Chinese Hackers Use Fake Skype To Deceive Crypto Investors

The SlowMist Security Team has discovered that a fake version of Skype is being heavily distributed on the internet in China.

Due to local regulations, several international marketplaces are inaccessible in China, which has created an opportunity for bad actors to exploit this gap. They are flooding the market with phishing applications that target crypto investors.

According to SlowMist, a blockchain security firm, a group of Chinese scammers have started distributing a fake version of Skype for Android devices on multiple local marketplaces.

The fake version, version 8.87.0.403, tricks victims into believing they have downloaded a legitimate version of the video chat application. The local marketplaces where the fake version of Skype is being distributed include 51pgzs, siyuetian, and others.

After the malicious application is installed on an Android phone, it obtains images from various directories and continuously monitors for new images. Once it detects new images, it uploads them to the backend interface of the phishing gang.

SlowMist analysts discovered that the same gang behind the fake Skype application also targeted users with its scam version of Binance in 2022.

They noted that both malicious applications had similar backend domains, specifically “bn-download3[dot]com.” Further analysis revealed that “bn-download[number]” is a series of fake domains used by this phishing gang specifically for Binance phishing, indicating that this gang is a repeat offender targeting Web3.

The malicious application sends images and sensitive data to the hackers’ backend, including device information, user ID, and phone number. Moreover, the fake Skype app monitors incoming and outgoing messages and replaces TRON or Ethereum-type address format strings with pre-made addresses by scammers.

According to SlowMist, the scammers’ TRON chain address has received around $193,000 in Tether (USDT) with 110 transactions. The scammers are still receiving funds, with the most recent transaction being Nov 8, 2023. Most of the stolen funds were laundered through BitKeep’s Swap service, with the transaction fees paid by a user registered on the OKX crypto exchange, as reported by SlowMist.