Hackers Attacking Investors Via Fraud Networks to Steal Financial Data

A sophisticated cybercriminal campaign targeting Indian investors through fraudulent stock and cryptocurrency schemes has escalated, with hackers leveraging social engineering, fake mobile applications, and compromised government websites to steal financial data.
These attacks exploit the rapid growth of digital investment platforms, using Telegram channels, UPI payment systems, and fake trading apps to drain victims’ funds.
The malware campaign has impacted thousands of investors, with losses exceeding ₹50 crore ($6 million) in verified cases.
The attackers operate by creating fake investment companies, impersonating legitimate entities like Binance and Tesla, and promoting unrealistic returns through Telegram groups such as “BITCOIN MONEY EARNING” (19,800+ subscribers) and “Wolf calls PAID Channel” (3,887 subscribers).
These groups share fabricated UPI payment receipts and fake stock charts to lure victims into depositing funds.
Cyfirma analysts noted a network of 15+ fraudulent Android applications, including stockheaven[.]site, which impersonate legitimate trading platforms.
Once users deposit funds via UPI IDs like alomwebtechnology@upi, withdrawals are blocked, and personal data is harvested for further exploitation.
Infection Mechanism and Malware Behavior
The malware’s infection chain begins with victims clicking Telegram or WhatsApp links promising “guaranteed returns.”
These links redirect to phishing pages mimicking government portals or compromised educational institution websites.
For example, attackers exploited an XSS vulnerability on an Indian engineering college’s domain to host a fraudulent stock analysis tool labeled “Top Agricultural Stocks Expert Trader Group.”
Users attempting to access this tool are redirected to a spoofed WhatsApp group named “Elite Stock Trading Group,” which distributes APK files disguised as trading apps.
Cyfirma researchers decompiled one such APK (SHA256: 3adea28201bd604a8298d9336b592300fc09f4c53535ec3e7394f48c0fc00a60) and uncovered hardcoded redirection logic to malicious domains like etf99[.]xyz.
The app uses WebView to load external content, masking its malicious intent:
if (dataString.startsWith("https://stockheaven.site/user/dashboard")) {
    this.f657t.loadUrl(dataString);
    this.f662y.setOnRefreshListener(new q0(22, this));
}
This code injects a hidden WebView component that loads stockheaven[.]site, a fraudulent trading interface.
Users who enter UPI details or bank credentials have their data exfiltrated to a command-and-control server linked to Chinese operators, as evidenced by Mandarin comments in the APK’s source code.
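As an added triage example (not from the Cyfirma report or the app's own code), the script below scans decompiled APK source for hardcoded URL literals handed to WebView.loadUrl() or compared with startsWith(), refangs the report's defanged indicators and flags any match; the sample source lines and the api.example-bank.test host are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Indicators as published in the report (defanged); refang() restores the dots.
REPORTED_IOCS = ["stockheaven[.]site", "etf99[.]xyz"]

# Constructed sample in the style of the decompiled activity (not the real APK).
SAMPLE_SOURCE = """
if (dataString.startsWith("https://stockheaven.site/user/dashboard")) {
    this.f657t.loadUrl(dataString);
}
this.f657t.loadUrl("https://etf99.xyz/landing?ref=" + refCode);
webView.loadUrl("https://www.google.com/");
String api = "https://api.example-bank.test/v1/upi";
"""

URL_RE = re.compile(r'"(https?://[^"\s]+)"')

def refang(ioc):
    """Turn a defanged indicator such as etf99[.]xyz back into a real hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def extract_hosts(source):
    """Yield (line_no, host, in_webview_call) for every hardcoded URL literal."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host:
                in_webview = "loadUrl(" in line or "startsWith(" in line
                hits.append((n, host.lower(), in_webview))
    return hits

def triage(source, iocs=REPORTED_IOCS, allowlist=()):
    """Flag known IoC hosts anywhere, and unknown hosts fed to the WebView."""
    known = {refang(i).lower() for i in iocs}
    findings = []
    for n, host, in_webview in extract_hosts(source):
        if host in known:
            findings.append({"line": n, "host": host, "verdict": "known-ioc"})
        elif in_webview and host not in allowlist:
            findings.append({"line": n, "host": host, "verdict": "webview-external"})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['host']} -> {f['verdict']}")
```

Run against a real decompilation, every webview-external hit still needs a human look, since legitimate apps also load remote dashboards; the value is in surfacing hardcoded hosts for comparison with threat-intel feeds.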
The malware also employs persistence tactics by simulating legitimate app behavior, such as generating fake transaction histories and offering referral bonuses to encourage wider dissemination.
The campaign highlights the convergence of social engineering and technical sophistication in modern financial fraud.
Cyfirma recommends that investors verify platform legitimacy through regulatory bodies like SEBI and avoid unsolicited investment offers on messaging apps.
Enterprises are urged to monitor for domain impersonation and conduct regular vulnerability assessments to prevent website compromises.
As cryptocurrencies and digital trading gain traction in India, cybersecurity experts warn that such attacks will likely proliferate, necessitating coordinated efforts between regulators, platforms, and users to mitigate risks.
The post Hackers Attacking Investors Via Fraud Networks to Steal Financial Data appeared first on Cyber Security News.