “the scheme is simple and straightforward, which makes it all the more popular.” The use of Telegram bots plays into its growing popularity, they said.  Telegram recently saw a surge in new users after WhatsApp came under criticism for its privacy policies.

Researchers said that more than 5,000 scammers were registered in 40 most popular Telegram chats by the end of 2020, showing that the ploy continues to grow on the Telegram platform.

Threatpost has reached out to Telegram for comment.

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.

Suggested articles


  • Ombelico on

    Facebook, Twitter and WhatsApp are full of scam bots
  • Alok Sharma on

    How much did WhatsApp pay you for this article exactly at this point? Shame
  • Bryan on

    You guys need to improve you bot or anti cyber fraudulent system, there is tons of scammer regarding investment in here which is you never notified, there is a lot of people have been scammed to your app like FXTM STOCK TRADE it looks a lot of people are making money there once you talk to them they will tell yeah its a legit and I earn money but its a lie all of them are scammer One big group of scam, I checked the admin name and she just faking some one. This message is for the telegram app or company, there is a lot of innocent people there who been scammed.
  • Faizan Haider on

    I invested my money in company but I lost my money. He contacted me on telegram
  • Jake Viernes on

    So glad I came across this now just after going through the scheme as a victim. Having had an Atomic wallet for my cryptos for years was a very comforting thing. But once I had a problem with balances that showed as 'pending' transactions but were indicated as 'confirmed' in the History tab of my Atomic wallet phone app for a week, I still had enough confidence that all was okay as usual. I emailed the Support team on the matter wanting to inform them of the existence of such anomaly but their responses were very dull - almost out of context. Some two or three weeks later however, I decided to withdraw some of my assets to deposit them to the exchange with intent to trade them, I was irritated to find such transaction still hasn't registered after hours past. The first and succeeding emails Id sent to Support came up with what I now realize to more probably be mere bot responses since their were strikingly similar words and phrases everytime. So I decided to try another platform among the available Support services indicated on their phone app. On opening, it showed not just the email services that I'd used several times in the past, but also a Chat with Support platform which is practically useless if you needed to get immediate response. At the bottom part is the "Check our Social Networks" platform and that is where I tapped the first choice among four available which included Reddit, Twitter and Facebook. It was the Telegram Atomic Wallet Chat channel which upon clicking it would reveal at the bottom screen the message: "Group admins have restricted you from messaging." That to me didn't sound welcome and sounded more like I needed to stay out of it since I wasn't invited to message in it - right? Such outright rejection on the page brought my attention to other indicating channels which had more catchy allure like: "Atomic Help Center", "Wallet Support", "Atomic Helpline" and "Atomic Help Center" - all of which were showing the Atomic logo. That I thought was where I was supposed to be. I chose instead an even more open one called "Christine wallet manager". It featured an innocent photo of a woman wearing shades with her hair in the wind. This struck me as innocent for its apparent lack of anonymity which I immediately perceived to be transparent and real. It would be very in the exchange through text messages between us that I would soon realize that this was not here to help me. After having siphoned off the contents of my wallet before my very eyes, I was now systematically being asked to deposit an amount at least equivalent to or more in value to the previous funds that were initially in the wallet in order for the display anomaly to correct. The reason given was that such action was needed in order to complete the reset procedure and have my wallet show the correct and updated values. Alarmed and in panic, I frantically got off the line to look and find help! I found just next close by was another called Atomic Help Center which had the same welcome and invitation to spill out my problem. Warily I just had to catch on the tone and proceeded to narrate what I'd just gone through. Eventually, I asked if I had just been duped and after a brief moment he replied: "You were scammed". As if on cue, he immediately took steps which sounded more like commands to implement damage control. He admitted that he was not supposed to ask my 12 word seed phrase but under the circumstances he had to act fast in order to block any exit transfers emanating from the blockchain in order for me to recover my funds. I had no idea what he meant but just went along since I was feeling feeble at this stage. He constantly assured me that his efforts will admittedly take a long and arduous process but I would definitely get my funds back. Being well past midnight I eventually dropped the exchange between us purposely not thanking him just yet for his efforts. In the morning after breakfast I find that all his messages during our exchange have been deleted and what remained of our messages were all that came from myself as I sent them to him. Also, the "Atomic Help Center" channel name that he'd used has now been replaced by "Deleted Account." Not knowing why really, I just left it as such, not bothering to delete the entire exchange. Later in the day however, when my curiosity got piqued, I finally decided to have a look 'inside' the Atomic Chat Group. Notwithstanding the fact that it has always displayed the message: Group admins have restricted you from messaging", I decided to push through with checking it out. While doing so, I noticed numerous instances of the entity (Deleted Account) flashing on the screen from time to time. Soon it was inevitable that I would find out that the Deleted Account to whom I had corresponded with just a few hours ago before going to bed in fact worked as an employee of I decided to hang on and spend the rest of that day on March 03 perusing all sorts of messages being flashed across the screen as I scanned through the Atomic Chat group even as I still was in restricted status, At around 6:00 PM however, I was surprised when Atomic Help Center suddenly appeared on the screen before me greeting me with my first name (Jake) and asked if I was ready to take steps to start making moves to recover my funds. Apparently it was ready and he said it would only take 30 minutes. But he quick to add that such steps would happen dependent upon my actions. So I asked how. That was when he demanded to be sent to an address he would specify an amount of $2000 in BTC first before he would execute the quick procedure that would take only 30 minutes but will completely transfer the funds back to a new wallet which he said I would have to be initiated first. Eventually, there was some haggling between us with me playing along. But in the end I decided to end playing the game and demanded him to send the recovered funds individually to a new wallet I'd made. I made firm assertions that I won't give him a cent while showing him that I knew that he worked at and went as far as dropping names of admins that I became familiar with in my 'peeks' at the Atomic Chat Group hoping that he would budge if I knew where he worked. He not only conceded knowing who those names I mentioned were but also made mention of the CEO himself yet made sure he sounded very confident that I could never identify him and that for all practical purposes he was scot-free since. He continued to offer his bargain for me to make a deposit. At this point I had imposed upon him that his collaboration with Christine wallet manager is something that I still believed and in fact made clear to him that she was a 'he' and I even labelled her a bastard as such since during our first conversation he had slipped twice conceding to refer to 'her' as 'him' and for that I conclude that they both are real persons who knew each other and are indeed employees at atomic. io. While I realize now that those channels they operated were bots, I have a strong hunch that at least two if not just one of's employees is the bad egg I'd come in contact with. And this chap surely was one of them. References to the Christine above point to the uncertainty even among workers there as some point out to her as real while others claim she's been booted out already. What is surprising though is that at least one admin conceded that she was in fact a real person and was an admin as well. Which now makes clear the fact that these admins know exactly what happens if distraught clients don't get to join this chat group in their search for help and are sure to get scammed since there is no way to avoid having to divulge those private keys to the bots (or whatever) since the links they provide to update the wallets they claim must be updated, invariably ask for those private keys! Yet, the blatant warnings within the restricted chat group is all too clear and annoyingly everywhere! Even the admins keep repeating those but for whom I wonder since clients like me were kept out of seeing them as relevant in our case - being restricted by group admins to make messages there! Your article has made a lot of things clear to me. The abject avoidance by the Email Support Services as well as the restrictions imposed by the Chat Group to which an unsuspecting yet frantic client looking for a solution to a pressing problem will eventually lead them to the 'other' channels within Telegram wherein the certainty to be scammed is there. Something that is, quite obviously meant to happen as a matter of company procedure at it would seem to me. Otherwise, how would one employee make an observation (his comment caught my eye during my perusals of the group chat) that there doesn't seem to be enough admins around to oversee quality supervision of their operations considering the scammers that abound! The worst scenario I could surmise at this juncture is that, admins themselves are conscious of this inevitable state of affairs yet they don't take steps to avoid or lead off such unsuspecting clients into falling prey in those spaces outside of the Atomic Chat Group. I had another correspondence with one of the admins (I knew he was one since I can identify who the admins were in the chat group when I was perusing the site contents) as I had just filled out the link sent to me by the bot. After mentioning my actions he only hinted as if in hindsight that I shouldn't. Yet he left the conversation as such , closed the exchange between us and left my questions to him unanswered. He didn't bother to sound any unmistakable warning to stop me nor make a sweepingly bold step to stop what I was doing. He just immediately dropped the exchange between us and left my questions to him hanging. I realize now that was because he knew exactly what was happening - their bots were making them the money they earned on the side and the company wouldn't care.
  • Aries.clemm on

    Same experience
  • Ansill on

    What was the page? If you could make us all aware
  • Jalla Lakshmi on

    RICH-AMIT telegram is channel beating 60k investment money is scammer
  • harisqayoom on

    S@account_seller_cheaps on telegram is group and channel on YouTube had scammed on me 7k

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.