
Cryptocurrency Scam Emails and Web Pages As We Enter 2026, (Sun, Jan 4th)

Medium
Phishingweb
Published: Sun Jan 04 2026 (01/04/2026, 04:30:30 UTC)
Source: SANS ISC Handlers Diary

Description

Introduction

AI-Powered Analysis

Last updated: 01/04/2026, 04:43:50 UTC

Technical Analysis

This ongoing cryptocurrency scam campaign, documented by the SANS Internet Storm Center, uses phishing emails containing minimal messaging and links to free publishing platforms such as telegra.ph and Google Forms. The campaign began in October 2025 and persists into 2026, targeting potential victims with promises of substantial Bitcoin payouts allegedly owed to them from an automated Bitcoin mining cloud platform. The emails often contain links to Google Forms that funnel victims to telegra.ph pages hosting the scam content. These pages feature fake chatbots and interfaces designed to convince victims they have over $100,000 worth of Bitcoin. To access or convert these funds, victims are instructed to pay a fee, which is sent to wallets controlled by the scammers. The campaign leverages the ease of creating and hosting content on free platforms, making it cost-effective and scalable for attackers. The scam relies heavily on social engineering, exploiting victims' interest in cryptocurrency gains without deploying malware or exploiting software vulnerabilities. The campaign's persistence and use of trusted platforms like Google Forms increase its credibility to unsuspecting users. No technical exploits or vulnerabilities are involved, but the financial impact on victims can be significant. The campaign does not require victims to authenticate or perform complex actions beyond interacting with phishing content and sending payments.

Potential Impact

European organizations and individuals face financial risks from this scam, particularly those involved or interested in cryptocurrency investments. While the campaign targets individuals rather than enterprise systems, employees falling victim could lead to indirect impacts such as financial loss, decreased trust in corporate communications, and potential exposure of corporate email addresses to further phishing attempts. The use of legitimate platforms like Google Forms and telegra.ph complicates detection and blocking efforts, increasing the likelihood of successful phishing attempts. The campaign's persistence suggests ongoing risk, especially as cryptocurrency remains popular in Europe. Financial institutions and cryptocurrency exchanges in Europe might see increased phishing attempts targeting their customers, potentially undermining trust in digital financial services. The campaign does not threaten system availability or integrity but poses a significant confidentiality and financial risk to individuals. Organizations may also face reputational damage if employees are compromised or if phishing emails spoof corporate domains.

Mitigation Recommendations

European organizations should implement targeted phishing awareness training emphasizing cryptocurrency-related scams and the risks of interacting with unsolicited emails containing links to free publishing platforms. Email filtering solutions should be tuned to detect and quarantine messages containing links to known abused platforms like telegra.ph and suspicious Google Forms, using threat intelligence feeds and URL reputation services. Deploy advanced anti-phishing technologies that analyze email content and URLs dynamically to identify and block emerging scam campaigns. Encourage employees to verify unsolicited cryptocurrency-related communications through official channels before taking any action. Implement DMARC, DKIM, and SPF email authentication protocols to reduce the risk of domain spoofing in phishing emails. Monitor corporate email accounts for signs of compromise and unusual outgoing payments that could indicate successful scams. Collaborate with local law enforcement and cybersecurity agencies to report and track phishing campaigns. Finally, maintain updated threat intelligence on cryptocurrency scams to adapt defenses promptly as tactics evolve.
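One way to prototype the link-based filtering rule recommended above, as an added example that is not code from the SANS diary or from any mail product. The keyword list, the verdict names and the sample messages are assumptions constructed for illustration; `forms.gle` and `docs.google.com/forms/` are the hostnames Google Forms links normally use.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample messages (not real campaign mail).
SCAM = """\
Subject: Your BTC balance is waiting

Your mining account holds 1.3 BTC. Confirm here:
https://docs.google.com/forms/d/e/EXAMPLE-FORM-ID/viewform
Details: https://telegra.ph/example-page-01-01
"""
FORM_ONLY = "Subject: Team lunch survey\n\nPlease fill in https://forms.gle/EXAMPLEID by Friday.\n"
BENIGN = "Subject: Newsletter\n\nBitcoin price commentary: https://example.com/markets\n"

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
# Assumed lure vocabulary; tune it against your own mail flow.
LURE_RE = re.compile(r"\b(bitcoin|btc|crypto\w*|mining|payout|withdraw\w*)\b", re.I)

def is_abused_platform(url):
    """True for telegra.ph pages and Google Forms links (long or short form)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    if host in ("telegra.ph", "forms.gle"):
        return True
    return host == "docs.google.com" and parts.path.startswith("/forms/")

def message_text(msg):
    """Subject plus every decoded text/plain and text/html part."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Return (verdict, matching_urls): quarantine, review or pass."""
    text = message_text(message_from_string(raw_message))
    hits = [u for u in URL_RE.findall(text) if is_abused_platform(u)]
    if not hits:
        return "pass", hits
    # Platform link plus cryptocurrency lure wording is the campaign's pattern.
    return ("quarantine" if LURE_RE.search(text) else "review"), hits

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("form_only", FORM_ONLY), ("benign", BENIGN)):
        print(name, triage(raw))
```

Because both platforms carry legitimate traffic, the platform link alone only routes a message to review; the quarantine verdict requires the lure wording as well.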


Technical Details

Article Source
{"url":"https://isc.sans.edu/diary/rss/32594","fetched":true,"fetchedAt":"2026-01-04T04:43:40.724Z","wordCount":467}

Threat ID: 6959effcdb813ff03eac9305

Added to database: 1/4/2026, 4:43:40 AM

Last enriched: 1/4/2026, 4:43:50 AM

Last updated: 1/8/2026, 5:49:17 AM
