Executive Summary
Between October 2025 and early 2026, a persistent cryptocurrency scam campaign combined phishing emails with fake "chatbot" landing pages hosted on free services, chiefly the minimalist publishing platform telegra.ph and Google Forms. The emails promised recipients substantial Bitcoin payouts and linked to pages claiming to automate cryptocurrency mining profits. Victims who followed the chain were eventually asked to pay a fraudulent "conversion fee" to release funds that did not exist, with the payments sent to wallets controlled by the attackers. Because the campaign was simple and relied on reputable free services rather than attacker-registered infrastructure, it evaded basic filtering and reached a wide audience repeatedly.
This incident is part of an ongoing rise in the abuse of cloud-based publishing and forms services for elaborate phishing scams. Attackers increasingly automate their social engineering, combining scripted chatbots with "cash out" lures that remain cost-effective and resilient even as major platforms improve traditional anti-phishing measures.
Why This Matters Now
Phishing campaigns that abuse low-cost publishing tools and automated chatbots are a growing threat in 2026: they slip past mainstream email security because the links point at trusted services, and they entice users with financial lures. Organizations must adapt to social engineering tactics that leverage cloud-hosted infrastructure and target crypto-curious users, as the trend is accelerating.
Attack Path Analysis
Attackers initiated the scam by sending phishing emails that linked to telegra[.]ph pages. Victims who clicked were walked through a fake chatbot and form flow that requested personal details and, ultimately, a payment, with each step deepening the victim's commitment rather than the attacker's access. This is a pure social-engineering fraud: no cloud privilege escalation, lateral movement or malware delivery is documented. What stood in for command and control was the ongoing exchange through web forms and chatbots that kept victims engaged, and exfiltration consisted of victims voluntarily entering sensitive information and transferring cryptocurrency to attacker-controlled wallets. The impact was financial loss and potential exposure of personal data.
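The lure chain above is entirely text and links, so it can be triaged at the mail gateway without any malware signature. The following is an added example, not code from the SANS ISC, Kaspersky or WIRED write-ups this report draws on: it extracts URLs from a message, flags links to the two abused services (telegra.ph pages and Google Forms under docs.google.com/forms/), and scores the message for the payout and conversion-fee wording the campaign used. The sample messages are constructed, and the phrase list, weights and threshold are assumptions to be tuned against real mail flow.

```python
"""Heuristic triage of inbound mail for the telegra.ph / Google Forms crypto-payout lure.

Added example for this report, not code from any of the cited sources. Sample
messages, phrase weights and the threshold are constructed/assumed values.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Google Forms live under docs.google.com/forms/...; a plain Docs link is not a hit.
FORM_PATH = re.compile(r"^/forms/", re.I)
# Phrases from the payout / conversion-fee script. Weights are assumed, not measured.
LURE_PHRASES = {
    r"\b(bitcoin|btc)\b": 1,
    r"\b(payout|withdraw(al)?|cash ?out)\b": 1,
    r"\b(conversion|transfer|activation) fee\b": 2,
    r"\bmining (profit|bot|robot)s?\b": 2,
}
LINK_WEIGHT = 2   # assumed: a link to an abused free service on its own is not decisive
THRESHOLD = 3     # assumed: link + at least one strong lure phrase, or several weak ones


@dataclass
class Verdict:
    score: int
    lure_urls: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading www. so comparisons are exact."""
    return host.lower().rstrip(".").removeprefix("www.")


def lure_links(text: str) -> list:
    """Return URLs that point at telegra.ph or at a Google Form.

    Matching is on the parsed hostname, so 'telegra.ph.evil.example' or a
    'docs.google.com@telegra.ph' userinfo trick is classified by the real host.
    """
    hits = []
    for raw in URL_RE.findall(text):
        u = urlparse(raw.rstrip(".,);"))
        host = normalize_host(u.hostname or "")
        if host == "telegra.ph" or (host == "docs.google.com" and FORM_PATH.match(u.path)):
            hits.append(raw)
    return hits


def triage(subject: str, body: str) -> Verdict:
    text = f"{subject}\n{body}"
    verdict = Verdict(score=0, lure_urls=lure_links(text))
    if verdict.lure_urls:
        verdict.score += LINK_WEIGHT
        verdict.reasons.append("link to abused free service: " + ", ".join(verdict.lure_urls))
    for pattern, weight in LURE_PHRASES.items():
        if re.search(pattern, text, re.I):
            verdict.score += weight
            verdict.reasons.append(f"lure phrase /{pattern}/")
    return verdict


# Constructed sample messages (not real campaign emails).
SCAM_MAIL = (
    "Your 1.42 BTC payout is ready",
    "Our mining robot finished the cycle. Claim your Bitcoin here: "
    "https://telegra.ph/Crypto-Payout-01-04 . A small conversion fee is required before withdrawal.",
)
BENIGN_DOC = (
    "Q1 planning doc",
    "Please review https://docs.google.com/document/d/abc123/edit and add comments before Friday.",
)
BENIGN_FORM = (
    "Team lunch survey",
    "Vote for a venue: https://docs.google.com/forms/d/e/1FAIpQL-example/viewform",
)

if __name__ == "__main__":
    for label, msg in (("scam", SCAM_MAIL), ("doc", BENIGN_DOC), ("form", BENIGN_FORM)):
        v = triage(*msg)
        print(f"{label:5} score={v.score} suspicious={v.suspicious} reasons={v.reasons}")
```

The link alone scores below the threshold, which is deliberate: Google Forms and telegra.ph carry plenty of legitimate traffic, and it is the combination of a free-service link with payout and fee language that distinguishes this campaign.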
Kill Chain Progression
Initial Compromise
Description
Attackers delivered phishing emails whose links led to telegra[.]ph pages and Google Forms; the compromise was purely social engineering, with no exploit or attachment involved.
MITRE ATT&CK® Techniques
Phishing (T1566)
Phishing: Spearphishing Link (T1566.002)
Acquire Infrastructure: Web Services (T1583.006)
User Execution: Malicious Link (T1204.001)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Awareness Training
Control ID: 12.6.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – User Security Awareness and Social Engineering Resilience
Control ID: Identity Pillar – Training & Awareness
NIS2 Directive – Technical and Organizational Measures for Incident Handling
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory and cloud security risks.
Financial Services
High risk that employees and customers are drawn into cryptocurrency payout scams that end in fraudulent transfers, requiring enhanced egress security and threat detection to catch the lure traffic before money moves.
Banking/Mortgage
Critical exposure to social engineering that exploits interest in cryptocurrency investment, necessitating zero trust segmentation and encrypted traffic monitoring for customer protection.
Capital Markets/Hedge Fund/Private Equity
Significant exposure to Bitcoin-based scams targeting investment professionals, demanding multicloud visibility and anomaly detection to safeguard digital asset transactions.
Investment Management/Hedge Fund/Private Equity
Elevated threat from cryptocurrency fraud campaigns using fake platforms, requiring inline IPS and cloud firewall protections for investment communication channels.
Sources
- Cryptocurrency Scam Emails and Web Pages As We Enter 2026 (SANS ISC diary, Sun, Jan 4th): https://isc.sans.edu/diary/rss/32594
- Form-idable foe: Crypto scammers target users through Google Forms (Kaspersky): https://me-en.kaspersky.com/about/press-releases/crypto-scammers-target-users-through-google-forms
- Scammers Will Try to Trick You Into Filling Out Google Forms. Don't Fall for It (WIRED): https://www.wired.com/story/how-to-avoid-google-forms-scams/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as network microsegmentation, strict egress policy enforcement and threat detection could have disrupted delivery of the phishing links, constrained misuse of any personal data or credentials entered into the fraudulent forms, and flagged anomalous outbound activity related to data submission or cryptocurrency transfers.
Control: Cloud Firewall (ACF)
Mitigation: Outbound access to malicious domains could have been blocked at the perimeter.
Control: Threat Detection & Anomaly Response
Mitigation: Alerting on atypical credential harvesting or suspicious form usage.
Control: Zero Trust Segmentation
Mitigation: Blocked unauthorized workload-to-workload or service-to-service connections.
Control: Egress Security & Policy Enforcement
Mitigation: Restricted communications with attacker-controlled infrastructure.
Control: Inline IPS (Suricata)
Mitigation: Detection of data exfiltration patterns and known scam signatures.
Comprehensive auditing and proactive response to minimize user impact.
Impact at a Glance
Affected Business Functions
- Customer Communications
- Financial Transactions
Estimated downtime: N/A
Estimated loss: $100,000
Potential exposure of personal and financial information of victims who interact with the fraudulent forms and websites.
Recommended Actions
Key Takeaways & Next Steps
- Implement URL and FQDN filtering at the cloud firewall to block access to known phishing and scam domains.
- Utilize automated anomaly detection to identify suspicious outbound data submissions and unusual authentication patterns.
- Apply zero trust microsegmentation to limit lateral movement from compromised endpoints or stolen credentials.
- Enforce rigorous egress security policies to restrict unapproved communications and data exfiltration paths.
- Maintain centralized, cross-cloud visibility to quickly identify, audit and respond to social engineering and phishing campaigns targeting users.
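URL and FQDN filtering sounds simple, but the matching logic is where egress policies go wrong: substring checks match the wrong domains, and a blanket block on docs.google.com would take out Google Docs along with Google Forms. The following is an added example, not a configuration from any firewall product or from the cited sources: a suffix-aware deny list that blocks telegra.ph and all of its subdomains, blocks only the /forms/ path on docs.google.com, and canonicalizes hosts so case, trailing dots and userinfo tricks do not bypass it. The deny list entries and sample requests are constructed; a real deployment would feed the list from threat intelligence.

```python
"""Suffix-aware FQDN/path deny list for outbound web traffic (egress policy check).

Added example for this report, not a product configuration or code from the
cited sources. Deny list entries and sample requests are constructed.
"""
from urllib.parse import urlparse

# A host entry blocks the name and every subdomain beneath it.
DENY_HOSTS = {"telegra.ph"}
# A path entry blocks only the listed prefixes on that host, so Google Docs
# links keep working while Google Forms links are denied.
DENY_PATHS = {"docs.google.com": ("/forms/",)}


def canonical_host(host: str) -> str:
    """Lower-case, strip the trailing dot and IDNA-encode so Unicode look-alike
    labels are compared in their ASCII form rather than silently differing."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def host_matches(host: str, entry: str) -> bool:
    """True if host equals entry or is a subdomain of it.

    The check is on label boundaries: a naive host.endswith(entry) would also
    block 'faketelegra.ph', and a naive `entry in host` would block
    'telegra.ph.example.com', which belongs to someone else entirely.
    """
    return host == entry or host.endswith("." + entry)


def egress_decision(url: str) -> tuple:
    """Return ('block' | 'allow', reason) for a single outbound request URL."""
    u = urlparse(url)
    host = canonical_host(u.hostname or "")
    if not host:
        return "block", "unparseable host"          # fail closed on garbage
    for entry in DENY_HOSTS:
        if host_matches(host, entry):
            return "block", f"host matches deny entry {entry}"
    for entry, prefixes in DENY_PATHS.items():
        if host_matches(host, entry) and any(u.path.startswith(p) for p in prefixes):
            return "block", f"path {u.path} on {entry} is denied"
    return "allow", "no policy match"


# Constructed sample requests covering the edge cases the matcher must get right.
SAMPLE_REQUESTS = [
    "https://telegra.ph/Crypto-Payout-01-04",            # the lure page itself
    "https://www.TELEGRA.ph./page",                      # case and trailing dot
    "https://docs.google.com@telegra.ph/claim",          # userinfo disguised as a trusted host
    "https://docs.google.com/forms/d/e/1FAIpQL-example/viewform",  # Google Form: blocked
    "https://docs.google.com/document/d/abc123/edit",    # Google Doc: allowed
    "https://faketelegra.ph/",                           # different domain: allowed
    "https://telegra.ph.example.com/",                   # different domain: allowed
]


def audit(urls=SAMPLE_REQUESTS) -> dict:
    """Map each URL to its decision; useful for checking a policy against a sample set."""
    return {url: egress_decision(url)[0] for url in urls}


if __name__ == "__main__":
    for url, decision in audit().items():
        print(f"{decision:5}  {url}")
```

Blocking an unparseable host is a deliberate fail-closed choice; if the policy engine cannot tell where a request is going, it should not let it out on the assumption that it is harmless.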