Full Report
ESET Research shares new findings about Telekopye, a scam toolkit used to defraud people on online marketplaces, and newly on accommodation booking platforms
Analysis Summary
# Threat Actor: Telekopye Scammer Network ("Neanderthals")
## Attribution & Identity
The activity is attributed to organized scammer networks referred to as "Neanderthals" who utilize the **Telekopye** toolkit. Multiple leads suggest the country of origin for the bot's author(s) and the scammers themselves is **Russia**. Telekopye is described as a Telegram-based toolkit that facilitates organized illicit business operations for numerous scam groups.
## Activity Summary
The core activity revolves around defrauding users ("Mammoths") on online marketplaces and, more recently, accommodation booking platforms.
* **Evolution:** The network has expanded its operations beyond traditional online marketplaces (OLX, Vinted, eBay, Wallapop) to users of popular accommodation booking platforms such as **Booking.com** and **Airbnb**, a shift ESET observed in 2024.
* **New Scenario:** For accommodation platform scams, they utilize a sophisticated twist involving **compromised accounts of legitimate hotels and accommodation providers**.
* **Scale:** The toolkit has been in use since at least 2016, supporting dozens of scam groups with thousands of members, aiming to steal millions.
* **Seasonal Impact:** Accommodation booking scams were particularly prevalent during the summer holiday season, surpassing standard marketplace scams in volume according to ESET telemetry.
* **Organization:** Groups operate with a business-like structure: a clear hierarchy, defined roles (Workers, administrators), internal practices, fixed working hours, and commission payouts. Workers carry out the scam conversations by hand but do not cash out themselves; they hand the stolen card data and credentials to other roles responsible for the monetary theft.
## Tactics, Techniques & Procedures
The operations are managed via a Telegram bot UI that simplifies phishing material generation:
- Gathers payment card details, phone numbers, and emails via phishing web pages. (T1589 - Gather Victim Identity Information)
- Registers external domains for operations. (T1583.001 - Acquire Infrastructure: Domains)
- Establishes accounts on targeted online marketplaces. (T1585 - Establish Accounts)
- Sets up associated email accounts. (T1585.002 - Establish Accounts: Email Accounts)
- Utilizes compromised email accounts for increased stealth. (T1586.002 - Compromise Accounts: Email Accounts)
- Develops and maintains the **Telekopye** toolkit itself as a custom capability. (T1587.001 - Develop Capabilities: Malware)
- Leverages additional bots for tasks like money laundering, scraping, and DDoS protection. (T1588.002 - Obtain Capabilities: Tool)
- Executes phishing campaigns via email or SMS containing links to malicious websites. (T1566.002 - Phishing: Spearphishing Link)
- Captures sensitive information through web portals mimicking legitimate payment gateways. (T1056.003 - Input Capture: Web Portal Capture)
## Targeting
- Sectors: Online marketplaces, online accommodation booking (hotel/apartment reservations).
- Geography: Targeted services spanning **Europe and North America**. Victims are located "all over the world."
- Victims: Buyers and sellers ("Mammoths") on platforms like OLX, Vinted, eBay, Wallapop, Booking.com, and Airbnb. The accommodation scams specifically target users of these platforms, potentially using compromised hotel accounts.
## Tools & Infrastructure
- Malware families used: **Telekopye** (Telegram-based toolkit/bot).
- Infrastructure (C2, domains, IPs):
  - `order-9362[.]click` (Cloudflare, Inc.)
  - `shiptakes[.]info` (Cloudflare, Inc.)
  - `quickroombook[.]com` (Cloudflare, Inc.)
  - `validation-confi[.]info` (Cloudflare, Inc.)
  - *Note: The article mentions an additional phishing domain ending in `com` hosted on Cloudflare, Inc., but the specific domain name is truncated in the provided context.*
Additional tools include bots for money laundering, scraping, and DDoS protection.
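The four domains above are the only concrete indicators the report gives, so the practical next step is to sweep proxy and DNS logs for them. The following Python is an added example for this summary, not ESET's code: it refangs the indicators exactly as listed, matches a hostname only when it equals an indicator or is a subdomain of one (so `shiptakes.info.example.net` does not fire), and runs that check over a few log lines. The log lines, the client IPs, the `pay.` subdomain and the Squid-style and dnsmasq-style line formats are constructed for illustration and are not from the report.

```python
"""Sweep proxy/DNS logs for the Telekopye phishing domains listed above.

Added example for this summary, not ESET's code. Only the four defanged
indicators come from the report; every log line below is constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Indicators copied from the report in their defanged form.
DEFANGED_IOCS = [
    "order-9362[.]click",
    "shiptakes[.]info",
    "quickroombook[.]com",
    "validation-confi[.]info",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('x[.]com', 'hxxps://') back into a usable one."""
    s = indicator.strip().lower()
    for defanged in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(defanged, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_IOCS)


def host_matches(host: str, iocs=IOC_DOMAINS) -> Optional[str]:
    """Return the matching indicator if host is an IOC domain or a subdomain of it.

    A host that merely starts with an indicator (shiptakes.info.example.net)
    is a different registrable domain and must not match.
    """
    h = host.lower().rstrip(".")
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


# Minimal parsers for two constructed log shapes: a Squid-style native access
# log line and a dnsmasq-style query line. Use proper parsers on real logs.
PROXY_RE = re.compile(r"^\S+ +\d+ (?P<src>\S+) \S+ \d+ \w+ (?P<url>\S+)")
DNS_RE = re.compile(r"query\[\w+\] (?P<qname>\S+) from (?P<src>\S+)")


def extract_host(line: str) -> Optional[Tuple[str, str]]:
    """Return (source_ip, hostname) for a recognised log line, else None."""
    m = PROXY_RE.match(line)
    if m:
        return m.group("src"), urlparse(m.group("url")).hostname or ""
    m = DNS_RE.search(line)
    if m:
        return m.group("src"), m.group("qname")
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Collect (source_ip, host, matched_ioc) for every line that touches an IOC."""
    hits = []
    for line in lines:
        parsed = extract_host(line)
        if not parsed:
            continue
        src, host = parsed
        ioc = host_matches(host)
        if ioc:
            hits.append((src, host, ioc))
    return hits


# Constructed sample log: two proxy lines and two DNS lines. The IPs use
# documentation ranges; pay.validation-confi.info is a made-up subdomain.
SAMPLE_LOG = """\
1720000000.123    452 10.0.0.15 TCP_MISS/200 5123 GET https://quickroombook.com/booking/confirm?id=1 - HIER_DIRECT/203.0.113.7 text/html
1720000001.456    120 10.0.0.15 TCP_MISS/200 2210 GET https://www.booking.com/hotel/de/example.html - HIER_DIRECT/203.0.113.8 text/html
Jul  3 10:00:02 dnsmasq[1234]: query[A] pay.validation-confi.info from 10.0.0.22
Jul  3 10:00:03 dnsmasq[1234]: query[A] shiptakes.info.example.net from 10.0.0.23
"""

if __name__ == "__main__":
    for src, host, ioc in scan(SAMPLE_LOG.splitlines()):
        print(f"{src} contacted {host} (matches indicator {ioc})")
```

Only the first proxy line and the first DNS line are reported; the legitimate `www.booking.com` request and the look-alike `shiptakes.info.example.net` query are ignored. Add any newly published domains to `DEFANGED_IOCS` in their defanged form and `refang` handles the rest.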
## Implications
This actor group poses a significant and organized financial threat due to the automation provided by the Telekopye toolkit, which lowers the barrier to entry for cybercriminals. Their expansion into travel/accommodation platforms, especially utilizing compromised legitimate business accounts, indicates a mature, adaptive approach focused on maximizing financial gain by exploiting seasonal opportunities and increasing targeting sophistication. They successfully steal payment card information and online banking credentials at scale.
## Mitigations
- Users should be wary of unexpected payment links or credential entry requests originating from online marketplaces or booking platforms, especially when dealing with sellers/hosts viewed as legitimate.
- Maintain vigilance during peak seasons (e.g., summer holidays) when scam activity relating to booking platforms increases.
- Organizations, and accommodation providers in particular, can reduce risk by protecting the accounts they hold on booking platforms with strong (multi-factor) authentication, so that a compromised host account cannot be turned against their own guests by the Telekopye network.
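The first mitigation above is a judgement call the user has to make in the moment; the scam works precisely because the link arrives in a conversation that looks legitimate. The following Python is an added example for this summary, not code from ESET or from any of the platforms named, showing how a mail gateway or browser extension could make that call mechanically: a link is trusted only if its registrable domain is an allowlisted platform, and otherwise it is ranked by whether the host carries a platform brand name, hides the real host behind a `user@` prefix, uses a punycode label, or contains a payment or booking lure word. The allowlist, the brand and lure word lists, the simplified registrable-domain logic and all sample URLs are assumptions constructed for the example; the look-alike hosts reuse the domains listed in the report.

```python
"""Vet a payment or 'confirm your booking' link before a user follows it.

Added example for this summary, not ESET's or any platform's code. The
allowlist, keyword lists and sample URLs are constructed assumptions.
"""
from typing import Tuple
from urllib.parse import urlparse

# Registrable domains of platforms named in the report (assumed allowlist; a
# deployment would take this from vetted configuration, not a hardcoded set).
PLATFORM_DOMAINS = {"booking.com", "airbnb.com", "ebay.com", "vinted.com", "wallapop.com"}
# Brand names whose presence in a non-allowlisted host signals impersonation.
BRAND_WORDS = ("booking", "airbnb", "ebay", "vinted", "wallapop", "olx")
# Lure words of the kind seen in the report's phishing domains (assumed list).
LURE_WORDS = ("book", "room", "order", "validation", "confirm", "ship", "pay", "secure")
# Simplification of the public suffix list; use a real PSL library in production.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a host (eTLD+1), simplified."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def vet_link(url: str) -> Tuple[str, str]:
    """Classify a link as trusted, impersonation, suspicious, untrusted or reject."""
    p = urlparse(url.strip())
    if p.scheme not in ("http", "https"):
        return "reject", f"non-web scheme {p.scheme!r}"
    if "@" in p.netloc:
        # https://booking.com@evil.example/ resolves to evil.example.
        return "impersonation", "credentials in the URL authority hide the real host"
    host = (p.hostname or "").lower().rstrip(".")
    if not host:
        return "reject", "no host in URL"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label, possible homoglyph domain"
    domain = registrable_domain(host)
    if domain in PLATFORM_DOMAINS:
        return "trusted", f"registrable domain {domain} is an allowlisted platform"
    if any(brand in host for brand in BRAND_WORDS):
        return "impersonation", f"platform brand in host but registrable domain is {domain}"
    if any(word in host for word in LURE_WORDS):
        return "suspicious", f"payment/booking lure word in untrusted host {domain}"
    return "untrusted", f"{domain} is not an allowlisted platform"


# Constructed sample links: one genuine, the rest modelled on the report's domains.
SAMPLE_LINKS = [
    "https://secure.booking.com/pay/123",
    "https://www.booking.com.validation-confi.info/confirm",
    "https://booking.com@order-9362.click/pay",
    "https://quickroombook.com/booking/confirm",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = vet_link(link)
        print(f"{verdict:14} {link}  ({reason})")
```

Note that the check is on the host, never on the path: `quickroombook.com/booking/confirm` is flagged because of the host, and a genuine `booking.com` path containing odd words is still trusted. Anything other than `trusted` should be surfaced to the user with the reason string, since the whole point of the scam is that the surrounding conversation looks fine.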