Attackers are leveraging the Telegram messaging platform to target the crypto-wallets of users. The attackers behind the campaign are using the Echelon information stealer in an effort seeking to defraud new or unsuspecting users of a cryptocurrency discussion channel on the messaging platform. The attackers are using the Telegram handle “Smokes Night” to spread the infostealer. Security researchers at SafeGuard’s Cyber Division Seven threat analysis unit initially discovered a sample of Echelon posted to a Telegram channel focused primarily on cryptocurrency in October, according to an analysis released on Thursday.

The Echelon infostealer aims to steal credentials from multiple messaging and file-sharing platforms, including Discord, Edge, FileZilla, OpenVPN, Outlook, Telegram itself, and others. Echelon also seeks to obtain credentials from several different cryptocurrency wallets, including AtomicWallet, BitcoinCore, ByteCoin, Exodus, Jaxx, and Monero. Researchers at SafeGuard Cyber believe that the campaign is not coordinated or sophisticated, and is rather choosing victims based on their supposed level of knowledge of cryptocurrency and when they joined the channel.