F-Secure research

Investigating a Telegram Trading Scam: How Instagram Ads Can Lead to Credential Theft

F-Secure

What looked like a simple Instagram ad turned out to be the first step in a much larger scam operation.

During one of our recent investigations, we encountered a paid Instagram ad from an account called Propass offering to pass proprietary trading firm challenges on behalf of clients. The proposition was straightforward:

"I will pass your propfirm challenge in 2–3 days. You will pay me only once I validate the challenge. I can even manage the account afterwards for 20% of the withdrawals."

There were no celebrity endorsements or promises of overnight riches — just a service aimed at people who wanted a funded trading account but lacked the experience to pass a trading challenge themselves.

But behind that simple offer was a multi-stage operation involving Telegram voice messages, a fake PDF contract, an affiliate monetization structure, and a credential-harvesting process. What appeared to be a shortcut for aspiring traders was, in reality, a carefully constructed fraud funnel.

Here's how our investigation unfolded.

Part 1: Victim baiting on Instagram

The Propass ad appeared on Instagram, but its transparency panel revealed it was being served by a Facebook advertiser instead of a native Instagram account. The panel also exposed the destination URL: secretfundsociety[.]com/?fbp[...].

The website acted as a bridge site between the ad and the scammer's Telegram account. It served one purpose: moving the visitor into a Telegram conversation. At the bottom of the page, a prompt immediately pushed the visitor to download Telegram.

Propass Instagram ad promoting fraudulent prop trading services and revealing the advertiser transparency panel. The ad directed users to Telegram.

Using a Facebook account to run ads on Instagram, rather than building a native Instagram presence, is consistent with scammers who create and burn ad accounts at scale. When one account is flagged, the next is ready. The funnel's design is not incidental either: by routing the victim through a bridge site and prompting them to open a Telegram conversation themselves, the scammer ensures that the victim remains the initiating party.

That matters because Telegram users cannot report contacts they themselves reached out to, and messages in a conversation initiated by the victim offer no direct reporting path. The result is a structural blind spot: the scammer moves the victim into a private messaging environment where the platform's own abuse-reporting mechanisms are effectively unavailable to the people being defrauded.

Part 2: First contact with the scammer on Telegram

Inside Telegram, we were connected to a contact named "Leon," operating under the Secret Funding Society brand. We opened with: "Hello, I want to get a funded account to start making money!"

Leon's first response was not text, but a voice message.

The scammer sent three voice messages followed by a contract and a pricing card. The combination of audio and formal documents helps project legitimacy and build trust.

Over the course of the conversation, Leon sent at least five separate voice messages totaling nearly three minutes of audio. The messages answered questions, explained the service, and built rapport. This was a deliberate trust-building strategy, which we'll examine in more detail later.

Inside Leon's pitch

We obtained and transcribed three voice messages sent in quick succession:

Message 1 (0:55) — the hook

"We pass your prop firm challenge for you. You can get access to a trading account between $10,000 and $300,000 without having to do anything... you don't pay anything until you receive your funded account. It's all secured by the contract I will send you. And if you fail, you can get a refund."

Message 2 (0:50) — the platform push

"I recommend you to sign up with [the platform] because right now, they have the easiest challenge rules, and it's the platform with which we constantly get results. We have 100% success rates... none of our clients ever had an issue with withdrawal... they have excellent 5-star reviews. I will give you a promo code for 20% off... And once you've purchased the challenge, just send us the login credentials."

Message 3 (0:35) — the close

"Once your challenge is successfully passed, that's when you pay the fees for the service... I recommend going on at least a 100K challenge since the real benefit is getting access to large capital... make sure you select the one-step challenge account, so the validation is quick."

How the voice messages build trust

The messages read more like a scripted sales sequence than a spontaneous conversation. Taken together, they form a carefully structured pitch: establish trust, recommend a platform, then request account access. Non-native English phrasing throughout also suggests a translated script being read aloud.

The credential request to "just send us the login credentials" is buried at the end of the second message, sandwiched between trust signals such as a claimed 100% success rate, positive reviews, withdrawal guarantees, and a discount code. A victim listening once will likely focus on the reassurances and miss the significance of handing over account access.

Part 3: The affiliate money trail

After the voice messages, Leon switched to text, delivering the only sustained written pitch in the conversation.

Pricing card provided by the scammer, showing fees charged for passing prop trading challenges at different account sizes.

We were directed to foxx-funded[.]com, a prop trading platform promising up to $300,000 in capital, along with affiliate discount code 'SFS20' for 20% off. The affiliate code means Leon earns a commission on every challenge fee paid through his referral.

Screengrab of foxx-funded[.]com. The site’s header promises up to $300,000 in trading capital, while MetaTrader 5 integration and a Discord support channel are also displayed.

Later in the conversation, Leon instructed us to "use the code SFS20 at checkout instead of KING." The comment appears incidental, but it may reveal something important. If SFS20 and KING are both active affiliate codes for the same platform, it suggests multiple operators are running parallel campaigns under different referral identities while directing victims to the same prop trading service.

Part 4: Manufacturing trust with a "contract"

Before requesting payment, Leon sent a PDF guaranteeing either a passed challenge or a full refund. He also sent a branded Secret Funding Society promotional card reproducing the pricing table.

The purpose of sending this PDF over a chat app is psychological. It gives the interaction a layer of formality at the exact moment a cautious victim might hesitate. The "contract" doesn't reduce the victim's risk; it helps make the next step feel safer.

Part 5: The payment and credential grab

When we indicated interest in the $300,000 account size, Leon's reply was direct: "Ok, so you can buy your challenge and send me your credentials."

This is the step most victims would not anticipate. After paying up to €800, the victim is asked to hand login credentials for a financial trading platform to an unknown contact on Telegram. The stated rationale — that Leon needs access to trade on their behalf — provides cover for what is effectively full account takeover.

Key takeaways

What initially appeared to be a simple "challenge passing" service was in fact a layered operation combining social engineering, affiliate monetization, and credential theft. The scam's effectiveness didn't rely on sophisticated malware or technical exploits. Instead, it used trust-building techniques: voice messages, formal-looking documents, affiliate discounts, and a gradual escalation of commitment.

The most notable finding was the use of voice messages. Beyond building credibility, they create challenges for moderation systems, increase reporting friction, and may become increasingly scalable as AI‑generated speech improves.

The operation demonstrates how modern scams increasingly combine social media advertising, private messaging channels, and legitimate third-party services to create a convincing path from first contact to credential compromise.

The scam succeeds not because any individual step looks obviously malicious, but because each step appears reasonable when viewed in isolation. An Instagram ad, a Telegram conversation, a discount code, a PDF contract, and even a request for account access to help with trading can all seem legitimate on their own. Only when viewed as a complete attack chain does the true intent become clear.

Anatomy of the scam

The full attack chain

The scammer’s end-to-end funnel: social media advertising moving victims to Telegram, Telegram-based social engineering, affiliate revenue generation, and credential theft.

Why do scammers use voice messages?

The almost exclusive use of voice messages during this scam appears to be intentional. Based on our investigation, the approach offers several advantages:

  1. Evading text-based detection – While Telegram's antispam system analyzes text in cloud chats for spam and phishing keywords, voice messages don't contain searchable text, URLs, or account identifiers. By moving key parts of the conversation into audio, scammers can make their most persuasive content harder to detect and analyze at scale.

  2. Credibility through a real voice – Tone, pacing, and personality come through in audio in a way that text can’t easily replicate. A voice message can make the interaction feel more like a conversation with a trusted advisor than a scripted sales pitch.

  3. A weaker evidence trail – A text message can be copied, searched, and attached to a fraud report in seconds. Audio requires additional effort to save, review, and transcribe, increasing the friction for victims trying to document what happened.

  4. Implied personal attention – Multi-minute voice notes that directly answer questions signal that a real person is investing time in the conversation. That perceived investment can lower a victim's guard at exactly the moment they are deciding whether to pay.

  5. A clear path to AI scaling – Advances in voice synthesis mean that personalized audio messages can increasingly be generated at scale. Techniques that once required significant manual effort are becoming easier to automate.

Mapping to the F‑Secure Scam Kill Chain

Mapped against the F‑Secure Scam Kill Chain, our framework for analyzing scam tactics and techniques, this operation touches every phase of the attack chain:

  • Targeting relies on Instagram's ad platform to reach a self-selected audience of aspiring traders (T1.1).

  • Resource development includes registered domains, a fake persona, a scripted voice pitch, and a third-party prop trading platform leveraged as a ready-made payment and commission infrastructure (T2.1, T2.3, T2.4, T2.5, T2.6).

  • Initial contact is made via a paid Meta ad that migrates the victim to a scammer-controlled Telegram conversation (T3.4, T3.5, T4.3).

  • Persistence is maintained through voice message rapport-building, a fake PDF contract, and gradual commitment escalation from enquiry through to credential handover (T4.1.2, T4.1.6, T4.1.7, T4.6).

  • Access is obtained when the victim voluntarily hands over trading platform credentials (T5.1, T5.4).

  • Monetization is dual-track: direct challenge fees of €170–€800 per victim, plus affiliate commission earned on every referral (T7.1, T7.2).

Indicators of compromise

Indicators of compromise identified during the investigation: the bridge site used to move victims to Telegram and the prop trading platform used for challenge fee payments and affiliate monetization.
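The two domains named in this article can be used to look for the funnel in web proxy or DNS logs. The following Python code is an added example, not F-Secure's tooling: it flags clients that reach the bridge site, then Telegram, then the prop trading platform, in that order. The log format, client addresses, timestamps and 24-hour window are constructed assumptions, and `t.me` and `telegram.org` are Telegram's public domains rather than indicators from the investigation.

```python
from datetime import datetime, timedelta

# Indicators as defanged in the article, refanged only for matching.
BRIDGE = "secretfundsociety[.]com".replace("[.]", ".")
PLATFORM = "foxx-funded[.]com".replace("[.]", ".")
MESSENGER = ("t.me", "telegram.org")  # Telegram's public domains (not article IoCs)

# Constructed sample proxy log, "ISO-timestamp client host" (format is an assumption).
SAMPLE_LOG = """\
2025-01-10T09:00:05 10.0.0.21 www.instagram.com
2025-01-10T09:00:40 10.0.0.21 secretfundsociety.com
2025-01-10T09:01:10 10.0.0.21 t.me
2025-01-10T09:20:00 10.0.0.21 foxx-funded.com
2025-01-10T09:05:00 10.0.0.34 t.me
2025-01-10T09:06:00 10.0.0.34 www.example.org
2025-01-10T10:00:00 10.0.0.55 secretfundsociety.com
2025-01-12T10:00:00 10.0.0.55 telegram.org
"""

def stage_of(host):
    """Map a hostname (or any subdomain of it) to a funnel stage, else None."""
    host = host.lower().rstrip(".")
    def under(domain):
        return host == domain or host.endswith("." + domain)
    if under(BRIDGE):
        return "bridge"
    if any(under(d) for d in MESSENGER):
        return "messenger"
    if under(PLATFORM):
        return "platform"
    return None

def funnel_progress(log_text, window=timedelta(hours=24)):
    """Per client, furthest stage reached in order within `window` of the bridge hit."""
    order = ["bridge", "messenger", "platform"]
    state = {}  # client -> (index of next expected stage, time of bridge hit)
    events = sorted(line.split() for line in log_text.splitlines() if line.strip())
    for ts, client, host in events:
        when, stage = datetime.fromisoformat(ts), stage_of(host)
        if stage is None:
            continue
        nxt, start = state.get(client, (0, None))
        if stage == "bridge" and nxt == 0:
            state[client] = (1, when)  # funnel entry: start the clock
        elif 0 < nxt < len(order) and stage == order[nxt] and when - start <= window:
            state[client] = (nxt + 1, start)  # next stage seen in order, in time
    return {c: order[n - 1] for c, (n, _) in state.items() if n > 0}
```

Telegram traffic alone (client 10.0.0.34) is never flagged; only a bridge-site hit starts the chain, which keeps ordinary messenger use out of the results.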

Experts behind the insights

  • Amit Tambe

    Senior Researcher, F‑Secure

    Amit Tambe is a senior researcher specializing in digital scams and consumer-focused cyber threats. He co‑authored F-Secure's Scam Kill Chain, spoke on it at Microsoft's BlueHat 2024, has published papers at security conferences, and contributes regularly to F‑Secure Insights.

  • Richard Topchii

    iOS Developer, Consultant

    Richard Topchii is an Apple Platforms engineer and consultant with over 10 years of experience building iOS and macOS applications, SDKs, and developer tools. He is the creator of the open-source Swift library CalendarKit, widely used in the Apple developer community, and is a regular speaker at tech conferences and meetups across Europe.