Scammers Launch Telegram-Style Investment Fraud Targeting Relocants and VPN Users

The company **F6**, a leader in developing technology to combat cybercrime, is raising awareness about a new investment fraud scheme. Fraudsters are enticing users on Telegram with promises of earning up to **350** euros per day through active content viewing. A notable feature of this scam is the leverage of social media and messaging apps to verify if potential victims have a premium account status. This scheme primarily targets Russian-speaking users of messaging services and social networks located outside Russia or using a **VPN**. At least **22** domains are involved in this investment scam.

Analysts from F6’s Digital Risk Protection department have identified a new method being employed by scammers to lure Telegram users into investment schemes.

The specialists discovered fake websites promising Telegram users earnings of up to **350** euros daily. The scammers claim that the revenue source is the «capitalization of the company» and that the guarantee of income is attributed to «neural technologies.»

Under the pretext of verifying account status, users are asked to input their names, but this step is fruitless. The subsequent page falsely indicates a successful verification and the existence of a Premium account, even for users who do not have a Premium subscription. The scammers claim that such status applies to less than 2% of users and request an email address and phone number to receive «income from the account,» supposedly generated through activity like content views, likes, and comments. After submitting this information, users are told to await a call from a «personal manager,» a common tactic in investment scams. This so-called «investment expert» is actually an employee of a fraudulent call center tasked with convincing the potential victim to invest money in a «profitable project» through promises of high returns.

The design of the fake websites incorporates Telegram’s branding colors and logos, but they do not explicitly mention that the misleading earnings offer is made on behalf of the messenger—likely to complicate detection and blocking efforts.

Additionally, F6 analysts have found similar fraudulent sites targeting **WhatsApp** and **Facebook** users, the latter being owned by Meta, a company labeled extremist and banned in Russia. The main distinction between these sites lies in the brand colors and iconography used for disguise, as well as the promised income amounts. WhatsApp users are promised up to **35** euros a day, while Facebook users could allegedly earn nearly 20 times more, up to **600** euros daily.

According to F6’s Digital Risk Protection analysts, at least **22** domains are affiliated with this investment scam scenario.

Potential victims are lured to these fake sites via social networks such as **Facebook** and **Instagram**, which are also owned by Meta. Scammers typically create accounts with generic names like «Urgent News» and «News Now,» posting messages about the high earnings users could supposedly acquire through their social media engagement. They enhance the visibility of these posts through advertising and create fake media pages with template headlines like «New income source revealed … (name of any well-known Russian figure) …». Links from these posts direct to fraudulent websites resembling those of Telegram, WhatsApp, and Facebook.

A distinctive aspect of this new fraud scheme is its strategy of attracting potential victims through social media account verification for premium status. This operation is aimed at Russian-speaking users who are abroad or using circumvention services that bypass restrictions established in Russia.

«Fraud schemes targeting Russian relocators have been on our radar since autumn 2022, when scammers began aggressively rolling out scenarios involving fake dating against Russian-speaking users in Georgia, Armenia, Azerbaijan, the UAE, Germany, the Czech Republic, and Central Asian countries. We have been documenting scams against Russian VPN users for the past three years, and now the perpetrators are shifting their focus to this category with investment schemes,» emphasizes **Evgeny Egorov**, senior analyst at F6’s Digital Risk Protection department.

F6 experts suggest several precautions to avoid falling victim to such fraud tactics:

— Do not believe promises of guaranteed high income in a short time frame.
— Only trust verified information sources.
— Avoid clicking on links from dubious messages on social media and messaging apps.
— Keep your financial information secure: never share personal details, bank card information, codes, or passwords from SMS with others, and do not enter them on unfamiliar websites.
— Never transfer money to strangers under any circumstances.
— In any confusing situation, consult with someone you trust before taking action.
— Remember that investing always carries risks, and actual expected returns will likely be much lower than those promised on questionable websites.
— Brokerage activities in our country are regulated by the state. Brokers must have a license from the Bank of Russia; a list of such brokers can be found on the Central Bank’s website, which also lists the broker’s official online resources.
— Fraudsters often use domain names similar to well-known brands for fake sites. Pay attention to the spelling of the domain and the registration date by utilizing Whois services.