Classiscam Operation Siphons .5 Million From Victims Across 79 Countries

The cybersecurity landscape in 2023 faces an increasingly sophisticated threat as the Classiscam operation, a scam-as-a-service platform, continues to expand its reach across 79 countries, amassing $64.5 million in illicit earnings since its emergence in 2019. With Bitcoin trading at $25,868 and Ethereum at $1,637 as of early September, the crypto ecosystem remains a prime target for organized fraud operations that blend social engineering with automated phishing infrastructure.

The Exploit Mechanics

Classiscam operates through a highly organized pyramid structure managed via 1,366 distinct Telegram groups. The operation relies on automated Telegram bots that generate phishing pages on demand, allowing even low-skilled criminals to participate. When a scammer identifies a target on a classified marketplace, the bot creates a convincing fake payment page within seconds. The victim receives a link — often shared through WhatsApp or Telegram — that mirrors a legitimate banking or payment portal.

What sets Classiscam apart from traditional phishing campaigns is its industrialization. The platform provides templates for 251 different brands, including major banks, e-commerce platforms, and cryptocurrency exchanges. Workers — the lowest tier in the criminal hierarchy — interface directly with victims, while “bombers” redirect them to spoofed pages. Supporters maintain the technical infrastructure, and administrators oversee recruitment and day-to-day operations.

A particularly insidious recent evolution involves a balance-check feature on phishing pages. Before charging the victim, the scam page asks users to verify their account, allowing criminals to assess how much money is available and tailor their theft accordingly. Some groups have also begun deploying stealer malware alongside their phishing campaigns, harvesting stored credentials and cryptocurrency wallet keys from infected devices.

Affected Systems

The geographic spread is staggering. European nations account for 62.2% of all fraudulent transactions, with Germany, Poland, Spain, Italy, and Romania experiencing the highest volumes. The Middle East and Africa represent 18.2% of victims, while the Asia-Pacific region accounts for 13%. The operation initially targeted Russia before expanding worldwide during the COVID-19 pandemic, capitalizing on the surge in online shopping and remote transactions.

Cryptocurrency users face heightened risk as Classiscam groups increasingly incorporate crypto-specific scams, including fake exchange login pages and fraudulent wallet verification portals. The connection to the broader cybercrime ecosystem is confirmed by Group-IB, which identifies Classiscam as the same operation tracked by ESET under the name Telekopye — a phishing kit that powers much of this criminal activity.

The Mitigation Strategy

Defending against Classiscam requires a multi-layered approach. First, never follow payment links shared through messaging apps, even if the sender appears legitimate. Always navigate directly to the official website or app. Second, enable two-factor authentication on all financial and cryptocurrency accounts using a hardware security key rather than SMS-based verification, which can be intercepted through SIM-swapping attacks.

For cryptocurrency holders specifically, hardware wallets remain the gold standard for asset protection. The recent wave of private key compromises — including the Stake.com breach that drained $41.3 million across multiple chains — demonstrates that even large platforms can fall victim to key theft. Storing private keys in cold storage, disconnected from internet-facing systems, eliminates the primary attack vector used by these criminal operations.

Organizations should implement domain monitoring to detect phishing sites impersonating their brand, and individuals should verify URLs carefully before entering any credentials. The automated nature of Classiscam means these phishing pages can be generated and discarded rapidly, making traditional blocklist approaches less effective than behavioral detection and user education.

Lessons Learned

The Classiscam operation illustrates the professionalization of cybercrime. With $64.5 million in cumulative theft, 1,366 active groups, and operations spanning 79 countries, this is not opportunistic fraud — it is an industry. The scam-as-a-service model lowers the barrier to entry for would-be criminals while generating recurring revenue for operators at the top of the pyramid.

The cryptocurrency community must recognize that threats extend beyond smart contract exploits and exchange hacks. Social engineering attacks targeting individual users through marketplace fraud represent a significant and growing vector. As Bitcoin hovers around $26,000 and the total crypto market cap exceeds $1 trillion, the financial incentives for these operations will only intensify.

User Action Required

If you have recently conducted transactions on classified marketplaces and followed links sent through messaging platforms, immediately check your financial accounts for unauthorized transactions. Change passwords for any accounts where credentials may have been entered on suspicious pages. For cryptocurrency users, transfer assets to a hardware wallet and generate new receiving addresses. Report any confirmed fraud to local law enforcement and relevant platforms. The fight against operations like Classiscam depends on both individual vigilance and coordinated international enforcement.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals before making security decisions.