EverydaySecurity Blog

Security insights, fraud prevention strategies, and industry analysis from the Everyday Security team.

The Gentleman is a Bot and a Thief.

I’m kicking off EverydaySecurity’s blog with a post that pulls back the curtain on the AngelVanguard scam, revealing “Mr. Anthony, Senior Partner at Vanguard International and a long-time friend of yours” for what he is: a bot and a thief. Social engineering and crypto scams are top of mind for many of the fraud analysts I meet, so hopefully this resonates with you all.

Usually, Mr. Anthony is the fake account of an autonomous, human-assisted scam. While I hesitate to call him an “AI Agent” because of how little intelligence the bot demonstrates, Mr. Anthony probably meets the definition of one.

I’m calling this the AngelVanguard scam after the software package name used in the scam’s code. AngelVanguard is an autonomous scam software package that sends crypto-investing messages to victims via WhatsApp. It coordinates messaging across multiple accounts, some “human assisted”, to give the appearance of social proof in the scam. From what we can tell, nearly all of the WhatsApp accounts in their group chats are “sock puppets” - accounts created by the scam group to manufacture social proof of their legitimacy. Our analysis shows that both the original software was built by Chinese developers and that the current operator of the scam is based in Hong Kong.

When we first saw the AngelVanguard messages, it was clear that it was a scam, but it wasn’t clear HOW the group was monetizing their scam. Surely nobody would send (bad) investment advice for fun. And it was truly terrible investment advice. Many days, they pushed the target to trade an Ethereum contract with 50x leverage. For those not familiar with trading contracts, “50x leverage” means borrowing $50 for every $1 you put in, so you can lose fifty times your money. If you were trying to convince a mark you were a smart investor, this would backfire quickly when your mark lost all their money. But the sock puppet accounts exist to tempt victims before that happens:

Figure 1: Fake social proof of the “success” within the group. The most likely outcome of making such highly-leveraged trades regularly is large losses.

And the AngelVanguard scam tries to appear like a smart investor trading insider tips. Mr. Anthony, the primary voice of the scam, claims to work at “Vanguard International”, mimicking the brand trust of the real Vanguard. He posts long, technically detailed market analysis and investing advice on a daily basis. But Mr. Anthony isn’t a person, he’s a bot.

Figure 2: Fake profiles used in the scam. All appear to be human-operated in support of the autonomous scam software.

And Mr. Anthony's analysis isn't quite right. Not only does the bot use phrases no conversant English speaker would use, its math is really wonky (e.g., Intel is both up 3% and 200% for the year while being down in real life). His daily quotes are like clockwork, showing up every morning between 6 and 6:30 AM Pacific; for example:

Good morning, everyone. I'm Anthony Rodriguez, Senior Partner at Vanguard International and a longtime friend of yours. Life is too short and there are too many things to do. I have to size every second. (Edison) - Mr. Anthony

But the dead giveaway that this is software and not a human is a duplicated “Vince Lambardi” quote. Mr. Anthony sends out a daily inspirational quote, reusing quotes from time to time, and in two quotes “Lombardi” is spelled “Lambardi”, suggesting that this isn’t even an LLM-backed scam. The code probably isn’t more sophisticated than this pseudocode:

quotes = [
    "The difference between successful people and others lies not in their strength or knowledge, but in how persistent they are. (Vince Lambardi)",
]
msg = f"Good morning, everyone. I'm Anthony Rodriguez, Senior Partner at Vanguard International and a longtime friend of yours.\n\n{random.choice(quotes)}"
client = Client(ACCOUNT_SID, AUTH_TOKEN)
client.messages.create(body=msg, from_=f"whatsapp:{FROM_NUMBER}", to=f"whatsapp:{TO_NUMBER}")

What is this scam? Give people terrible investment advice? That can’t be right. How do these folks make any money?

One of the sock puppets gave us the answer: crypto account takeover and identity theft. The sock puppet accounts, which we believe were operated by a human, eventually all pushed an app called Onenco. Its website required registration with a legitimate email address (and even verified it) – fairly advanced for a scam website. Once registered, the target is pushed to install the Android or iOS app. The core apps purported to be crypto contract trading platforms.

By the time we interacted with this group, their APK had been removed from the Android store, so they were hosting it directly on the web and having the mark install it from the website. Interestingly, the IOS apps were still online when we investigated. We notified Apple and they took all three malicious apps down within a day.

From the four binaries we collected (one Android and three IOS), we identified that the scam does multiple things: steals the credentials of the account you use to fund the fake trading account, steals pictures of your state-issued ID, and installs a management profile on your device. Throughout the installation process, the sock puppet accounts offer to help the target setup and trade to ensure that they get past any installation hurdles and potentially to steal one-time codes sent to the target’s email.

Imagine the damage they could do with a picture of the target’s state-issued ID and bank login credentials. Not only could they steal money directly, the scammer could move on to identity theft either directly or by reselling the information to other criminal groups.


Figure 3: “Helpful” guidance from one of the sock puppet accounts includes annotated screenshots of how to install the malicious application.

Let’s step back a bit and pull apart the software from the operators, we’re confident the operator of the scam isn’t the originator of the scam - such packages are readily available on illicit marketplaces (perhaps on one of the Telegram Guarantee markets – see Gary Warner’s excellent work on those via his LinkedIn). The operator we identified appears to be based in Hong Kong but only posts during East Coast waking hours.

We filed takedown requests with Apple, Cloudflare, and (via Cloudflare) the underlying hosting provider. So far, only Apple has acted.


Figure 4: The malicious apps we downloaded from the Apple App Store

Our investigation yielded a few patterns:

  • Human-assisted autonomous scam software package manages the social engineering
  • Malicious web pages host the binary files that do the heavy lifting
  • Mobile apps steal credentials and the victim’s identity

With that pattern, it’s clear that we could protect more people by making the cost of operating such scams higher. Platform providers and security companies could make the world safer from these types of scams by doing the following:

  1. Apply threat intelligence and pattern matching to messaging platforms like WhatsApp. While WhatsApp happens to be the platform in this instance, most messaging platforms operate the same way.
  2. Make side-loading applications harder. Apple already disallows it and Google is implementing stricter side-loading requirements in September 2026 (kudos!).
  3. Improve vetting of apps in official stores - perhaps by blocking apps that reach out to command-and-control servers.
  4. Change the policies under which CDNs operate - while they don’t host the malicious servers, they certainly don’t have to offer their services to malicious actors (especially in situations where there’s observed malicious behavior).

Pulling the curtain back on scams and fraud only matters if we act. Publishing this post is part of that, but the intelligence shouldn't live in a blog post. It should be readily available in a technical form for analysts, investigators, and automated systems to leverage. If you're a fraud investigator or security analyst, the data is yours for free.


Figure 5: Mapping the technical details of the scam in Fraud Context

We've exposed the scam techniques and technical details of this scam in Fraud Context, our new platform for analysts and investigators. You can create a free account at https://context.everydaysecurity.ai/ to access the details of the AngelVanguard scam.

We’d love feedback on the blog and the details. Please reach out to me via LinkedIn or email (nick@everydaysecurity.ai). And if you’re interested in being a design partner or in having commercial discussions, please email info@everydaysecurity.ai.