I. Targeted Entities

  • Telegram
  • Banks
  • Contactless payment systems

II. Introduction

Cybercriminals are stealing one-time password tokens (OTPs) in order to gain access to PayPal, Apple Pay, Google Pay, and other contactless payment services.

III. Background Information

Researchers from Intel 471 have discovered that cybercriminals are using Telegram bots to steal OTPs and defraud people through banks and online payment systems.[1] Intel 471 researchers reported that the thieves have been operational since June. The threat actors are using Telegram bots, and a range of other tactics, to gain account information, including calling victims and impersonating banks and legitimate services. The cybercriminals are also trying to bypass two-factor authentication by using social engineering and deceiving victims into giving them an OTP, or other verification code via a mobile device, which the criminals use to defraud accounts.[1]

This isn’t the first time that Telegram bots have been used to defraud victims. A similar campaign was discovered in January, called Classiscam, where bots were sold as-a-service by Russian-speaking cybercriminals with the purpose of stealing money and payment data from European victims. Other criminals have been discovered using Telegram bots as command-and-control for spyware.[1] Intel 471 researchers analyzed and found three bots in this campaign: SMSRanger, BloodOTPbot, and SMS Buster.[1]

Intel 471 researchers described SMSRanger as “easy to use,” and similar in nature to a bot in the collaboration tool Slack. By using a “/”, scripts can be accessed that can target specific banks or payment services, like PayPal, Apple Pay, or a wireless carrier.[1] SMSRanger sends a potential victim a text message requesting for their phone number. Once the phone number has been entered in the chat, the bot takes over, ultimately giving the threat actors access to whatever account has been targeted. Researchers say that approximately 80 percent of the users who are targeted by SMSRanger will provide their full and accurate information to the cybercriminals, allowing the cybercriminals to defraud the victims.[1]

BloodOTPBot has the ability to send users a fraudulent OTP code via SMS. However, this bot requires an attacker to spoof the victim’s phone number and impersonate a bank or company representative.[1] The bot attempts to call victims and uses social engineering techniques to gather a verification code from the targeted victim. The attacker will receive a notification from the bot during the call, and the bot will tell the attacker when to request the OTP during the authentication process.[1] The bot then texts the code to the attacker once the victim receives the OTP and enters it on the phone’s keyboard. BloodOTPBot runs at $300 a month. Users can also pay between $20-$100 more to access live phishing panels that target social media networks, like Facebook, Instagram, Snapchat, and financial services like Venmo, PayPal, Robinhood, and even cryptocurrency marketplaces like Coinbase.[1]

The third bot, SMS Buster, requires more effort than the other previously mentioned bots, Intel 471 researchers say. The bot provides options so an attacker can shroud a call made from any phone number to make it seem as though a legitimate contact from a specific bank is calling. Once a potential victim has been reached, attackers follow a script to try to fool the victim into providing sensitive information like an ATM card PIN, a credit card verification value, or an OTP.[1] Researchers also saw that criminals use SMS Buster against Canadian victims, using English and French to target them. Intel 471 researchers have seen eight different Canadian-based banks illegally accessed by SMS Buster.


  • T1528 – Steal Application Access Token
    Account access is dependent on threat actors stealing a user’s one-time password or OTP.
  • T1566 – Phishing
    Telegram bots are being used to call users and impersonate banks and other services.
  • T1078 – Valid Accounts
    Once an OTP has been compromised, attackers can use the client’s account to steal information, money, and potentially compromise other users.
  • T1199 – Trusted Relationship
    Account access allows attackers to breach the organization and access their intended victims.
  • T1036 – Masquerading
    Threat actors pretend to be the client’s bank to manipulate OTP controls and access the user.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should alsobe educated about new types of attacks and schemes to mitigate risk.
    Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified.
    Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

At the time of writing, no IOCs, or CVEs, have been issued.

VII. References

(1) Montalbano, Elizabeth. “Threat Actors Weaponize Telegram Bots to Compromise PayPal Accounts.” Threatpost English Global, September 29, 2021. https://threatpost.com/telegram-bots-compromise-paypal/175099/.

Threat Advisory created by the Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Jessica Senatus, Sreten Dedic, EJ Bulut, Uday Bilakhiya and Tural, Hagverdiyev.