Quack toy: a phishing scheme with Pepe the Frog appeared in Telegram

The first cryptoaffairs with collectible gifts in Telegram - virtual items with unique codes assigned to them - have been detected in the Russian Federation. Attackers began to massively create phishing resources with malware that steals funds from the wallets of cryptocurrency users. Fraudulent sites promise free giveaways of virtual items with Pepe the Frog, a popular Internet character, the cost of which reaches tens of thousands of dollars. Experts described how cybercriminals have turned the first Telegram trend of 2025 into an effective way to deceive gullible users.

Who benefits from virtual frogs

In early January 2025, cybercriminals began distributing links to phishing resources and bot programs on the Internet, aimed at stealing funds from the crypto wallets of Telegram users. As Izvestia was informed by F.A.C.C.T., phishing resources with drainers (program complexes designed for quick and automated emptying of cryptocurrency wallets) appeared on the web, offering free rare NFTs with Pepe the Frog and cryptocurrency allegedly as part of the daily distribution of gifts from the Telegram community. The prizes require you to connect your cryptocurrency wallet to the site, which will eventually lead to the loss of all funds stored on it, experts warned. So far, the company's experts have detected at least nine such resources with Pepe.

- Attackers rarely miss infoprovods that they can use in their activities. Cryptodrainers are common malware used by cybercriminals to steal cryptocurrency. A user logs in to a fake website where they are prompted to sign a transaction, after which their wallet is accessed by malware that quickly empties the account. Scammers also create phishing authorization pages in Telegram, promising users various bonuses and gifts on the theme of Pepe the Frog. In addition, fraudulent crypto-exchange bots are active in the messenger, where funds can only be deposited, but you can't withdraw them," said Maria Sinitsyna, Senior Analyst at Digital Risk Protection.

Recently, gifts with NFT tags appeared in Telegram, which in turn can be resold. This was immediately used by attackers, said Alexei Gorelkin, CEO of Phishman.

- The main method of deception is related to the fact that the user receives a link to an alleged gift from a friend Telegram Premium, but after clicking on the link to receive it, they are asked to fill out a form. This is how attackers can steal your Telegram account. As for Pepe the Frog, this kind of thing is already encountered on profile forums. If interest in collectible frogs does not wane, it will become as popular as the "TG Premium gift" scheme," summarized Alexei Gorelkin.

Attackers have already started using the interest in the topic of collectible gifts for attacks, primarily in profile groups on cryptocurrency. Phishman specialists record an increase in the number of such incidents, but further predictions require time, at least four weeks. As the expert notes, this is consistent with the earlier prediction that attacks will become more personalized in 2025.

According to Roman Alabin, head of information security at InfoWatch, the collectible gifts gaining popularity in Telegram are of interest to fraudsters because they can be sold and resold. The same fraud boom was previously seen with the appearance of Premium accounts and Telegram Stars currency.

Schemes are also spreading with other digital objects that users can donate. Kaspersky Lab specialists have identified a new scam scheme (a method of direct deception) targeting cryptocurrency owners in various countries, where users are allegedly offered to "purchase Telegram Stars cheaper than in an official store with automatic delivery." However, as a result, the user gets nothing and risks losing their digital assets, notes Olga Svistunova, a senior content analyst at Kaspersky Lab.

How Pepe became a source of profit

As Pavel Durov said earlier on his blog, users exchanged 20 million gifts over the New Year holidays. The messenger allows converting rare gifts into collectible ones for a base fee of 25 Telegram stars, this corresponds to the standard blockchain fee.

After the introduction of collectible gifts, it was animated pictures with sad Pepe that became the leaders - at the beginning of the year they sold for hundreds of dollars, and recent transactions with individual lots reach up to $27 thousand, said the creator of the cryptogame Frogs Run in Telegram Sergey Kuznetsov. Another "golden" asset, according to him, was the Internet character Scared Cat, one of his illustrations was sold for $1.5 thousand.

The expert noted that there are simpler ways to deceive users. Usually a person comes directly to personal messages to a fraudster offering to buy a collectible gift cheaply. In exchange for a full prepayment , he sends an ordinary picture without an individual NFT number, that is, in the form of an animated or static file that does not correspond to the status of a collectible gift.

Another one of the ways is bots that offer to collect the gift after authorization. As part of the authorization process, the bot offers to connect Telegram Wallet or Ton Keeper, after accessing which it is recommended to make a basic transaction to confirm the validity of the account. In reality, the operation allows attackers to withdraw all crypto funds from the wallet.

According to Dmitry Kiryushkin, head of BI.ZONE Brand Protection, because of the leaks, fraudsters have new tools for point-and-click and elaborate scenarios. Since the beginning of the year, the company's specialists have already recorded more than 800 phishing domains.

- Last year, fraudulent scripts were spread under the guise of popular applications like Hamster Kombat and Notcoin. In 2025, attackers will continue to use Telegram and come up with new fraud schemes. This is due to the low threshold of entry, cheap implementation and the ability to gain access to many accounts of potential victims," the expert believes.

He recommends users to be on guard, download Telegram only in official application stores and not to store passwords, bank card data, documents and any other confidential information in the "Favorites" folder.