Forbidden fraud: scammers disguise viruses as tools for circumventing blocks
Scammers have begun using the topic of bypassing Internet blocks as one of their main tools in attacks on potential victims. At the beginning of 2026, the number of such incidents increased by 38%, Izvestia has learned. The attacks involve phishing and the mass distribution of malware, from stealers to hidden miners disguised as "accelerators", VPN services and alternative clients of popular messengers.
How scammers use the blocking theme
Scammers actively use the current news agenda to manipulate potential victims. As a result, in the first months of 2026, data-stealing programs (stealers) and other malware have most often been distributed under the guise of tools for circumventing Internet blocks.
— In the first two months of 2026 alone, about 4,800 episodes of cyber attacks related to the proposal to "unblock" or "accelerate" services were recorded. This is 38% more than in the same period last year, explained Igor Bederov, founder of the Internet Search company.
He explained that most attacks begin not with hacking but with an ordinary message. The main delivery channels are messengers (46% of cases), e-mail (28%) and social networks (18%). It is there, in discussions where people emotionally share their access problems, that scammers are in their element. They offer a "special application", a "patch for acceleration" or "settings from the operator".
In particular, since the end of February 2026, the Arcane stealer has been distributed on video hosting sites under the guise of utilities for circumventing restrictions, said Leonid Bezvershenko, an expert at Kaspersky GReAT. The program is capable of stealing logins and passwords, bank card data, and information from browsers and crypto wallets, as well as collecting information about the system and taking screenshots.
— At least twenty videos with advertisements for such software have been recorded, with a total of tens of thousands of views. In parallel, in March, a campaign was revealed to distribute the hidden SilentCryptoMiner miner, which is installed on the user's computer and uses its resources to mine cryptocurrencies. At the same time, infection often occurs unnoticed — the malware disguises itself as a useful tool, and the installation process itself is accompanied by an imitation of "downloading" the desired application, he explained.
Such campaigns are a classic example of social engineering. According to Positive Technologies analyst Anna Vyatkina, attackers play on two factors: an emotional one, the fear of losing access to familiar services, and technical illiteracy.
— As a result, even obviously questionable proposals such as "offline messenger operation" or "full access without restrictions" find their audience. In addition to spreading malware through video hosting sites, phishing links with offers of free VPNs and proxies are widely used, which give attackers access to accounts, messages and banking applications, she said.
Fake help for users
A separate layer of threats is associated with messengers. As Evgeny Egorov explained, after Telegram was slowed down, attackers began mass-distributing bots and channels offering "circumvention of restrictions", which in fact hijack accounts or install Trojans. More complex schemes include installing modified versions of applications with supposedly enhanced features, from an integrated VPN to "anonymous" modes. In some cases, this ends with the device being locked through ID substitution and money being extorted for unlocking it.
According to Sergey Trukhachev, head of Smart Business Alert at EA PRO, since mid-February the topic of blocking has become a key trigger for fraudsters: in March alone, up to 150 new malicious and phishing resources appeared, from fake VPNs to sites with "offline versions" of online games. Additionally, attackers simulate file verification through well-known services to increase trust.
— At the same time, phishing is spreading under the guise of "official decisions": through hacked accounts, users are sent links to "votes" or contests leading to fake Telegram pages, where it is suggested to connect a proxy. In practice, this is used to intercept the verification code and hijack the account, said Sergey Trukhachev.
The scale of the problem is amplified by the demand economy. As Dmitry Zinoviev notes, the potential audience of paying users of such services reaches 10-15 million people, and the market volume is 60-90 billion rubles per year, which naturally attracts fraudsters.
At the same time, accurate statistics are impossible to compile: a significant part of the victims do not report being hacked, and malicious files are also spread through closed chats, says Phishman CEO Alexey Gorelkin.
Experts expect a further increase in the popularity of such schemes and emphasize that the key protection remains a critical attitude towards any proposals to "circumvent" restrictions, especially when it comes to installing third-party software or entering data on unknown resources.