Black Eats Black: Beware of the Coin-Theft Risk from Fake Xinbi Escrow Safew Apps


Safew is a privacy messaging app similar to Telegram, based on Telegram’s encryption technology (MTProto protocol). Messages, voice, video, and files are encrypted throughout transmission, and only the chat participants can see the content; servers cannot read it. Some enterprises, for privacy reasons, even deploy private versions to fully control data or evade compliance reviews.

Due to increasing law enforcement cooperation and community bans on Telegram, Southeast Asia’s largest illegal cryptocurrency escrow platform—Xinbi Escrow—is attempting to migrate its Telegram public group merchants to Safew. This has led to a proliferation of fake Safew apps, which threaten the crypto assets of black and gray market operators who mainly work through public groups.

This article aims to disclose part of this black-market activity.

Timeline

On May 13, 2025, Beijing time, Southeast Asia’s two largest illegal cryptocurrency escrow platforms, Haowang Escrow and Xinbi Escrow, were sanctioned by Telegram officials. Many official customer service accounts and business groups were directly banned, causing a short-term halt in operations and widespread panic in the black and gray markets.

The two entities responded differently—

On the morning of May 13, Haowang Escrow announced it would cease operations and transfer all public group businesses to Potato Escrow, a related entity in which Haowang had previously invested 30%. Through a nominal bankruptcy, Haowang Escrow effectively exited, rebranded as Potato Escrow, and continued its illegal activities.

On May 14, Xinbi Escrow updated its website xinbi[.]com homepage, announcing the official launch of Safew public groups to bypass Telegram’s bans on their illegal public groups. Although the website content is now invalid, web archive tools still reveal clues.

Soon, the black and gray community began criticizing Xinbi Escrow for launching Safew, claiming it aims to steal users’ crypto assets. These negative discussions peaked in early 2026 after Potato Escrow’s complete collapse and Xinbi Escrow’s accelerated migration to public groups.

Counterfeit Safew Websites Emerge

Although Xinbi Escrow has repeatedly emphasized the correct download link for Safew and claims the app is available on the iOS App Store, many groups distributing fake Safew apps have set up counterfeit unofficial websites and poisoned search engine keywords to promote them.

One example is the unofficial site safew-x[.]com. When the sample (download link: [.]com/_dl.php?t=win) was analyzed in the ANY.RUN online sandbox, malicious behavior was detected.

Once executed, the sample drops a Gh0stRAT SweetSpecter variant (a full-featured remote access trojan) and establishes command-and-control communication with a C2 server, triggering the following Emerging Threats rules:

  • ET MALWARE [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter)
  • ET DROP Spamhaus DROP Listed Traffic Inbound group 2

This variant supports remote desktop, keystroke logging, file theft, and more. Once a device is infected, attackers can fully control it, including real-time remote desktop, keystroke recording, camera/microphone monitoring, file exfiltration, arbitrary command execution, and deployment of additional malicious tools. An infection allows long-term covert persistence and theft of sensitive data. It is classified as a high-risk remote access trojan (RAT).

For the many public group merchants and users who conduct black and gray market business with cryptocurrency wallets, this malware’s primary target is clearly the wallet private keys stored on the device.
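For defenders, the two Emerging Threats rules named above can be hunted for in Suricata EVE JSON alert logs. The following is an added example, not part of the original article or of Bitrace's tooling; the function name, the sample log lines and the isolate/review actions are assumptions made for illustration.

```python
import json

# Signature names exactly as listed in the sandbox result above.
GH0ST_SIG = "ET MALWARE [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter)"
DROP_SIG = "ET DROP Spamhaus DROP Listed Traffic Inbound group 2"

# Constructed sample EVE lines; IPs are documentation ranges, not real indicators.
SAMPLE_EVE = """\
{"timestamp":"2026-01-10T08:01:02+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.21","alert":{"signature":"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"}}
{"timestamp":"2026-01-10T08:01:05+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"10.0.0.21","alert":{"signature":"ET MALWARE [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter)"}}
{"timestamp":"2026-01-10T08:02:00+0000","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"10.0.0.30","alert":{"signature":"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"}}
{"timestamp":"2026-01-10T08:03:00+0000","event_type":"dns","src_ip":"10.0.0.30","dest_ip":"10.0.0.1"}
{"timestamp":"2026-01-10T08:04:00+0000","event_type":"alert","src_ip":"10.0.0
"""

def triage(eve_text):
    """Group matching alerts by the local host that received the traffic."""
    hosts = {}
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        sig = ev.get("alert", {}).get("signature")
        if sig not in (GH0ST_SIG, DROP_SIG) or "dest_ip" not in ev:
            continue
        # Assumption: both rules fire on inbound packets, so dest_ip is the
        # local host and src_ip is the remote endpoint.
        h = hosts.setdefault(ev["dest_ip"], {"sigs": set(), "remotes": set(),
                                             "first_seen": ev.get("timestamp")})
        h["sigs"].add(sig)
        h["remotes"].add(ev.get("src_ip", "unknown"))
    report = {}
    for ip, h in hosts.items():
        # A C2 server response means the RAT is already running: isolate the
        # host. DROP-listed traffic alone only warrants review.
        action = "isolate" if GH0ST_SIG in h["sigs"] else "review"
        report[ip] = {"action": action, "remotes": sorted(h["remotes"]),
                      "first_seen": h["first_seen"]}
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_EVE).items():
        print(ip, info)
```

Because the primary target is wallet private keys, a host flagged `isolate` should have every wallet key on it treated as exposed.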

Xinbi Escrow Safew Public Group Activity Analysis

Bitrace has been monitoring Xinbi Escrow’s fund activities. An investigation into Safew public groups’ deposit addresses shows that although Xinbi Escrow launched Safew groups in May 2025, it only assigned a dedicated business address in August of that year, with a relatively small scale that decreased month by month.

By late 2025 and early 2026, after Wuiwang Pay and Potato Escrow collapsed one after another, Xinbi Escrow heavily promoted its Safew public groups. Activity on these addresses increased, briefly reaching over 32 million USDT in monthly inflows in January 2026, then declining month by month.

Statistical analysis of all Xinbi Escrow deposit addresses shows that the deposit volume via Safew in one month is only equivalent to one day of activity on Telegram, indicating that Telegram remains the preferred platform for Xinbi Escrow’s black and gray market public groups.

In Conclusion

In fact, black and gray market operators frequently engage in malicious activities—from fake wallets to fake Telegram, from offline social engineering attacks to online scams. This group, operating outside legal boundaries, is increasingly targeted by law enforcement.

After Potato Escrow’s collapse, Xinbi Escrow has become Southeast Asia’s largest illegal cryptocurrency escrow platform. The phishing activities targeting Safew public groups are not new and are far from over.

Bitrace will continue to monitor.
