ZachXBT shares video recording of jailed fake Safeguard Telegram bot scammer

Crypto security sleuth ZachXBT has shared a video recording on his X account, exposing a hacker known as vKevin during a sophisticated scam via a fake Safeguard Telegram bot. The exploiter was believed to be working with other actors in the con while he was in a New York school.

On January 23, ZachXBT, a well-known figure in the crypto investigative community, released a 31-minute long video on social media platform X that captured ‘vKevin’ using Telegram to swindle money from victims. In the video, ‘vKevin’ was seen collaborating with accomplices while engaging in phishing activities aimed at unsuspecting victims.

The crypto security analyst was responding to a post made by user @pcaversaccio, who had warned the crypto community about the new deceptive tactic on Telegram, which he described as the “biggest security threat right now.”

Folks, the biggest security threat right now is people blindly running code, invoking obscure commands, or installing applications just because some random person or website told them to. Example: Fucking stop blindly running those _malicious_ PowerShell commands just because… pic.twitter.com/vuBDabQJNY

— sudo rm -rf –no-preserve-root / (@pcaversaccio) January 23, 2025

The scam involved tricking victims into verifying their identity through a fake Safeguard bot. This allowed the hacker to gain unauthorized access to their Telegram accounts and, subsequently, their trading bot wallets. Once there, the exploiters could cart away victims’ assets, up to hundreds of thousands of dollars in some cases. 

Investigators identify new dangerous Telegram bot scam 

According to a medium explainer by blockchain security firm SlowMist, the fake safeguard Telegram scam has two infiltration methods. Scammers can leverage the bot to solicit users to give out private information, including passwords and verification codes. They can also plant malware viruses to hack into computers and directly steal information.

In the article published on January 18, SlowMist outlined how malicious actors create counterfeit accounts of key opinion leaders (KOLs) on X, strategically attaching Telegram group invitational links in comments to attract potential victims.

Users who join the “communities” through the link are then greeted with requests for a “verification” process. If they follow the steps, a malicious remote access Trojan (RAT) agent unleashes PowerShell commands that compromise any security installations, enabling the hacker to access the system without authorization.

Following ZachXBT’s post, one user inquired if the hacker ‘vKevin’ had been doxxed, to which ZachXBT confirmed with a simple “yes.” 

He's gonna be holding pockets in prison.

(and yeah, you do look ugly bro) pic.twitter.com/DKcomKIk6M

— ImNotTheWolf (@ImNotTheWolf) January 23, 2025

In one of the replies, a user shared a photo of the purported exploiter, although some specific details, like his immediate location or who he was working with, have yet to be disclosed.

The same hacker was responsible for Discord server breach in 2022

vKevin was purportedly responsible for another network breach that saw NFT holders lose over $300,000 on August 14, 2022. The update was revealed by X user @Iamdeadlyz. They explained how the hacker attacked DigikongNFT’s Discord when he deployed a webhook in the form of a fake MEE6 bot, within the server. 

This bot was designed to facilitate a phishing attack by using a bookmarklet to exfiltrate Discord authentication tokens from users. The phishing site linked to this attack was hosted at mee6.ca/verify, a domain registered through web service Namecheap and hosted on AWS with the IP address 23.22.5.68. 

.@DigikongNFT's Discord server is compromised

/famousfoxfedaration.netlify.app

🌐@Netlify @NetlifySupport

🚩 @solanafm
3HZmQ7TVkhcuPu5jb349LARJYP8LMVC7U31qsCuYCkso

Same malicious actor/s behind the @AI_Roulette attack

Impersonator's @Discord ID: 852413673053093908 https://t.co/3K6MiIE3Ky pic.twitter.com/NxENWxTrsW

— iamdeadlyz (@Iamdeadlyz) August 14, 2022

Evidence of vKevin’s actions was shared on the general channel of the Discord server, although most of the sensitive information was redacted.

Namecheap later confirmed that they had suspended the abusive service in response to this security breach, but vKevin and other hackers had already made away with the NFT collections.

From Zero to Web3 Pro: Your 90-Day Career Launch Plan