Written by: Bitrace

Safew is a privacy communication software with functionality similar to Telegram, based on Telegram's encryption technology (MTProto protocol), where messages, voice, video, and files are fully encrypted during transmission, and only the two chat participants can see the content, while the server cannot read it. Some enterprises, for privacy reasons, further privatize deployment to fully control data or evade compliance reviews.

Due to Telegram's increasing collaboration with law enforcement and community bans, the largest illegal cryptocurrency trading guarantee platform in Southeast Asia—New Coin Guarantee, is trying to migrate Telegram public group merchants to Safew, leading to a proliferation of fake Safew applications, posing a threat to the encryption fund security of black and gray industry practitioners who mainly rely on public group merchants.

This article aims to disclose part of this black-eats-black situation.

Timeline

On May 13, 2025, Beijing time, the two largest illegal cryptocurrency trading platforms in Southeast Asia, Hao Wang Guarantee and New Coin Guarantee, simultaneously faced sanctions from Telegram's official channel, with a large number of official customer service accounts and business public groups directly banned, resulting in a temporary halt in operations and causing widespread panic in the black and gray industry circle.

The two entities responded in different ways—

On the morning of May 13, Hao Wang Guarantee announced it would cease operations and hand over all public group business to Potato Guarantee, which is a related entity with a 30% investment from Hao Wang Guarantee made earlier. By nominally shutting down, Hao Wang Guarantee managed to escape scrutiny and rebranded as Potato Guarantee, continuing its illegal operations.

On May 14, New Coin Guarantee updated the homepage content of its official website xinbi[.]com, announcing the official use of the Safew public group to circumvent Telegram's ban on its illegal business public groups. Although the official website content has become ineffective, traces can still be found using web archiving tools.

Immediately, voices began to denounce New Coin Guarantee's launch of Safew as an attempt to steal users' encrypted assets, and this kind of negative discussion reached its peak in early 2026 after Potato Guarantee completely shut down, and New Coin Guarantee accelerated the migration of public groups.

Frequent Appearances of Counterfeit Safew Websites

Despite New Coin Guarantee repeatedly emphasizing the correct download address for Safew and claiming the software has been listed on the IOS application market, there are still many fake Safew groups creating counterfeit unofficial download websites and polluting search engine keywords for promotion.

Taking the unofficial link safew-x[.]com as an example. When analyzing the sample using the ANY.RUN online security sandbox detection tool (download link), malicious behavior was detected.

After executing the sample, it released the Gh0stRAT SweetSpecter variant (full-featured remote access trojan), establishing command and control communication with the C2 server, triggering the following Emerging Threats rules:

• ET MALWARE [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter)

• ET DROP Spamhaus DROP Listed Traffic Inbound group 2

This variant has capabilities such as remote desktop, keystroke logging, and file theft. Once the target device is infected, attackers can achieve complete remote control of the infected host, including real-time remote desktop access, keystroke logging, camera/microphone monitoring, file theft and transmission, arbitrary command execution, and further deployment of malicious tools. Once infected, threat actors can remain hidden for a long time and steal sensitive data. It is classified as a high-risk remote access trojan (RAT).

For public group merchants and users heavily using cryptocurrency wallets for black and gray business, the targets of such malware are clearly the wallet private keys stored on their devices.

Analysis of New Coin Guarantee's Safew Public Group Business

Bitrace has been monitoring fund activities of New Coin Guarantee, and investigations of the staking addresses on the Safew public group show that although New Coin Guarantee launched the Safew public group in May 2025, a separate business address was only allocated for this service in August of the same year, and the business scale was relatively low and decreasing month by month.

It wasn’t until the end of 2025 and early 2026 when Huiwang Payment and Potato Guarantee successively shut down, that New Coin Guarantee heavily promoted its Safew public group business, resulting in an increase in address activity, briefly achieving a monthly fund inflow of over 32 million USDT in January 2026, which then decreased month by month.

After tallying all staking addresses of New Coin Guarantee, it was found that the staking scale of the Safew channel in one month was only equivalent to that of the Telegram channel in one day, indicating that Telegram remains the preferred choice for public group merchants in New Coin Guarantee's black and gray industry.

In Conclusion

In fact, the phenomenon of black-eats-black targeting black and gray industry practitioners is very frequent, from fake wallets to fake Telegram, and from offline wrench attacks to online social engineering, this group, floating outside the legal rules, is becoming a target for attacks.

After the shutdown of Potato Guarantee, New Coin Guarantee has become the largest illegal cryptocurrency trading guarantee platform in Southeast Asia. The phishing activities targeting Safew public group merchants have neither just begun nor have they ended.

Bitrace will continue to monitor.