Spam Campaign: Insider Threat Solicitation via Support Ticket Flood

Problem

The BitGo support queue received a mass-submitted spam campaign consisting of hundreds of identical fraudulent tickets (921 total in the cluster, with 50 sampled). Each ticket uses the subject line "Hey I have an issue I need help with." and contains a message attempting to recruit BitGo employees into selling customer account data. The messages direct recipients to a Telegram handle and offer a cash incentive. These are not legitimate support requests — they are a social-engineering / insider-threat solicitation attack delivered through the support ticket system.

Diagnostics

  • Identify the spam pattern: All tickets in this cluster share the exact same body text, the same subject line ("Hey I have an issue I need help with."), and were submitted in rapid succession (1–3 seconds apart) on 2026-02-14 between approximately 17:05 and 17:07 UTC.
  • Check the submitter: All 50 sampled tickets were created by the same actor (creator ID: 158009540847). Verify whether this ID maps to a known customer account or an unauthenticated/external submission.
  • Verify ticket content: The verbatim body of every ticket reads: "Hey, im looking for employees such as yourself who are interested in making THOUSANDS USD DAILY selling account data if this interests you message me on Telegram @Johnboss500 you will receive a $50 USD BONUS BEING COOPERATIVE IN PROVIDING ACCOUNT DATA."
  • Check for volume: Search for all tickets from the same creator ID and/or containing the string "@Johnboss500" or "THOUSANDS USD DAILY" to gauge the full scope of the spam wave.
  • Confirm no legitimate content: None of the sampled tickets contain any reference to a BitGo product, wallet, transaction, coin, or error. There is no legitimate support request embedded in any of them.
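
One way to run the pattern and volume checks above over a ticket export. This is an added example, not BitGo tooling: the record fields (id, creator_id, subject, body, created), the thresholds and the sample tickets are assumptions constructed for illustration, and the fingerprint also tolerates case and whitespace changes, which goes slightly beyond the byte-identical case seen here.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def fingerprint(subject, body):
    """Hash of case/whitespace-normalised subject + body, so identical spam shares one key."""
    norm = " ".join((subject + "\n" + body).lower().split())
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def find_floods(tickets, min_count=5, max_gap=timedelta(seconds=3)):
    """Return bursts: >= min_count identical tickets from one creator, each <= max_gap apart."""
    groups = defaultdict(list)
    for t in tickets:
        groups[(t["creator_id"], fingerprint(t["subject"], t["body"]))].append(t)
    floods = []
    for (creator, digest), items in groups.items():
        items.sort(key=lambda t: t["created"])
        run = [items[0]]
        for t in items[1:] + [None]:  # None sentinel flushes the final run
            if t is not None and t["created"] - run[-1]["created"] <= max_gap:
                run.append(t)
                continue
            if len(run) >= min_count:
                floods.append({"creator_id": creator, "fingerprint": digest,
                               "count": len(run), "first": run[0]["created"],
                               "last": run[-1]["created"],
                               "ticket_ids": [r["id"] for r in run]})
            run = [t] if t is not None else []
    return floods

def sample_tickets():
    """Constructed records; only the creator ID, subject line and date come from the page."""
    start = datetime(2026, 2, 14, 17, 5, 0, tzinfo=timezone.utc)
    spam = [{"id": f"T{i}", "creator_id": "158009540847",
             "subject": "Hey I have an issue I need help with.",
             "body": "constructed placeholder for the identical solicitation text",
             "created": start + timedelta(seconds=2 * i)} for i in range(6)]
    legit = [{"id": "T100", "creator_id": "constructed-customer-1",
              "subject": "Withdrawal pending", "body": "My transfer is stuck.",
              "created": start + timedelta(seconds=1)},
             {"id": "T101", "creator_id": "constructed-customer-1",
              "subject": "Withdrawal pending", "body": "My transfer is stuck.",
              "created": start + timedelta(minutes=30)}]
    return spam + legit

if __name__ == "__main__":
    for f in find_floods(sample_tickets()):
        print(f["creator_id"], f["count"], f["first"].isoformat(), f["last"].isoformat())
```

The returned ticket_ids list gives the set to bulk-close, and the fingerprint can be searched across other creator IDs to catch the same message submitted from a different account.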

Resolution


Scenario: hey-telegram-usd-thousands#spam-insider-threat-solicitation

Trigger: Hundreds of identical tickets submitted within seconds from the same creator, containing a social-engineering message soliciting employees to sell account data via Telegram.

Signals: Hey I have an issue I need help with, THOUSANDS USD DAILY, selling account data, Telegram, @Johnboss500, $50 USD BONUS, COOPERATIVE IN PROVIDING ACCOUNT DATA, rapid ticket creation, identical body text

Steps:

  1. Do not reply to the ticket. These are spam and no customer interaction is warranted. Do not engage with the Telegram handle or any contact method referenced in the message.
  2. Bulk-close all matching tickets. Identify every ticket from creator ID 158009540847 (and any other creator IDs submitting the identical message). Mark them as spam/closed with no response. Use the Salesforce case numbers (SF#00369159 through SF#00369268 and beyond) or filter by the body text string to capture the full set.
  3. Block the submitter. If the ticketing system supports sender blocking or blacklisting, add creator ID 158009540847 and any associated email addresses to the block list to prevent further submissions.
  4. Escalate to the Security team. Report the incident to BitGo's internal Security / Information Security team. Include:
    • The creator ID (158009540847).
    • The timestamp range (2026-02-14, ~17:05–17:07 UTC and potentially beyond).
    • The total volume (921 tickets in this cluster).
    • The verbatim solicitation text and the Telegram handle @Johnboss500 referenced in the messages.
  5. Escalate to the Compliance team. This constitutes an attempted insider-threat recruitment campaign. Forward details to compliance@bitgo.com (or the appropriate internal compliance channel) so it can be documented and assessed for any regulatory reporting obligations.
  6. Review ticketing system intake controls. Coordinate with Engineering or the team managing the support portal to evaluate whether rate-limiting, CAPTCHA, or content-filtering rules should be added or tightened to prevent future automated mass-submissions of this nature.

Notes:

  • Every single ticket in the 50-ticket sample is byte-for-byte identical in body text and subject line. There is zero variation, confirming automated submission rather than manual entry.
  • No resolution details were recorded in the source tickets beyond the creation timestamp, suggesting tickets were either auto-acknowledged or left unactioned at the time of capture. Resolution confidence was rated "medium" across all samples.
  • This is NOT a phishing attack targeting customers — it is a social-engineering attack targeting BitGo employees via the support queue. Agents should be reminded that BitGo will never ask employees to sell data, and any such solicitation should be reported immediately.

"Hey, im looking for employees such as yourself who are interested in making THOUSANDS USD DAILY selling account data if this interests you message me on Telegram @Johnboss500 you will receive a $50 USD BONUS BEING COOPERATIVE IN PROVIDING ACCOUNT DATA." (ticket #300447)

Related

  • policy-structure — Understanding BitGo policy controls may be relevant if Security reviews whether any policy-layer defenses could flag anomalous ticket-originating activity.
  • none identified — This cluster is a pure spam/social-engineering event with no overlap to legitimate product support topics.