Home Cyber Security Telekopye: Chamber of Neanderthals’ secrets and techniques

Telekopye: Chamber of Neanderthals’ secrets and techniques

Telekopye: Chamber of Neanderthals’ secrets and techniques


We not too long ago revealed a blogpost about Telekopye, a Telegram bot that helps cybercriminals rip-off folks in on-line marketplaces. Telekopye can craft phishing web sites, emails, SMS messages, and extra.

Within the first half, we wrote about technical particulars of Telekopye and hinted at hierarchical construction of its operational teams. On this second half, we deal with what we had been in a position to find out about Neanderthals, the scammers who function Telekopye, their inner onboarding course of, completely different tips of commerce that Neanderthals use, and extra.

Key factors of this blogpost:

  • How aspiring Neanderthals be part of Telekopye teams.
  • Detailed view of the entire scamming operation from the Neanderthals’ perspective.
  • Evaluation of the rip-off situations and what every Neanderthal has to do so as to achieve success.
  • The instruments utilized by senior Neanderthals.
  • Insights into tips that Neanderthals use to lure their victims.
  • Highlights from an interview with one of many Telekopye directors.


Lately, we revealed an evaluation of Telekopye; on this follow-up blogpost, we deal with the Neanderthals’ techniques and modus operandi. Our info comes from three essential sources:

  1. supply code of the bot itself,
  2. evaluation of Neanderthals’ conversations from scamming teams we’ve infiltrated, and
  3. our evaluation of Neanderthals’ inner documentation – a set of paperwork, graphs, footage, and extra – that they use as their very own private information base. Such info is offered to newcomers to assist them with onboarding.

We might additionally prefer to thank Flare, who helped us in our analysis.

Becoming a member of a bunch

Telekopye teams recruit new Neanderthals through commercials in many alternative channels, together with underground boards. These commercials clearly state the aim: to rip-off on-line market customers, as seen in Determine 1.

Figure 1 Recruitment Telekopye scamming group
Determine 1. Recruitment for a Telekopye scamming group

Aspiring Neanderthals are required to fill out an software, answering primary questions like the place they discovered concerning the group and what expertise they’ve on this line of “work”. If permitted by current group members with sufficiently excessive function, the brand new Neanderthals can begin utilizing Telekopye to its full extent. Moreover, each Neanderthal is required to affix two channels: a bunch chat the place Neanderthals talk and the place guidelines and manuals are stored, and a separate channel the place transaction logs are stored. The method is demonstrated in Determine 2.

Figure 2 Application accepted
Determine 2. Accepted software that allows a brand new Neanderthal to affix group chat and transaction logs chat through hyperlinks within the message

Varieties of scams

There are three essential rip-off situations:

1. Vendor, internally known as 1.0.

2. Purchaser, internally known as 2.0.

3. Refund.

Determine 3 is the creation menu for the primary two rip-off situations, the place column 1 on the backside represents Vendor scams (1.0). The Refund rip-off situation is then tied to every rip-off situation individually. These rip-off sorts are described within the following subsections.

Figure 3 Example of creation menu
Determine 3. Instance of creation menu for various rip-off situations

Vendor rip-off

On this situation, Neanderthals pose as sellers and attempt to lure unsuspecting Mammoths into shopping for some non-existent merchandise. When a Mammoth exhibits curiosity within the merchandise, the Neanderthal persuades the Mammoth to pay on-line slightly than in particular person. If the Mammoth agrees, the Neanderthal supplies a hyperlink to a phishing web site offered by Telekopye and thoroughly crafted to resemble the fee web page of the respectable on-line market itemizing the reputed merchandise. In contrast to the respectable internet web page although, this web page asks for a web based banking login, bank card particulars (typically together with steadiness), or different delicate info. If the Mammoth enters this information, the phishing web site routinely steals it. Apparently, this information doesn’t turn into obtainable to the Neanderthal providing the merchandise on the market, however is processed by different Neanderthals. Determine 4 exhibits the Telekopye menu with already created phishing hyperlinks and Determine 5 demonstrates the communication throughout this rip-off situation.

Figure 4 Example of phishing links
Determine 4. Instance of phishing hyperlinks created by Telekopye for the Vendor rip-off situation
Figure 5 Fabricated example
Determine 5. Fabricated instance of dialog for the Vendor rip-off situation

Purchaser rip-off

On this situation, Neanderthals pose as patrons they usually analysis a Mammoth to focus on. They present curiosity within the merchandise a Mammoth is promoting and declare they already paid through the offering platform. The Neanderthals proceed to ship the Mammoths electronic mail or SMS messages (created through Telekopye) with a hyperlink to a fastidiously crafted phishing web site (additionally created through Telekopye; see Determine 6), claiming the Mammoth must click on this hyperlink so as to obtain their cash from the platform. The remainder of the situation is similar to the Vendor rip-off with slight variations throughout dialog (depicted in Determine 7).

Figure 6 Example of Buyer scam scenario
Determine 6. Instance of the Purchaser rip-off situation phishing web site
Figure 7 Example of conversation for Buyer scam scenario
Determine 7. Instance of dialog for the Purchaser rip-off situation

Refund rip-off

On this situation, Neanderthals create a scenario the place the Mammoth is anticipating a refund after which sends them a phishing electronic mail with a hyperlink to the phishing web site, as soon as extra serving the identical objective. Neanderthals both ship such emails to Mammoths they didn’t contact earlier, relying on them getting grasping and making an attempt to get this “refund” or they mix it with the Vendor rip-off situation – when Mammoths complain that they didn’t obtain their items, Neanderthals ship them refund phishing emails in an try and rip-off them for a second time.

Modus operandi

Now that now we have described the completely different rip-off situations, let’s take a look at what information the Neanderthals have gathered all through the years of their operation. Their inner documentation consists of photos, graphs, brief guides, and even advanced paperwork – the desk of contents of 1 such doc is illustrated in Determine 8.

Figure 8 Table of contents
Determine 8. Desk of contents from onboarding supplies (translated from Russian)

We additionally found that there are two sorts of Neanderthals. The primary form writes to each potential Mammoth and the opposite one is way pickier on the subject of searching for a possible Mammoth. There’s a little bit of rivalry between them because the extra cautious form argues that the “reckless” habits of the much less cautious scammers would possibly deliver a bit extra revenue, however it creates rather more public consciousness.


Getting ready for a rip-off differs based mostly on the chosen situation. For the Vendor rip-off situation, Neanderthals are suggested to arrange extra pictures of the merchandise to be prepared if Mammoths ask for extra particulars. If Neanderthals are utilizing footage they downloaded on-line, they’re purported to edit them to make picture search tougher.

For the Purchaser rip-off situation, the important thing a part of a Neanderthal’s preparation is how they select the Mammoth. Over time, Neanderthals have created tips to observe when selecting their targets – they contemplate gender, age, expertise in on-line marketplaces, ranking, opinions, variety of accomplished trades, and lots of extra indicators.

Market analysis

In virtually each group of Neanderthals, we are able to discover references to manuals with on-line market analysis from which Neanderthals draw their methods and conclusions. The supply of this analysis is normally a examine from 2017 by Avito and Information Perception company. Determine 9 illustrates the outcomes of 1 such analysis, depicting graphs of gender, age, expertise, and revenue distribution on a selected on-line market.

Figure 9 Neanderthals’ analysis of typical buyer
Determine 9. Neanderthals’ evaluation of a typical purchaser (translated from Russian)

Through the Purchaser rip-off situation, Neanderthals select their targets based mostly on the kind of gadgets they’re promoting. As an example, some teams keep away from electronics utterly. Then again, cellular gadgets are a valued class for different teams. The value of the merchandise can also be necessary – if too excessive, then Neanderthals is not going to goal such Mammoths, as they consider that the Mammoths’ vigilance will probably be a lot larger by default. Manuals suggest that Neanderthals, within the Purchaser rip-off situation, decide gadgets with a value between 1,000 to 30,000 rubles (€9.50 to €290 as of 20th October, 2023).

The placement of the Mammoth can also be necessary. Neanderthals focus extra on richer cities the place they anticipate extra listings and folks not preserving such an in depth eye on their very own funds.

Lastly, the scammers take the day of the month into consideration too. They purpose at days proper after folks obtain their paychecks, as they naturally anticipate they’re going to have extra money of their financial institution accounts.

Net scraping

Neanderthals make the most of internet scrapers to rapidly go although many on-line market listings and decide an ideal Mammoth who will fall for the rip-off; that is, as now we have already written, an important preliminary a part of the Purchaser rip-off situation.

We’re not conscious of customized internet scrapers carried out by Neanderthals, however their documentation mentions a couple of provided as respectable companies. Neanderthals scrape the focused market for listings, particulars of things, and consumer info, which ends up in a CSV or XML file. Neanderthals then use the outcomes to rapidly discover the fitting targets. We offer an instance of such a file in Determine 10.

Figure 10 Parsed info from Avito website
Determine 10. Parsed data from Avito web site within the class “cellphones” (translated from Russian)

Consumer rankings and expertise are of specific curiosity to Neanderthals, as they use this info to keep away from targets that they deem prone to spot the rip-off.

Avoiding in-person supply

For security causes, many Mammoths desire each in-person fee and in-person supply for offered items. That poses a problem for Neanderthals as they should persuade Mammoths to agree to make use of a supply service and on-line fee, in order that they will direct them to the phishing web site. Often, they declare they’re too distant or that they’re leaving the town for a enterprise journey for a couple of days. On the similar time, they attempt to look very within the merchandise to extend the probabilities that the Mammoth will conform to their suggestion.

Phishing internet web page hyperlink supply

Many respectable on-line marketplaces have an built-in chat characteristic and, alongside, moderation in place. Sending somebody a hyperlink by such a chat is normally a crimson flag and should very effectively lead to a ban. Neanderthals attempt to overcome this impediment by persuading Mammoths to proceed their dialog on a distinct chat platform that has much less monitoring.

Their arguments are similar to these towards in-person supply. They declare that they should go away their dwelling and can’t entry the chat from their cell phone, however are in a position to proceed their speak on one of many chat apps.

By their very own statistics, Neanderthals declare that about 50% of Mammoths will conform to a platform change and 20% of these will fall for the rip-off. This ends in a ten% success price general.

One other favored methodology of supply is utilizing electronic mail or SMS. Telekopye is ready to rapidly generate convincing phishing messages. Neanderthals use tips (a few of them illustrated in Determine 11) to study Mammoths’ electronic mail addresses or telephone numbers so as to ship them such messages. The benefit of this method is that asking for a telephone quantity or electronic mail handle will possible not set off any crimson flags for neither Mammoth nor chatting platform and the Neanderthal doesn’t want to influence the Mammoth to switch to a distinct chat platform.

Figure 11 Copy-n-paste text example
Determine 11. Copy-and-paste textual content instance (translated from Russian)


No AI is utilized by Telekopye. This can be stunning, however Neanderthals consider that their method is superior and fewer prone to be noticed by monitoring mechanisms. Because of this, the huge portion of their inner documentation is concentrated on communication strategies to realize the very best outcomes.

Incomes the Mammoth’s belief is essential to the success of a rip-off. Neanderthals typically deliberately don’t instantly reply to each message however wait (typically even a couple of hours) to create the phantasm that they’re busy with common on a regular basis life. Talking of time: they attempt to adapt to the Mammoth’s time zone so as to not increase suspicion.

They typically interact in chitchat first; they might even share a pretend private story. The entire objective is to search for crimson flags – indicators that may inform the Neanderthal that the Mammoth is just too suspicious or skilled. Since Neanderthals are targeted on revenue, they don’t need to spend time on Mammoths who find yourself recognizing the lure.

One other nice instance is that when Neanderthals make the most of the Purchaser rip-off situation, they guarantee Mammoths that they’ve already paid for the merchandise. This, mixed with the design of the phishing electronic mail that guarantees fast cash retrieval, ends in Mammoths being much less vigilant.

Skilled Neanderthals present newcomers with full conversations to take inspiration in; one such instance is offered in Determine 12.

Figure 12 Suggested conversation with Mammoth
Determine 12. Urged dialog with a Mammoth (translated from Russian)

Neanderthals solely tolerate a sure stage of resistance from Mammoths – in the event that they deem the rip-off just isn’t prone to succeed, they transfer to a distinct goal. Nonetheless, in the event that they really feel like they’ve virtually received, they’re very persuasive. An ideal instance is their documented method to conditions the place they efficiently harvest the Mammoth’s delicate information, however both the financial institution blocks the transaction or there are inadequate funds. In that case, Neanderthals could go so far as asking the Mammoth to make use of a member of the family’s card and even name their financial institution and authorize the switch themselves.

Neanderthals are able to reply many surprising questions concerning the legitimacy of their requests (see Determine 13).

Figure 13 Suggested way to scam
Determine 13. Urged strategy to rip-off extra perceptive Mammoths (translated from Russian)


As this operation targets Mammoths internationally, Neanderthals have to create the phantasm that they communicate the Mammoth’s language effectively sufficient. It’s fairly frequent to come across Russian-speaking Neanderthals who can write in English. Apparently, we had been in a position to cross-reference the Telegram nicknames of many Neanderthals with language-learning platform profiles. These accounts normally acknowledged that the proprietor speaks Russian and English. Clearly, the connection could be coincidental.

For a few years Neanderthals used Google Translate. Since at the least 2021, Neanderthals moved in the direction of different translators, resembling DeepL, as (of their opinion) it understands context higher.

In addition to utilizing translators, they’ve created many translation tables over time, with verified translations of frequent phrases into a number of languages. These translations are mostly from Russian to European languages (see Determine 14). Neanderthals simply copy and paste these translated sentences into the chat with the Mammoth.

Figure 14 Romanian-Russian and Portuguese-Russian
Determine 14. Instance of Portuguese-Russian and Romanian-Russian translation tables

Group particular options

We also needs to point out that completely different teams have completely different quality-of-life enhancements to Telekopye. For instance, when producing a phishing hyperlink (a end result might be seen in Determine 15), Neanderthals from one in every of these teams are requested a number of questions that allow them to have sure diploma of customization of every phishing web site. Essentially the most fascinating is the query about guide/computerized phishing web site technology. Within the case of guide technology, the Neanderthal should specify all info wanted to create the phishing web site. For Neanderthals posing as patrons, this takes from 10 to fifteen questions (Determine 16).

Figure 15 Example of phishing website creation process
Determine 15. Instance of computerized phishing web site creation course of by Telekopye, the place Neanderthal poses as a purchaser
Figure 16 Manual of phishing link creation process
Determine 16. Handbook phishing hyperlink creation course of

Within the case of computerized web page technology, the Neanderthal solely must specify the URL of the merchandise to “purchase” and to reply 5 questions (like what the customer’s title and telephone quantity are). Telekopye then scrapes all info from the web site and creates the phishing web site.

Anonymity and evasion

Neanderthals consider their teams are stuffed with “rats” (for instance, regulation enforcement or researchers). So, they religiously keep on with the principles, primarily no probing for info that would determine different members of the group. Breaking such guidelines could very effectively lead to being banned. The golden rule is “work extra speak much less”. As well as, they’re inspired to make use of VPNs, proxies, and TOR to remain secure. Neanderthals present newcomers with intensive guides and even interact in heated discussions over what packages or companies to make use of and why, together with browser preferences. Some Neanderthals even make the most of Orbot, a TOR variant for Android.


Neanderthals want to cover not solely their identities and placement, but additionally their cash. Naturally, cryptocurrencies are the reply to that. We weren’t ready to attract any conclusions concerning cryptocurrency desire.

Lastly, Neanderthals desire companies for which they will register utilizing solely a cell phone quantity. They contemplate this the very best method, since it’s comparatively straightforward to purchase a SIM card whereas not disclosing their identification.

Bypassing computerized detection

On-line market scams are nothing new. Over time, the platforms offering these companies have carried out a variety of strategies to counter scammers and improve their prospects’ safety. The Neanderthals are conscious of this and proceed to experiment with completely different approaches to beat the platforms’ moderation insurance policies. One early and slightly silly try was to make the most of Google Types to phish private info from Mammoths (as seen in Determine 17). Contemplating the data they focused, the objective was to acquire a way to speak by a distinct channel – electronic mail or SMS – the place strict moderation wouldn’t happen.

Figure 17 Phishing with Google Forms
Determine 17. Instance of phishing with Google Types


These days, virtually all Neanderthals attempt to switch their Mammoths to much less policed, respectable chat platforms. Neanderthals select them as a result of they consider banning accounts there takes time. Moreover, sending varied hyperlinks over chat platforms is frequent apply slightly than suspicious habits. As a bonus, virtually everyone is aware of such purposes, so Neanderthals don’t have to elucidate how they work.

Regardless of contemplating these platforms a lot safer, Neanderthals tread fastidiously nonetheless. They keep away from sending too many messages in a brief time period and attempt to personalize messages for various Mammoths – Telekopye aids them tremendously on this effort.

Exploring new territories: Actual property rip-off

Among the Neanderthals’ teams point out a distinct type of rip-off situation – one which targets actual property renters. The rip-off works as follows. Through the preparation stage, Neanderthals write to a respectable proprietor of an condominium, pretending to have an interest and ask for varied particulars, resembling extra footage and what sort of neighbors the condominium has. The Neanderthals then take all this info and create their very own itemizing on one other web site, providing the condominium for hire. They lower the anticipated market value by about 20%. The remainder of the situation is similar to Vendor rip-off situation – the Neanderthal waits for a Mammoth to point out curiosity, and directs the Mammoth to pay a reservation payment through a hyperlink that, in fact, really factors to a phishing web site.

Due to ESET’s telemetry we discovered that the phishing web sites used on this rip-off situation are suspiciously much like those Telekopye creates for the Purchaser and Vendor situations. This, mixed with the rip-off being marketed by Telekopye teams, leads us to consider that there’s a connection. Nonetheless, we neither infiltrated any group specializing on this situation nor obtained a Telekopye variant designed for it.


When crawling by completely different manuals, teams, and extra supplies, we discovered an interview with a Telekopye administrator that was finished on the finish of 2020. This helped us get a novel perception into the thoughts of a high-ranked Neanderthal. The interviewed Telekopye administrator operated a Telekopye group specializing in instructing new Neanderthals.

The administrator is at one level requested how he sees the way forward for this line of “work”. To that, he responds that “On-line market scams will at all times be current. It’s a lot tougher [to scam] than it was once due to banning insurance policies on completely different websites. However it’s simply not potential to cease all phishing on these websites”. He additionally says that he doesn’t rip-off anymore. He simply obtained uninterested in it and now works solely as administrator/tutor and that’s why his group is so distinctive. “I don’t worry Mammoths. Each different Mammoth will threaten you after they notice they’ve been scammed. Apparently, everybody today is a spouse or a good friend of a minister of inner affairs”, says the administrator.

When requested whether or not he is considering creating a brand new rip-off venture, he says that he doesn’t have time for that. He moderates two channels, has an lively life-style, does a whole lot of coaching, and he has solely 4 hours a day at dwelling.

He additionally confesses that he’s totally conscious that this sort of a job isn’t sincere however finds a typical excuse for himself. “… some folks will continually pay for hyperlinks, and somebody will continually throw them. Whoever tries arduous in life will succeed.”. On high of that he says that if he feels sorry for Mammoth, he asks himself: “Why am I scamming them within the first place? Nicely… I solely steal from the wealthy (analysis word: Mammoths that most likely have at the least €200 of their account) and if my conscience had been that fragile, I’d go work as a supply man”.


On this second installment devoted to Telekopye, now we have targeted on what we discovered about Neanderthals. Due to getting access to each their inner communication and their information base, now we have offered not solely descriptions of various rip-off situations, however primarily a novel perception into their modus operandi and mindset.

We have now demonstrated how the admission course of for newcomers seems like and the way Telekopye aids Neanderthals of their each day work. As well as, now we have proven that they most likely are experimenting with actual property scams as effectively.

On-line market scams are possible not going away. As we demonstrated in the primary installment, we had been in a position to uncover dozens of teams working Telekopye. That mentioned, by having our distinctive perception into the scammers’ operation, we consider lots might be discovered so as to shield customers of such platforms from hurt.

IoCs and a MITRE ATT&CK strategies desk had been offered within the first a part of this evaluation, and are unchanged, so please seek advice from that article for these.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis gives personal APT intelligence experiences and information feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.



Please enter your comment!
Please enter your name here