Black Eats Black: Beware of Fake New Coin Guarantees and the Risk of Safew App Coin Theft


Written by Bitrace

Safew is a privacy messaging app similar in main function to Telegram, based on Telegram’s encryption technology (MTProto protocol). Messages, voice, video, and files are encrypted throughout transmission, and only the chat participants can see the content; servers cannot read it. Some enterprises, for privacy reasons, even deploy private versions to fully control data or evade compliance reviews.

Due to increasing law enforcement cooperation and community bans involving Telegram, Southeast Asia’s largest illegal cryptocurrency escrow platform—Xinbi Escrow—is attempting to migrate its Telegram public group merchants to Safew. This has led to a proliferation of fake Safew apps, posing a threat to the security of encrypted funds for black and gray market operators mainly using public groups.

This article aims to disclose part of this black market activity.

Timeline

On May 13, 2025, Beijing time, Southeast Asia’s two largest illegal cryptocurrency escrow platforms—Hao Wang Escrow and Xinbi Escrow—were sanctioned by Telegram officials. Many official customer service accounts and business groups were directly banned, causing a short-term halt in operations and widespread panic in the black and gray markets.

The two entities responded differently—

On the morning of May 13, Hao Wang Escrow announced it would cease operations and transfer all public group businesses to Potatoes Escrow, a related entity in which Hao Wang Escrow had previously invested 30%. Under the guise of a shutdown, Hao Wang Escrow effectively escaped, rebranding as Potatoes Escrow and continuing its illegal activities.

On May 14, Xinbi Escrow updated the homepage content of xinbi[.]com, announcing the official launch of Safew public groups to bypass Telegram’s ban on their illegal public groups. Although the website content was later removed, it can still be seen through web archive tools.

Soon, the black and gray community began criticizing Xinbi Escrow for launching Safew, claiming it aimed to steal users’ crypto assets. These negative discussions peaked in early 2026 after Potatoes Escrow completely shut down and Xinbi Escrow accelerated its public group migration.

Counterfeit Safew Websites Emerge

Despite Xinbi Escrow repeatedly emphasizing the correct download address for Safew and claiming the app was available on the iOS App Store, many fake Safew groups created counterfeit unofficial websites and manipulated search engine keywords for promotion.

One example is the unofficial site safew-x[.]com. When analyzed with the online security sandbox tool ANY.RUN, malicious behavior was detected.

The sample, upon execution, released a Gh0stRAT SweetSpecter variant (a full-featured remote access Trojan) and established command and control communication with a C2 server, triggering the following Emerging Threats rules:

ET MALWARE [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter)

ET DROP Spamhaus DROP Listed Traffic Inbound group 2

This variant supports remote desktop, keystroke logging, file theft, and more. Once a device is infected, the attacker can fully control it remotely: real-time remote desktop, keystroke logging, camera/microphone monitoring, file exfiltration, arbitrary command execution, and further deployment of malicious tools. Infection allows long-term covert persistence and sensitive data theft, so the sample is classified as a high-risk remote access Trojan (RAT).

For many public group merchants and users engaged in black and gray activities using cryptocurrency wallets, this malware’s primary target is clearly the wallet private keys stored on their devices.

Analysis of Xinbi Escrow’s Safew Public Group Business

Bitrace has long monitored Xinbi Escrow’s fund activities. Investigations into Safew public groups’ deposit addresses show that although Xinbi Escrow launched Safew groups in May 2025, it only assigned a dedicated business address in August of that year, and the volume through that address was relatively low and declined over time.

By late 2025 and early 2026, after Wuhang Pay and Potatoes Escrow shut down successively, Xinbi Escrow heavily promoted its Safew public groups. Address activity increased, briefly reaching over 32 million USDT in monthly inflows in January 2026, then gradually declined.

Statistical analysis of all deposit addresses shows that the deposit volume via Safew in one month is only comparable to one day’s volume on Telegram, indicating that Telegram remains the preferred platform for Xinbi Escrow’s black and gray market public groups.

In Conclusion

In fact, black and gray market operators frequently engage in malicious activities—from fake wallets to fake Telegram, from offline wrench attacks to online social engineering. This group, operating outside legal boundaries, is increasingly targeted for attacks.

After Potatoes Escrow’s collapse, Xinbi Escrow has become Southeast Asia’s largest illegal cryptocurrency escrow platform. The phishing activities targeting Safew public groups are not the beginning, nor will they be the end.

Bitrace will continue to monitor.
