What Is Classiscam?
Classiscam is an automated scam-as-a-service program that runs entirely on Telegram. Group-IB’s Computer Emergency Response Team (CERT-GIB) and Digital Risk Protection specialists first identified it in 2019 and named it after its original hunting ground: classified ad platforms.
The franchise model works like this. An admin, the scheme’s organizer, provides the infrastructure: Telegram bots, phishing page templates localized for any target market, and a payment system to track and distribute stolen funds. Workers access those tools and run the actual fraud campaigns.
Admins keep 20-30% of everything workers steal. Fake support staff round out the operation, posing as customer service agents to run secondary refund scams on victims who have already been defrauded once. The financial draw lies in near-zero automation overhead, allowing admins to pocket passive income while low-level workers shoulder the frontline risks.
Classiscam scales basic phishing into a systemic threat by automating the backend. A worker with no technical skill can generate a convincing, brand-specific phishing page in minutes because the system automatically pulls the victim’s item name, photo, and price directly into the template. Victims willingly hand over their payment data because the design closely mirrors the legitimate platform. By the time anyone notices the deception, the funds are already gone.
Group-IB researchers have tracked Classiscam from a single-country operation into a global franchise active across more than 90 countries, with no sign of slowing.
How Classiscam Works: The Four-Step Attack Chain
A typical Classiscam attack follows four steps: initial contact, platform migration, phishing page generation, and payment theft. In an earlier variant, scammers flipped the dynamic, posting fake ads as sellers and waiting for real buyers to contact them. The steps below describe the predominant workflow, though it is not the only one.
Step 1: Initial contact
A fake buyer reaches out to a real seller on a classified ads platform, expressing interest in the listed item. The message is convincing: friendly, specific to the listing, and designed to build trust quickly.
Step 2: Platform migration
The fake buyer pushes the conversation to a third-party messenger such as Telegram, WhatsApp, or Viber, claiming it is more convenient. This move is deliberate. It takes the conversation off the marketplace’s monitored environment and onto a channel the scammer controls.
Step 3: Phishing page generation
Once in the third-party messenger, the scammer triggers a bot. In seconds, the bot generates a phishing page that precisely mimics the legitimate marketplace or delivery service, pulling in the real item name, photo, and price from the original listing.
The scammer then sends the link to the victim with a pretext, typically that payment has been arranged and the seller needs to click through to confirm their details and receive it. The victim clicks the link and lands on the generated page, which is indistinguishable from the real platform’s page.
Step 4: Payment theft
The seller enters their card or banking credentials on the phishing page, but those details are not processed instantly. They go to a specialist within the Classiscam hierarchy known as a “vbiver,” a Russian term for someone who verifies that submitted credentials are real and usable.
While the check runs, the worker keeps the victim occupied in the messenger, ready to request corrections or additional details if the credentials fail verification. The victim has no reason to suspect anything is wrong and is simply waiting for a payment to go through.
The Telegram-Powered Criminal Franchise
Classiscam scales because its underlying infrastructure is available for purchase. At the top of the hierarchy sit scam kit developers: specialists who build the Telegram bots, phishing page generators, and payment-tracking systems that power the scheme, and then sell them to others for a fixed fee. They rarely operate groups themselves. Their product is the toolkit.
Below them, admins buy that toolkit and run their own groups. They recruit workers, manage the operation, and take a 20-30% cut of everything their workers steal. The admin also provides scripts for callers and refunders, fake customer service agents who contact victims after the initial theft, posing as support staff to process a “refund” that charges the card a second time.
Workers do the frontline work: finding targets on classified platforms, making contact, and sending phishing links. The phishing templates are platform-specific, built to mimic the exact services victims in a given market already use and trust. For multinational platforms operating across several countries, templates can be adapted to match local versions of those platforms. One international logistics brand was impersonated across 21 countries this way.
The result is a scheme that requires no technical skill to operate. A new worker can launch a campaign within minutes of joining. Group-IB analysts found that many Classiscam groups offer onboarding instructions and in-channel expert support, lowering the barrier of entry to near zero.
This structure is what separates Classiscam from individual phishing. Any single campaign can be disrupted, but the franchise keeps recruiting and keeps generating new phishing pages across new markets. The infrastructure that powers it stays intact regardless of how many individual workers are caught or quit, which is what makes it durable.
Scale and Global Reach: Key Statistics from Group-IB’s Research
The figures below represent a snapshot from Group-IB’s most comprehensive Classiscam research to date, tracking the scheme’s expansion from H1 2020 to H1 2023. Between those dates, Group-IB identified 1,366 separate Classiscam groups on Telegram. Analysts directly infiltrated 393 of them, gaining access to channels with more than 38,000 combined participants and tracking transactions in real time. Those 393 groups generated combined earnings of $64.5 million, representing 251 unique brands across 79 countries.
The regional breakdown from that period tells its own story. Europe accounted for 62.2% of all schemes. Germany led by transaction volume at 26.5%, followed by Poland (21.9%), Spain (19.8%), Italy (13.0%), and Romania (5.5%). The average victim globally lost $353. UK victims lost the most of any country at $865 per incident, followed by Luxembourg ($848), Italy ($774), and Denmark ($730).
By 2023, the scheme had also expanded beyond payment card theft. Group-IB researchers identified fake bank login pages targeting 35 banks across 15 countries, adding credential harvesting to Classiscam’s capabilities.
Group-IB’s ongoing monitoring of international Classiscam activity confirms the threat has continued to expand well beyond what that research window captured, with active campaigns now documented across more than 90 countries.
How Classiscam Has Evolved
Since its inception in 2019, Classiscam has gone through four distinct stages of evolution.
The first stage was its origin. In the summer of 2019, Classiscam was a Russia-only operation, run manually by small criminal groups targeting buyers and sellers on Russian classified platforms. The scheme relied on social engineering rather than automation, and its geographic reach was limited to a single country.
The second stage was its pandemic-driven expansion. Online shopping volumes surged in spring 2020, and Classiscam surged with them. Groups expanded beyond classified platforms into courier and delivery services, where victims expected to receive payment links as a normal part of the transaction.
CERT-GIB took down 280 Classiscam phishing pages in the summer of 2020. By December that year, the number had grown 10-fold to more than 3,000. International expansion into Europe began in this period.
The third stage was its full automation and global reach. By 2022-2023, Telegram bots had entirely replaced manual page creation. Phishing pages could now be generated in seconds. The hierarchy deepened, with specialized roles for callers, refunders, and fake bank support.
Classiscam added fake bank login pages to harvest credentials, not just card data, targeting 35 banks across 15 countries. The scheme reached 79 countries and 251 brands, illustrating the full scale of scam-as-a-service brand impersonation phishing at industrial volume.
The fourth is the current wave. Group-IB’s High-Tech Crime Trends Report 2025 documents Classiscam’s active expansion into Central Asia, with operations in Uzbekistan confirmed as recently as November 2024. The broader fraud ecosystem Classiscam operates within has incorporated AI-generated content and deepfake videos to build social proof, a pattern Group-IB researchers have documented in related investment scam infrastructure.
Classiscam’s core automation makes it well-positioned to absorb these techniques as they become cheaper and more accessible to low-skill operators.
The scheme, which started with one country and manual social engineering, now reaches victims in more than 90 countries. The infrastructure becomes easier to operate with each iteration, and the barrier to entry is now nearly zero.
Protect Your Brand from Classiscam Impersonation
Protection against Classiscam requires three layers: real-time brand monitoring to catch phishing infrastructure before it reaches victims, fast takedown of fraudulent pages once detected, and user-level awareness of the attack’s signature moves.
Monitoring
Classiscam phishing pages go live in seconds. By the time a victim reports one, dozens more are already active. Group-IB Digital Risk Protection uses AI-driven detection to identify look-alike domains and fake brand pages across marketplaces, social media, app stores, and the dark web before they reach users.
Takedown
Detection without removal is incomplete. CERT-GIB’s takedown infrastructure scales with the threat, which is the only way to stay ahead of a scheme that regenerates phishing pages on demand.
User awareness
Three red flags apply to every Classiscam attack, regardless of the brand being impersonated. A buyer or seller pushes the conversation from the marketplace to an external messenger. A payment or confirmation link redirects to an external website. The URL does not match the official platform domain. Any one of these is a strong indicator of fraud. Transactions that display even one of these patterns warrant extreme caution and independent verification before any payment details are shared.
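The checks described above can be applied to chat text automatically. The following is an added example, not Group-IB code: it flags messenger migration and links whose host is not the official platform domain. The domain marketplace.example, the flag names, and the sample messages are constructed for illustration, and the redirect indicator is not covered because it requires following the link.

```python
import re
from urllib.parse import urlsplit

# Constructed values: a stand-in official domain and sample chat messages.
OFFICIAL_DOMAINS = {"marketplace.example"}
MESSENGER_RE = re.compile(r"\b(telegram|whatsapp|viber)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_official_host(host, official=OFFICIAL_DOMAINS):
    """Exact match or true subdomain of an official domain; substrings do not count."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in official)

def red_flags(message, official=OFFICIAL_DOMAINS):
    """Return the red flags from the section above that a single message shows."""
    flags = set()
    if MESSENGER_RE.search(message):
        flags.add("messenger_migration")
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation glued to the link
        try:
            host = urlsplit(url).hostname  # ignores any "user@" prefix in the URL
        except ValueError:
            host = None  # unparseable URL is treated as not official
        if not is_official_host(host, official):
            flags.add("url_not_official_domain")
            # Brand string inside a foreign URL: look-alike host or userinfo trick
            if any(d in url.lower() for d in official):
                flags.add("brand_in_foreign_url")
    return sorted(flags)

SAMPLE_CHAT = [  # constructed conversation following the four-step chain
    "Hi, is the bike still available? I can pay today.",
    "Let's continue on WhatsApp, it is more convenient for me.",
    "Payment is arranged, confirm your details: https://marketplace.example.pay-confirm.test/order/4821",
    "Or use this one: https://marketplace.example@198.51.100.7/receive",
    "Your listing: https://www.marketplace.example/item/4821.",
]

def scan(chat):
    """Return (message index, flags) for every message that raises a flag."""
    return [(i, red_flags(m)) for i, m in enumerate(chat) if red_flags(m)]

if __name__ == "__main__":
    for index, flags in scan(SAMPLE_CHAT):
        print(index, flags)
```

Matching on the parsed hostname rather than on the raw string is what catches the two look-alike links: both contain the official domain as text, but neither resolves to it.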
Stop Classiscam Before It Reaches Your Customers
What began in 2019 as a localized, manual hustle has evolved into a global criminal franchise spanning more than 90 countries and siphoning over $64.5 million from targeted brands. The scam works because automation makes it fast: a Telegram bot generates a brand-specific phishing page in seconds, and a worker with no technical skills can run campaigns continuously. Traditional brand monitoring, scanning for fake pages and filing takedown requests one at a time, cannot keep pace with a scheme that regenerates infrastructure on demand.
Group-IB Digital Risk Protection (DRP) neutralizes Classiscam by cutting off the attack chain before it reaches your audience. Unlike traditional monitoring, DRP works from the inside out: analysts actively infiltrate Classiscam Telegram channels to map fraud networks at the source, then execute takedowns across entire infrastructures rather than individual pages.
- Cross-channel monitoring. The platform monitors domain names, search engines, social media, online classifieds, marketplaces, mobile app stores, instant messengers, and the dark web around the clock for unauthorized brand usage.
- Network-level detection. A proprietary neural network automatically flags up to 90% of violations. Rather than treating phishing sites as isolated incidents, it uses network graph analysis to map entire Classiscam fraud networks.
- Rapid enforcement. Phishing is Classiscam’s primary attack category. For phishing violations, CERT-GIB achieves a 100% pretrial takedown rate. Group-IB also engages law enforcement directly, using network attribution data to build cases against leaders of criminal groups.
Don’t let an automated franchise compromise your brand equity and customer trust. Contact our experts today to deploy a proactive, network-level defense against Classiscam.
