🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Adversary Intelligence
7
mins read

Telegram Bots Masquerade as Digital Wallet Brands to push Referral Reward Scams to Indonesian Customers

In Indonesia, scammers are using Telegram bots to impersonate digital wallet brands, promoting fake referral reward schemes. These scams deceive users into sharing their account details, leading to significant financial losses. Discover the full details and protective measures in CloudSEK's comprehensive blog report.

Noel Varghese
July 22, 2024
Green Alert
Last Update posted on
August 21, 2025
Proactive Monitoring of Dark Web messaging platforms for your organization.

Proactively monitor and defend your organization against threats from messaging platforms in the dark web with CloudSEK XVigil.

Schedule a Demo
Table of Contents
Author(s)
No items found.

Category: Adversary Intelligence

Industry: Financial Services

Motivation: Financial 

Region: Indonesia

Source*

C - Fairly Reliable

3 - Possibly True

Executive Summary

A concerning trend has emerged in Indonesia, with fraudulent games centered around investment and referral-based tasks infiltrating the region and targeting the general public. These games are designed to potentially cause huge financial losses. Recent observations indicate that Indonesian payment gateways are being integrated into fake websites that serve as fronts for such scams. In one such instance, fraudulent campaigns targeting two Digital Wallet Brands have been discovered, under the guise of a promotional referral campaign on Telegram.

Analysis and Attribution

  • During regular XVigil Portal triaging activities centered around Social Media Discussions, CloudSEK’s Customer Research Team discovered mentionS of multiple fraudulent Telegram Bots that impersonated two Digital Wallet brands, used by millions of users in Indonesia.
  • The bots were being operated in the form of a barter system. In exchange for referring the wallet to individuals as part of the referral process, the bot would claim to be depositing an amount upwards of 100,000 to the wallet, upon exchanging Account Number associated with Digital Wallet. Upon further investigation, it was found that the bots were being operated by scammers to propagate and increase downloads / traffic for games and phishing domains cycling pig butchering scams.
Figure 1 - Introduction Message provided by the Bot

Indonesian

👋 Selamat Datang Eugene

EVENT adalah Bot Yang Di Selenggarakan oleh. Di Event ini Kamu Bisa Mendapatkan Saldo Secara Gratis Dengan Cara Membagikan Link Undangan Kamu.

Setiap Orang Yang Bergabung Menggunakan Link Kamu, Kamu Akan Mendapatkan Saldo Sebesar Rp10.000!

Saldo Dapat Ditukarkan Ke Dompet.

BOT Ini Dijamin 100% Menghasilkan Saldo. Tidak Ada Penipuan, Hoax, Phising Atau Apapun Yang Merugikan Kamu!

Untuk Dapat Melanjutkan atau Penarikan Saldo:

1 Bergabung ke Channel Utama Kami

2 Klik Verifikasi Setelah Bergabung

English

👋 Welcome 

<--> EVENT is a bot organized by <--> . In this event you can get free <-->  balance by sharing your invitation link.

Every person who joins using your link, you will get a balance of Rp10,000!

Balance can be redeemed to <-->  Wallet.

This BOT is 100% Guaranteed to Generate <--> Balance. There is no fraud, hoax, phishing or anything that harms you!

To be able to continue or withdraw balance:

1 Join Our Main Channel

2 Click Verify After Joining        


Exploring the Bot Infrastructure

Steps

  • The following are the steps stipulated by the bot to get the required cash prize:-some text
    • Obtaining your Invite Link
    • Sharing your invitation link to friends or family, if friends or family join using your link, you will automatically get a balance of IDR 10,000. A minimum count of 15 valid invitations are required
    • Collect accumulated Wallet Balance, once every 24 hours.
    • Minimum Withdrawal Amount is IDR 100,000
    • Not joining the main channel used to peddle the scam would result in disqualification from withdrawal.

Scam Progression

  • It is speculated that such channels provide initial payments for the tasks done, but these slowly dry up, as scam operators push commoners to download similar applications. Based on previous experience, people get compelled to enter the fraudulent investment ecosystem and proceed to invest and complete tasks, expecting prompt payments.
  • In this scam campaign,  games titled 7276 Slots, Super 5 and a task-based domain named EasyEarn were being promoted to individuals who had supposedly gained earnings from referring the digital Wallet Brand.

           

Figures 2 & 3 -  Screenshots from messages proceeding to direct gullible users to shady investment websites

                                

Figure 4 - Front page of Easy Earn Website

 

Deception through Digital Smokescreens

Telegram and WhatsApp groups have been commonly used by the scam operators to relay updates about the investment scheme. Users are added to the group, after making an initial deposit or after expressing an interest in the same. For some users, the initial withdrawal transaction is successful from the investment project, further heightening their trust in the investment project - leading them to invest more. Screenshots of withdrawal transactions from investors are asked to be shared, in a method to lend authenticity of the project and testimonies are shared on the groups. 

This investment project, with increasing rate of activity, progresses into an MLM Scheme where existing investors are asked to refer people and in the process are promised good referral bonuses. This not only extends the web of victims that the scammers can cheat, but goodwill is given a tradeoff here, as existing investors are convinced that the project is genuine, with initial withdrawals and bonuses given on time and would like to extend the benefits of the scheme to relatives and friends, with recommendations. 

 Figure 5 - Chatter from a YouTube Video - where a user details their experience dealing with the promotional event

Figure 6 - Insights from the Channels provided in the form of an Infographic

                                             

Figure 7 - Public Transaction records on Telegram Channel

Promotion on Social Media Platforms

It is increasingly become worrying to see the amount of promotion that such fraudulent ventures

receive on platforms such as Facebook and TikTok. Similar links for the new Internet sensation

‘Hamster Combat’ are being spammed as comments on TikTok videos made in Indonesia and which

focus around crypto investments and referral tasks. 

Figure 8 - Presence of a Telegram Bot link on the Comments section of a TikTok Video discussing Hamster Combat

                                       

Impact & Mitigation

It is important that we understand the impact that similar phony investment scheme campaigns can have on the industry/region economically or otherwise:-

  • This scam provides a gateway for Threat Actors to lure people, who are genuinely interested in improving personal finances and then scam them, by luring them with names of major brands into disrepute.
  • This reduces the brand reputation of globally established organizations from multiple industries, leading to decrement in trust from the general public

There are some proactive methods that can be used to monitor and mitigate these threats:

  • User Awareness is key. Issuing appropriate advisories forewarning customers of fraudulent ventures on Telegram should be followed.
  • Proactively takedown highlighted videos from YouTube, due to the amount of misinformation being spread, about investment schemes that are not endorsed by your brand.
  • Follow appropriate measures with corresponding proofs to takedown content from Telegram and other platforms that are infringing your brand and misusing the same to spread misinformation.

References

Author

Noel Varghese

Cyber Threat Researcher

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
Breach
Data leaks
Emerging Threats
Hacktivism
October 10, 2024

Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration

Over recent months, the United States has faced a surge in cyber attacks, with ransomware incidents rising sharply from June to October 2024. Prominent groups, including Play, RansomHub, Lockbit, Qilin, and Meow, have targeted sectors such as Business Services, Manufacturing, IT, and Healthcare, compromising over 800 organizations. Major attacks included a breach of the City of Columbus by Rhysida ransomware and data leaks impacting Virginia’s Department of Elections and Healthcare.gov. Additionally, China’s "Salt Typhoon" espionage campaign is aggressively targeting U.S. ISPs, further complicating the cyber threat landscape. Hacktivist groups advocating pro-Russian and pro-Palestinian positions have also increased their attacks, affecting government entities and critical infrastructure. This report highlights the need for enhanced security protocols, regular audits, and public awareness initiatives to mitigate the growing cyber risks. Key recommendations include implementing multi-factor authentication, frequent employee training, and advanced threat monitoring to safeguard the nation's critical infrastructure and public trust.

Blog Image
Adversary Intelligence
June 26, 2024

Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

Blog Image
Adversary Intelligence

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Back
Scam

Telegram Bots Masquerade as Digital Wallet Brands to push Referral Reward Scams to Indonesian Customers

In Indonesia, scammers are using Telegram bots to impersonate digital wallet brands, promoting fake referral reward schemes. These scams deceive users into sharing their account details, leading to significant financial losses. Discover the full details and protective measures in CloudSEK's comprehensive blog report.
July 22, 2024
7
min
Table of Content
Example H2
Example H2

Category: Adversary Intelligence

Industry: Financial Services

Motivation: Financial 

Region: Indonesia

Source*

C - Fairly Reliable

3 - Possibly True

Executive Summary

A concerning trend has emerged in Indonesia, with fraudulent games centered around investment and referral-based tasks infiltrating the region and targeting the general public. These games are designed to potentially cause huge financial losses. Recent observations indicate that Indonesian payment gateways are being integrated into fake websites that serve as fronts for such scams. In one such instance, fraudulent campaigns targeting two Digital Wallet Brands have been discovered, under the guise of a promotional referral campaign on Telegram.

Analysis and Attribution

  • During regular XVigil Portal triaging activities centered around Social Media Discussions, CloudSEK’s Customer Research Team discovered mentionS of multiple fraudulent Telegram Bots that impersonated two Digital Wallet brands, used by millions of users in Indonesia.
  • The bots were being operated in the form of a barter system. In exchange for referring the wallet to individuals as part of the referral process, the bot would claim to be depositing an amount upwards of 100,000 to the wallet, upon exchanging Account Number associated with Digital Wallet. Upon further investigation, it was found that the bots were being operated by scammers to propagate and increase downloads / traffic for games and phishing domains cycling pig butchering scams.
Figure 1 - Introduction Message provided by the Bot

Indonesian

👋 Selamat Datang Eugene

EVENT adalah Bot Yang Di Selenggarakan oleh. Di Event ini Kamu Bisa Mendapatkan Saldo Secara Gratis Dengan Cara Membagikan Link Undangan Kamu.

Setiap Orang Yang Bergabung Menggunakan Link Kamu, Kamu Akan Mendapatkan Saldo Sebesar Rp10.000!

Saldo Dapat Ditukarkan Ke Dompet.

BOT Ini Dijamin 100% Menghasilkan Saldo. Tidak Ada Penipuan, Hoax, Phising Atau Apapun Yang Merugikan Kamu!

Untuk Dapat Melanjutkan atau Penarikan Saldo:

1 Bergabung ke Channel Utama Kami

2 Klik Verifikasi Setelah Bergabung

English

👋 Welcome 

<--> EVENT is a bot organized by <--> . In this event you can get free <-->  balance by sharing your invitation link.

Every person who joins using your link, you will get a balance of Rp10,000!

Balance can be redeemed to <-->  Wallet.

This BOT is 100% Guaranteed to Generate <--> Balance. There is no fraud, hoax, phishing or anything that harms you!

To be able to continue or withdraw balance:

1 Join Our Main Channel

2 Click Verify After Joining        


Exploring the Bot Infrastructure

Steps

  • The following are the steps stipulated by the bot to get the required cash prize:-some text
    • Obtaining your Invite Link
    • Sharing your invitation link to friends or family, if friends or family join using your link, you will automatically get a balance of IDR 10,000. A minimum count of 15 valid invitations are required
    • Collect accumulated Wallet Balance, once every 24 hours.
    • Minimum Withdrawal Amount is IDR 100,000
    • Not joining the main channel used to peddle the scam would result in disqualification from withdrawal.

Scam Progression

  • It is speculated that such channels provide initial payments for the tasks done, but these slowly dry up, as scam operators push commoners to download similar applications. Based on previous experience, people get compelled to enter the fraudulent investment ecosystem and proceed to invest and complete tasks, expecting prompt payments.
  • In this scam campaign,  games titled 7276 Slots, Super 5 and a task-based domain named EasyEarn were being promoted to individuals who had supposedly gained earnings from referring the digital Wallet Brand.

           

Figures 2 & 3 -  Screenshots from messages proceeding to direct gullible users to shady investment websites

                                

Figure 4 - Front page of Easy Earn Website

 

Deception through Digital Smokescreens

Telegram and WhatsApp groups have been commonly used by the scam operators to relay updates about the investment scheme. Users are added to the group, after making an initial deposit or after expressing an interest in the same. For some users, the initial withdrawal transaction is successful from the investment project, further heightening their trust in the investment project - leading them to invest more. Screenshots of withdrawal transactions from investors are asked to be shared, in a method to lend authenticity of the project and testimonies are shared on the groups. 

This investment project, with increasing rate of activity, progresses into an MLM Scheme where existing investors are asked to refer people and in the process are promised good referral bonuses. This not only extends the web of victims that the scammers can cheat, but goodwill is given a tradeoff here, as existing investors are convinced that the project is genuine, with initial withdrawals and bonuses given on time and would like to extend the benefits of the scheme to relatives and friends, with recommendations. 

 Figure 5 - Chatter from a YouTube Video - where a user details their experience dealing with the promotional event

Figure 6 - Insights from the Channels provided in the form of an Infographic

                                             

Figure 7 - Public Transaction records on Telegram Channel

Promotion on Social Media Platforms

It is increasingly become worrying to see the amount of promotion that such fraudulent ventures

receive on platforms such as Facebook and TikTok. Similar links for the new Internet sensation

‘Hamster Combat’ are being spammed as comments on TikTok videos made in Indonesia and which

focus around crypto investments and referral tasks. 

Figure 8 - Presence of a Telegram Bot link on the Comments section of a TikTok Video discussing Hamster Combat

                                       

Impact & Mitigation

It is important that we understand the impact that similar phony investment scheme campaigns can have on the industry/region economically or otherwise:-

  • This scam provides a gateway for Threat Actors to lure people, who are genuinely interested in improving personal finances and then scam them, by luring them with names of major brands into disrepute.
  • This reduces the brand reputation of globally established organizations from multiple industries, leading to decrement in trust from the general public

There are some proactive methods that can be used to monitor and mitigate these threats:

  • User Awareness is key. Issuing appropriate advisories forewarning customers of fraudulent ventures on Telegram should be followed.
  • Proactively takedown highlighted videos from YouTube, due to the amount of misinformation being spread, about investment schemes that are not endorsed by your brand.
  • Follow appropriate measures with corresponding proofs to takedown content from Telegram and other platforms that are infringing your brand and misusing the same to spread misinformation.

References

Noel Varghese
Cyber Threat Researcher

Related Blogs

This is some text inside of a div block.
Scam
March 13, 2025
5
min
Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations
Read more
This is some text inside of a div block.
Scam
March 11, 2025
3
min
The Dark Side of eCommerce: How Fake Review Networks Manipulate Online Shopping
Read more
This is some text inside of a div block.
Scam
March 6, 2025
5
min
PrintSteal : Exposing unauthorized CSC-Impersonating Websites Engaging in Large-Scale KYC Document Generation Fraud
Read more