Friday, January 23, 2026

The Scam That Looks Legit: A “Truman Show” for Investors

An elite group of investors, “analysts,” daily market commentary, regulations, contracts, and even an app available in an official store—this is what the latest scam powered by artificial intelligence looks like. Described by Check Point Research as the OPCOPRO “Truman Show Scam,” it is not a single phishing attempt but a synthetic world in which every element is designed to reinforce one lie.

The “Truman Show Scam” differs from what we are used to. Instead of malware or crude websites impersonating banks, criminals build a coherent narrative: a community, experts, documents, results, “partnerships,” and even media presence. Everything is generated or controlled by the attackers. The victim does not receive a single suspicious message, but is drawn into a series in which every episode is meant to lead to a payment.

How the “Truman Show Scam” works, step by step

The contact begins with SMS messages, messaging apps, or advertisements. The message is simple: an “exclusive program,” “above-average returns,” “limited spots.” The goal is not an immediate transfer, but moving the conversation into a private WhatsApp or Telegram group, where emotions and skepticism are easier to control.

Inside the group, a full performance awaits: “experts” and “participants” converse fluently in the local language, post professional-sounding market commentary, share daily “profits,” amplify enthusiasm, and apply social pressure. There is no criticism and no doubt—only constant positive reinforcement and the sense that “everyone is making money.” This is classic social engineering wrapped in modern tools.

According to security analysts at Check Point, a key twist then appears: the victim receives instructions to install an “official” OPCOPRO app from legitimate app stores. The app does not have to contain malicious code. It is “malicious by design”—often just a WebView, a shell that displays content from a server. There is no real trading, but there are server-generated charts, transactions, and balances. As a result, everything on the phone looks like a genuine investment platform.

After installing the app comes “identity verification” (KYC): an ID card or passport and a selfie or biometric data. Then comes the deposit—via bank transfer or cryptocurrency. In the end, the user loses money and personal data that can be used for further crimes.

Artificial intelligence is not a “gadget” here, but a force multiplier. It makes it possible to scale multilingual conversations, maintain consistent personas without a large human team, automate emotional manipulation, and quickly transfer the scheme between countries and brands. This shifts fraud from “opportunistic hunting” to repeatable systems that industrialize trust-building.

Although it may appear to be “just a consumer scam,” in practice the consequences can extend into organizational security:

  • Identity theft facilitates account takeovers: an ID document plus a selfie is a powerful combination for attempts to bypass safeguards (e.g. attacks on account recovery processes, impersonation in contacts with help desks).
  • Financial pressure creates insider risk: a person who has lost money and is being intimidated or “pushed” into further payments becomes more susceptible to blackmail and manipulation.
  • The phone as the weakest link: an app that looks “normal” and is available in an official store can bypass user vigilance and some corporate controls, while still leading to high-risk actions.
  • Social engineering against IT support becomes easier: when attackers have “evidence” (data, documents, a credible backstory), the effectiveness of fraud attempts increases.

How can you defend yourself against the entire fraud ecosystem?

As researchers at Check Point Research emphasize, simply saying “check whether the link looks suspicious” is far from enough. The scam works as a funnel (messenger → group → app → KYC → deposit), so the entire pattern and infrastructure must be considered—not just a single artifact.

Advice for individuals:

  • Treat unsolicited “investment opportunities” as inherently risky.
  • Verify companies through official registers and regulators, not through chat links.
  • Do not send documents and selfies to unknown “KYC” platforms.
  • Remember: crypto deposits are practically irreversible.

Advice for companies:

  • Increase vigilance around WebView-based financial apps and the entire “ecosystems” built around them.
  • Look for clusters of domains and infrastructure linked to apps and campaigns.
  • Detect behavioral funnels: chat → app → KYC → payment (often more diagnostic than the code itself).
  • Provide employees with an easy way to report incidents if they fall victim—because “shame” and silence increase the risk of secondary abuse.
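
The funnel detection suggested in the list above, as an added example (not from the article or from Check Point Research): it correlates events per user and flags anyone who advances through three or more funnel stages, in order, within one time window. The stage labels, log format, 14-day window and threshold are assumptions; the labels stand in for whatever proxy, MDM, DLP or self-report telemetry an organization actually has.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Funnel order from the article; stage labels are hypothetical classifier output.
FUNNEL = ["messenger_lure", "group_join", "app_install", "kyc_upload", "deposit"]
RANK = {stage: i for i, stage in enumerate(FUNNEL)}

# Constructed sample telemetry: "<ISO timestamp> <user> <stage>"
SAMPLE_LOG = """\
2026-01-05T09:12:00 alice messenger_lure
2026-01-05T18:40:00 alice group_join
2026-01-06T08:00:00 bob app_install
2026-01-08T20:15:00 alice app_install
2026-01-09T07:30:00 carol messenger_lure
2026-01-10T10:00:00 bob messenger_lure
2026-01-11T21:05:00 alice kyc_upload
2026-02-25T12:00:00 carol app_install
2026-02-26T12:00:00 carol kyc_upload
"""

def parse(log):
    for line in log.splitlines():
        ts, user, stage = line.split()
        if stage in RANK:  # ignore events outside the funnel
            yield datetime.fromisoformat(ts), user, stage

def longest_progression(events, window):
    """Longest chain of strictly advancing stages inside one time window."""
    overall = []
    for i, (start, _) in enumerate(events):
        best = {}  # rank -> longest chain ending at that rank
        for ts, stage in events[i:]:
            if ts - start > window:
                break
            r = RANK[stage]
            prev = max((c for q, c in best.items() if q < r), key=len, default=[])
            if len(prev) + 1 > len(best.get(r, [])):
                best[r] = prev + [stage]
        overall = max([overall, *best.values()], key=len)
    return overall

def detect_funnels(log, window=timedelta(days=14), min_stages=3):
    per_user = defaultdict(list)
    for ts, user, stage in sorted(parse(log)):
        per_user[user].append((ts, stage))
    hits = {u: longest_progression(ev, window) for u, ev in per_user.items()}
    return {u: chain for u, chain in hits.items() if len(chain) >= min_stages}

if __name__ == "__main__":
    print(detect_funnels(SAMPLE_LOG))
```

Alerting at three stages rather than five leaves room to intervene before the deposit; stages missing from telemetry are tolerated, but stages seen in the wrong order do not count.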

In the “Truman Show Scam,” the victim is not deceived by a single lie. They are surrounded by lies so tightly that the world appears coherent: an app, a community, experts, results, documents—everything supports one narrative. And since trust can now be mass-produced, security must operate systemically—analyzing behaviors and ecosystems, not just “suspicious files.”

Source: [https://ceo.com.pl/truman-show-scam-elitarna-grupa-inwestorow-codzienne-komentarze-rynkowe-wykresy-i-eksperci-ktorzy-nie-istnieja-56322]