An investigation into a coordinated cluster of verified X accounts manufacturing fake trading "success stories" to funnel victims into Telegram drainer bots.
The hook
Scroll Crypto Twitter for ten minutes right now and you will meet them: the retired delivery driver who traded "temperature volatility" into $8,130 in seven days. The 53-year-old from Thailand who "quietly generated $869,000" with an arbitrage bot. The guy who "used Claude to build a Quant Bot" and made $209,777 in 29 days. The dentist's patient whose wallet "hit 65%." The marketer from Turkey who walked away from his job and pulled $360,000 in a month.
Different faces, different countries, different dollar amounts. One script.
Every post lands on the same two payloads: a Telegram "copytrade" link (t.me/PolyGunSniperBot, t.me/KreoPolyBot, and rotating variants) and a Polymarket wallet to "follow." Every post is illustrated with a screenshot of a neon, sci-fi "trading terminal" bearing names like SYNAPSE QUANT TRADING PROTOCOL // MATRIX v6.0 or DENTAL VOLTAGE TERMINAL. Several carry the small grey tag most readers scroll right past: Paid partnership.
This is not a series of lucky traders. It is a single, industrialized fraud funnel. Here is how it works, why it works, and how to take it apart on sight.
What the screenshots actually show
Start with the images, because they are the easiest tells once you know what to look for.
The numbers break math. One post in the cluster — a "BTC giveaway" account — displays a portfolio screenshot reading $1,263,684,453,788.94 with a holding of 11,000,000 BTC. Bitcoin's entire supply is capped near 21 million and only ~19.9 million has ever been mined. The screenshot depicts a single person holding more than half of all Bitcoin in existence. It is not an exaggeration or a rounding error; it is a generated image that nobody bothered to sanity-check.
Elsewhere the claims are subtler but equally impossible: a 99% win rate over 3,100+ trades; "51% win rate" paired with "+2,140% in 29 days"; a 78.4% hit rate across 3,464 trades. Real markets do not leave edges like that lying around. A genuine 99% win rate sustained over thousands of trades would mean the rest of the market is handing one wallet free money for a month straight — which would be arbitraged away almost instantly. The few legitimate big winners on prediction markets win on position sizing and conviction, not on near-perfect hit rates across thousands of micro-trades.
The terminals are AI-generated mockups. Zoom into any of the "trading terminals" and the text disintegrates: garbled labels (TRANSCEIVER ACTIVE, SYNAPSE DATA INGESTION HIGH-SPEED PIPEL), misaligned columns, numbers that do not add up between panels, and outright word-salad "formulas" like:
((BTC impulse speed × market hesitation) + volatility) × position scaling = asymmetric money glitch
That sentence is meaningless. "Impulse speed" and "market hesitation" are not quantities anything measures. The phrase "asymmetric money glitch" is the giveaway — it is marketing copy dressed as math. The image generators that produce these terminals cannot render coherent interface text, which is precisely why every panel looks like a screenshot from a movie about hacking rather than a real exchange.
Real Polymarket does not look like this. The actual Polymarket interface is a clean, light-or-dark web app showing markets, shares, average entry, and PnL. It has no neon force-graphs, no "NEURAL HFT DEEP INFERENCE ENGINE," no Matrix rain. When one of the posts does show what looks like a genuine Polymarket profile screen (the "Countryside" sports-betting profile, the "prostoludoman" PnL card), that is the tell in reverse: a real-looking profile is pasted in to lend credibility, but you are still being routed to a Telegram bot, not to anything you can independently verify.
The business model: why these posts exist
There are two revenue streams stacked on top of each other, and understanding both explains every design choice in the posts.
Stream 1: The Telegram drainer
The "copytrade" link is the actual weapon. Polymarket Telegram trading bots are a real product category — tools like PolyGun, Polycule, and PolyCop genuinely exist and let users browse markets, place orders, and mirror "profitable wallets" without leaving Telegram. That legitimacy is exactly what the scam borrows.
The problem is what these bots require to function: they create an in-app wallet, custody your keys in the background, sign transactions on your behalf, and ask you to deposit USDC or bridge funds in. Once you have funded a bot you do not control, the exit is trivial for whoever runs it. The risks are not hypothetical:
- In January 2026, the Polymarket Telegram bot Polycule was hacked for roughly $230,000 in user funds, forcing the team offline to patch and promise reimbursement.
- In December 2025, security researchers (including SlowMist's CISO) flagged a
polymarket-copy-trading-botGitHub repository carrying deliberately disguised malicious code that scanned local config files, extracted private keys, and shipped them to a remote server. The malicious logic was revised across multiple commits specifically to evade detection.
So even the "real" copytrade bot ecosystem has documented incidents of theft and key exfiltration. The scam accounts simply skip the pretense — the bot is the trap. Deposit, and your money is gone; connect a wallet, and a malicious approval drains it.
Stream 2: X's own engagement economy
The "Paid partnership" tag on several posts is not incidental — it points at the second income stream. X's creator monetization program shares ad revenue with verified accounts based on engagement from other verified (Premium) users. Crucially, finance and crypto command some of the highest CPMs on the platform, often many times higher than humor or general content. That single fact explains why this fraud genre is saturated with dollar amounts, BTC tickers, and "quant" jargon: high-value niche, high-value engagement, high-value payout.
The mechanics reward exactly the behavior we see:
- Eligibility requires an X Premium subscription and a few million impressions over 90 days — a low bar for a purchased account.
- Payouts scale with verified-user engagement (replies, quotes, bookmarks), so the posts are engineered to provoke responses. The "giveaway" posts asking you to like, retweet, and comment "Done," and the "pick a lucky number 29–70" reply bait, are pure engagement farming.
- X has publicly acknowledged the problem: in 2026 the platform discussed demonetizing AI deepfakes and assigning "permanent deductions" to habitual
BREAKING-style bait posters. The incentive to manufacture viral, advertiser-adjacent content is structural.
In other words: even followers who never click the Telegram link are monetized. Your outrage reply pays the scammer.
This is a known, mapped operation
The single most important piece of context: this is not a novel discovery, and the pattern has already been documented by on-chain investigators.
In March 2026, ZachXBT exposed a coordinated network of 10+ X accounts running precisely this playbook. His documented process:
- Buy aged accounts that already carry followers and a posting history.
- Post emotionally charged, viral-friendly content (his examples used war and geopolitics; the Polymarket cluster uses get-rich "trading" stories — same emotional lever, different bait).
- Repost it from sibling accounts in the network to amplify reach.
- Attach a fake giveaway or a direct scam, then change the username to cover tracks and recycle the account.
He also flagged the social-engineering multiplier: large, legitimate accounts that reply in the comments — to dunk, to question, to joke — unknowingly boost the post's reach, feeding the very algorithm the scammers are gaming.
The Polymarket "AI quant" cluster is a topical variant of the same machine. The structural fingerprints all match: AI-generated profile pictures, near-identical post architecture ("This guy used Claude…", "I found another trader on Polymarket…", "A 53-year-old from Thailand quietly…"), synchronized posting windows, the same handful of Telegram destinations, and "Paid partnership" disclosures betraying the monetization motive.
Regulators are moving on the broader category too. On December 22, 2025, the SEC charged three crypto trading platforms and four "AI investment clubs" over a $14M fraud that funneled retail victims from social media into sham platforms and "AI node" schemes. FINRA separately reported a 300% jump in complaints about fraudulent "investment groups" that originate on Instagram or Facebook and migrate into encrypted chats. The closed Telegram/WhatsApp funnel is now a primary venue for retail crypto fraud — and that is exactly where these posts push you.
The Anthropic / "Claude" angle
Several posts specifically invoke "Claude" — "This guy used Claude to build a Quant Bot," "связался с Клодом, за месяц 360 000 долларов" ("got into Claude, $360,000 in a month"). This is brand impersonation, and it follows a documented pattern: the SEC's December action centered on "AI-branded" group chats and deepfake guru marketing, because slapping a credible AI name on a scheme launders it.
There is a real, mundane phenomenon being parasitized here. People genuinely do use AI coding assistants to build market-monitoring tools — one widely-shared account described using Claude and Cursor to build a Polymarket alert system (it flagged unusual wallet activity; a human still made every trade and managed risk). That is a world away from "I plugged Claude into a money glitch and it printed $360K." The scammers compress the believable (AI helps you write code) into the impossible (AI guarantees returns) and bolt a Telegram drainer onto the end.
For the record: Anthropic does not produce trading bots, and no legitimate AI product delivers the returns these posts advertise.
A note on verification and method
In reporting this out, on-chain confirmation of the one fully-visible wallet (0x937bcac3a8a30c07d827ad0550c3fe3a6756bfab, the "bhuumi" profile) was attempted but the Polygon block explorer endpoint was unavailable at the time of writing. Readers can verify it themselves on Polygonscan or Polymarket's public analytics. This is worth stating plainly, because it is also the antidote to the whole genre: every claim in these posts is supposedly on a public blockchain, yet the posts route you to a private Telegram bot instead of a verifiable address. When the "proof" is a glowing PNG and the "opportunity" is a chat link, the burden of proof has been quietly inverted. A genuinely verifiable wallet needs no Telegram bot attached.
Note too that even the real Polymarket profile screenshots prove less than they appear to. A Columbia University study published in late 2025 estimated that roughly 25% of Polymarket's historical volume was likely wash trading, peaking near 60% of weekly volume in December 2024 — wallets trading with themselves to inflate stats and chase rankings or airdrop eligibility. A screenshot of a high-volume, high-PnL profile is not, by itself, evidence of a repeatable strategy you can copy.
How to dismantle one on sight
A field guide, in descending order of speed:
- Is there a Telegram "copytrade" link or a "follow this wallet" CTA? That is the payload. Stop here.
- Do the numbers obey reality? Trillion-dollar portfolios, 11M BTC, 99% win rates over thousands of trades, "+2,140% in 29 days." If the math is impossible, the post is fake.
- Zoom into the "terminal." Garbled text, nonsense "formulas," Matrix aesthetics, names like SYNAPSE/NEXUS/VOLTAGE = AI-generated mockup, not software.
- Check for "Paid partnership." It tells you the post exists to be monetized, not to inform.
- Look at the account pattern. AI-generated avatar, recent username changes, a cluster of near-identical posts from "different" people within hours.
- Apply the core axiom: Anyone with a real 99% / trillion-dollar / "money glitch" strategy has zero incentive to share it with strangers via a Telegram bot. The pitch is the scam.
If you have already engaged
- Do not deposit funds into any of these bots, connect a wallet, or send crypto to any "giveaway" address. The "send X to receive 2X back" giveaway is the oldest play in the book — documented losses include a single victim who sent 26.4 BTC (~$1.14M) to a fake Michael Saylor giveaway.
- If you connected a wallet to one of these bots: move your funds to a fresh wallet immediately and revoke all token approvals (via a tool like the standard approval-checker for the relevant chain) before the malicious contract can pull them.
- Report and block each account. On X, use the scam/financial-fraud report category. Reporting matters more than it feels like it does — the monetization program is impression-driven, and mass reports plus non-engagement are what actually starve it.
- Do not dunk in the replies. A quote-tweet calling it a scam still feeds verified engagement into the post's reach and the scammer's payout. Report, block, move on.
The takeaway
This is not a story about clever trading. It is a story about an assembly line: buy aged verified accounts, generate sci-fi "proof," wrap it in a believable-sounding AI narrative, post in synchronized waves, monetize the engagement on the way in, and drain the funds on the way out through a Telegram bot. The "weather markets" driver, the Thai arbitrageur, the dentist's wallet, the Claude quant — they are not people. They are templates.
The defense is unglamorous and total: treat any "I made $X on Polymarket, copytrade me on Telegram" post as fraud by default, verify nothing through a chat link, and remember that on a public blockchain, real proof never needs a private bot.
A small note on what I do build
I run PolySignal, a Telegram alert service for Polymarket. It is the opposite of what this article is about: it never holds funds, never asks for a wallet or a private key, never trades for you. It watches public on-chain activity on wallets you choose to follow and sends you a Telegram message when those wallets trade — with the wallet's actual track record attached, so you can judge the move yourself.
It is an information service, not a copytrade bot, and emphatically not a "money glitch." That distinction is the entire reason I'm publishing this piece.
Honest disclosure: PolySignal reports on public on-chain activity. It is an information service, not financial advice. Polymarket isn't available in every region — check yours.
Reporting notes: This investigation draws on public reporting of the Polycule bot hack (Jan 2026), the SlowMist-flagged malicious copy-trading repo (Dec 2025), ZachXBT's March 2026 thread on coordinated scam-account networks, the SEC's Dec 22 2025 action against AI-branded trading-club fraud, FINRA's alert on investment-group scams, the Columbia University study on Polymarket wash trading (Nov 2025), and X's published creator-monetization mechanics. On-chain wallet confirmation was limited by block-explorer downtime at the time of writing and is independently verifiable by readers.
Top comments (0)