Mammoth Scam History, Tactics, and Defenses


Who are we dealing with?

The Mammoth scheme is not about fossils. It mirrors a mindset where greed outruns caution, a brutal reminder that many fall for scams. The idea that there will always be willing targets keeps fraud profitable for those who run these schemes. This truth explains why the scam continues to evolve and spread across many markets.

The early waves of this operation were identified in 2019, with a renewed surge in 2020. Experts from FACCT, formerly known as Group-IB, noted that at the time the scheme was commonly labeled Courier. The name reflected the surface layer of the tactic: posing as a trusted courier service to lure victims into paying for non-existent deliveries.

Fraudsters used targeted ads to promote listings for popular products at strikingly low prices. Victims were redirected to messaging apps such as WhatsApp, Telegram or Viber, where they were sent a payment link. That link opened a counterfeit courier service site containing a form to enter bank card details. When the victim submitted the data, the site fed it into a hidden card-to-card transfer system that moved money directly to the attacker, bypassing any real purchase. The result was not a purchase but a financial transfer to the fraudsters, made plausible by the imitation of a well-known delivery brand. The scheme earned the name Courier because of this surface impression of a courier service.

In 2020 the COVID-19 pandemic increased the demand for home delivery, helping the scheme spread rapidly across Russia. Platforms hosting classified ads began to crack down on scammers, which pushed the attackers to rebrand the operation as Mammoth and broaden their reach beyond ordinary product ads to include cars, apartment rentals, travel companions and more. The core strategy did not change: lure the victim on a legitimate platform, move the conversation to a messenger, and present a fake payment page that seizes funds instead of completing a purchase.

By 2021 the plan had global reach, affecting residents in countries including Romania, Bulgaria, France, Poland, the Czech Republic, the United States, Ukraine, Uzbekistan, Kyrgyzstan and Kazakhstan. The rapid expansion was fueled by the low barrier to entry into the ecosystem and the high potential returns for participants involved in the operation. At the height of that period, dozens of groups operated on the dark web, each led by a principal administrator who created scripts to manipulate victims and maintained dozens of fake sites and payment pages. Administrators on the darknet or via Telegram recruited workers who produced fake ads, located victims, and guided the fraud through its many stages. In this ecosystem more than five thousand workers operated within forty closed Telegram chats, with a single group earning as much as two hundred thousand rubles per day and millions of rubles per month. Workers took a large share of the profits, often around eighty percent, while organizers kept the rest to fund their operations.

Over time the business matured. Newcomers could gain access to advertising accounts, counterfeit phone numbers, and even legal support to contest potential cases. The overall system grew to resemble a large, organized network that stretched across multiple platforms and regions, with coordinated roles and payment pipelines that kept the frauds flowing.

New “Mammoth”

The method proved remarkably effective, prompting attackers to expand and refine it. As of November 1, 2024, FACCT reported sixteen distinct Mammoth groups operating mainly against Russia and the Commonwealth of Independent States, involving more than twenty thousand cybercriminals. Last year alone saw the scheme steal well over a billion rubles from Russian victims. The momentum did not fade; law enforcement labeled Mammoth a major cybercrime trend in 2024 as the pre-Christmas shopping season approached, with attackers leveraging malware to automate the fraud once a file is installed on the target device. A purported delivery app download link delivered the malicious software, enabling ongoing thefts without further direct intervention from the attacker.

Security authorities described the spyware embedded in these apps as capable of stealing money from bank accounts by capturing entered card data and any SMS verification codes. The criminals used deceptive app installations that promised safe transactions, including fake client apps designed to lure users into downloading malicious Android packages. In other cases, victims were invited to download a bogus logistics app under the pretense of tracking shipments. In one variant, victims were urged to download a malicious file directly from the payment page of a fake order, rather than via a Google Play link as before. The consequence is grim: attackers can drain funds and potentially obtain credit for further thefts, widening the damage they cause.

Anti-scam techniques

The strongest defense against these frauds is sound digital hygiene and a healthy dose of skepticism. Unusually profitable offers almost always merit extra verification, especially when the scheme targets buyers at the moment of purchase. On marketplaces, listing sites, or rental platforms, discussions should stay on the service’s site or app; moving to instant messengers or social networks exposes the buyer to malicious links and files that the platform’s protective algorithms would otherwise have filtered out.

If an offer arrives via social networks, messaging apps, or even email, it should be treated with suspicion and ignored unless it can be confirmed through official channels. A quick cross check against the company’s official site helps reveal typos, mismatched branding, or other telltale signs of a fraudster. A familiar contact may still be compromised, so it is wise to verify by calling through the official customer service line rather than replying to the message.

Brands themselves have become active defenders against Mammoth by deploying domain monitoring tools that identify fake sites quickly. Neural networks and other automated systems are increasingly used to spot newly registered fraudulent domains and alert brand owners so they can be blocked before customers are harmed. Telegram recently began sharing the IP addresses and phone numbers of rule breakers, a policy change that dampened the revenue of many fraud groups. Yet experts warn that this is only a temporary setback; fraudsters quickly adapt by migrating to other platforms and by setting up new forums on the darknet and other networks. In the view of security researchers, Mammoth will not disappear in the near term as long as profitable opportunities exist, and the attackers will migrate rather than retire their operations.
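The domain monitoring described above can be illustrated with a small lookalike-domain scorer. This is an added example, not code from the article or from any monitoring vendor; the brand names, legitimate domains and sample feed are constructed placeholders, and the homoglyph and lure-word lists are assumptions about typical fake courier and payment sites.

```python
from difflib import SequenceMatcher

# Constructed list of monitored brands and their legitimate domains
# (placeholders for the article's "well-known delivery brands", not real companies).
LEGIT_DOMAINS = {"examplepost": "examplepost.com", "quickcourier": "quickcourier.ru"}

# Digit/letter pairs fraudsters swap for look-alikes, mapped back to the letter imitated.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Words a fake payment or tracking page typically glues onto the brand name (assumed list).
LURE_WORDS = {"delivery", "pay", "payment", "order", "track", "secure", "courier"}


def registrable_label(domain: str) -> str:
    """Second-level label: 'pay-examplepost' for 'www.pay-examplepost.xyz'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def undo_homoglyphs(label: str) -> str:
    """Heuristic: map common substitutions back, e.g. 'examp1epost' -> 'examplepost'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def score_lookalike(domain: str) -> dict:
    """Return the closest monitored brand, a 0..1 similarity and the signals that fired."""
    result = {"domain": domain, "brand": None, "similarity": 0.0, "signals": []}
    if domain.lower() in LEGIT_DOMAINS.values():
        return result  # the brand's own site is never a lookalike
    raw = registrable_label(domain)
    label = undo_homoglyphs(raw)
    # Drop hyphen-separated lure words so 'pay-examplepost' compares as 'examplepost'.
    core = "".join(t for t in label.replace("_", "-").split("-") if t not in LURE_WORDS)
    signals = ["homoglyph"] if label != raw else []
    if core != label.replace("-", "").replace("_", ""):
        signals.append("lure_word")
    for brand in LEGIT_DOMAINS:
        sim = SequenceMatcher(None, brand, core).ratio()
        if sim > result["similarity"]:
            extra = ["wrong_tld"] if raw == brand else []  # brand name on a foreign TLD
            result.update(brand=brand, similarity=round(sim, 3), signals=signals + extra)
    return result


def flag_lookalikes(domains, threshold=0.8):
    """Keep only the newly seen domains worth a blocklist or takedown review."""
    return [r for r in map(score_lookalike, domains) if r["similarity"] >= threshold]
```

Feed it newly observed domains from a certificate transparency log or passive DNS; for example, `flag_lookalikes(["examp1epost.xyz", "pay-examplepost.com", "weather-news.org"])` returns the first two with their signals and leaves the unrelated domain out.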
