Other
The Impersonator Playbook: How Scammers Clone Identities in OFM Telegram Groups
One character swap. One fake screenshot. One trusted-sounding name. That's all it takes to drain an OFM operator's wallet before they realize what hit them.
Updated Jun 2026 · sourced from 17 YouTube creators and 8 operator groups
Key takeaways
- Scammers replace lowercase 'l' with uppercase 'I' in usernames — visually identical, totally different account.
- Real BTZ (@btzofm) never DMs you first and never sells directly — any DM is an impersonator.
- Fake middleman @marbal mimics @marshal; one operator lost $300 in a documented case.
- A fake OnlyMonster dashboard dated 2016 was used to social-engineer entry into a VIP group.
- Always verify the exact username, not the bio — and always create the middleman group yourself.
Someone messages you. The name looks right.
The profile picture looks right. The username looks almost right.
That's the whole game.
OFM Telegram groups have become a hunting ground for a specific, technically simple but socially devastating class of fraud — identity cloning. Not deep-fake AI, not elaborate hacking.
Just Unicode, patience, and the assumption that busy operators move fast and check slowly.
Here's exactly how it works, documented across multiple operator group conversations spanning December 2025 through May 2026.
The One-Character Trick That Keeps Working
The core technical exploit is embarrassingly low-tech: swap a lowercase letter 'l' for an uppercase 'I' (capital i).
In most Telegram fonts, the two characters are pixel-for-pixel identical.
So @liquidback becomes @iiquidback. @btzofficiai — note that last 'i' — mimics the real handle. Multiple operator groups flagged both examples across separate conversations between January and May 2026.
That's not one report. That's a pattern.
This isn't a one-off. Operators across at least four separate groups have flagged the uppercase-I-for-lowercase-L swap as the single most common username-spoofing method in use right now.
The defence is painfully simple and almost never applied: tap the username and read it character by character before any money moves.
The BTZ Ecosystem: Most-Cloned Brand in the Space
No single identity has been cloned more aggressively in these communities than BTZ — a known Telegram marketplace handle. The real account is @btzofm.
The impersonator account is @btzofficiai (that final 'l' is a capital I).
The core fact, corroborated across at least four distinct operator groups from December 2025 through May 2026: the real BTZ never DMs you, and never sells directly.
One group noted separately that the BTZ marketplace has been inactive, meaning any BTZ-branded account sliding into your DMs with an offer is — definitionally — not real.
The scam structure is simple. The impersonator DMs with a deal, builds rapport, collects payment, disappears.
One reported loss: $900, flagged by operators in early 2026. That's not the ceiling — it's just what got reported.
If @btzofm is in your DMs, close the conversation.
The Middleman Con: @marbal vs. @marshal
Middlemen — escrow figures who hold funds during a transaction and release them once both parties confirm — are a genuine trust infrastructure in OFM Telegram. The problem: they're also the perfect social-engineering target.
The widely vouched middleman in these communities is @marshal. The scammer account is @marbal.
This isn't the uppercase-I trick. It's a straight-up alternate username chosen to be misread at a glance.
One operator reported losing $300 to @marbal in late 2025 — the scammer had also built a fake vouch channel to simulate legitimacy. A separate operator group documented a different fake marshal variant where the scammer deleted the group after receiving payment.
**One loss. Two separate documented fakes.
Same underlying playbook.**
The operational rule that multiple groups have converged on: the buyer — not the seller — should create the middleman group. You add the middleman yourself.
If someone else proposes the MM and hands you a link, assume it's compromised.
Other vouched middleman handles mentioned across operator chatter (late 2025 – early 2026) include @laugh, @bluemm, and @henri77. Anyone pushing an unknown MM outside this set is, per operator consensus, a red flag.
That said: this is group chatter, not a verified registry. Treat it as a starting point for due diligence, not a guarantee.
The Fake OnlyMonster Dashboard
This one is creative, and worth understanding in full.
A scammer — identified in operator chatter as @OFmrW in early 2026 — sent a fabricated OnlyMonster revenue dashboard as proof of earnings to gain entry into a VIP operator group. The tell: the dashboard was dated 2016.
OnlyMonster didn't exist in 2016. The scammer either didn't check or didn't care, banking on the recipient not checking either.
This is a single reported incident — one group, one mention, not corroborated elsewhere in the evidence set. Treat it as one unverified data point. But the underlying tactic — screenshot forgery for social-proof access — is consistent with the broader pattern of identity fraud documented across the space.
The defence here isn't technical. It's epistemic: a screenshot proves nothing except that someone has Photoshop. Any claim of revenue, performance, or affiliation in a high-stakes context should be verified through a source you found independently, not a file someone sends you.
Fake Channels, Fake Bots, Fake Moderators
BTZ isn't the only brand being cloned. Operator chatter from early 2026 flagged @DropzyWorld and @DropzyWorldOF posing as a CupidBot moderator running fake 'identity checks' — a social-engineering pretext to harvest information or money under the guise of security.
Separately, one operator noted that Oura — a known group in the space — has no marketplace. Accounts claiming to run an Oura marketplace are, per this report, impersonators.
The common architecture: take a trusted brand name, build a lookalike channel or account, insert yourself into a transaction flow, collect. It works because OFM operators are busy, deals move fast, and nobody wants to be the person who held up a legitimate transaction by asking too many questions.
Being the person who asks too many questions is now a competitive advantage.
What Operators Disagree About
It's worth being honest about where the chatter diverges, because not everything is settled consensus.
On fake traffic vendors: Some operators flag specific accounts (@tosyme, @mmtosy) as fake-traffic sellers who caused OnlyFans chargebacks of around $2,000. Others in different groups mention entirely different scam accounts.
There is no single agreed list of bad actors — the names rotate, accounts get banned and reborn, and any list is stale within weeks.
On verification methods: Most operators agree on checking exact usernames. But the level of paranoia varies.
Some treat any new account as suspect; others note that brand-new Telegram accounts get restricted from messaging until aged, meaning a legitimate new contact might look suspicious by that metric alone. One group suggested adding and labelling contacts in Telegram so incoming messages whose display name doesn't match your saved label trigger immediate suspicion — a practical system, though it requires advance setup.
On middlemen: The vouched handles named across groups are consistent, but no one has a canonical source of truth. One group lists four trusted MMs; another mentions only one.
Whether these handles remain uncompromised is something operators cannot verify from the outside.
Where sources conflict, neither side gets a free pass. The honest position: maintain your own verification process, don't outsource trust to a group list you didn't build yourself.
The Verification Protocol: Minimum Standard
Across all the chatter, a practical checklist emerges. These aren't theoretical — they're the distillation of what operators who didn't get scammed apparently did.
Username verification:
- Read the username character by character. Not the display name — the @handle.
- Check for capital I substituting lowercase l. Check for zero substituting O. Check for rn substituting m.
- Verify in the username field, not the bio — bios can say anything.
Middleman hygiene: - You create the MM group. You add both parties. You add the middleman yourself from a handle you've independently verified. - Never accept a group link from a counterparty in a deal. - Message the MM directly before any transaction to confirm they're active and aware of the deal.
Screenshot scepticism: - Any dashboard, revenue proof, or vouch screenshot is unverifiable on its own. Check metadata where possible; look for anachronisms (a 2016 date on software launched in 2020, for example). - Ask for something dynamic — a live screen share, a timestamped action — if the stakes are high enough.
Account age signals: - Operator chatter consistently notes that brand-new Telegram accounts get messaging restrictions until aged. A zero-history account reaching out with an urgent offer is a compounded red flag. - Multiple groups suggest preferring accounts with at least verifiable group membership history in known communities.
The DM rule: - If a well-known marketplace admin, tool vendor, or channel owner DMs you first with an offer, that's the red flag, not the green light. Legitimate operations don't cold-DM. The BTZ case makes this explicit, but it applies broadly.
The Bottom Line
The scams documented here aren't sophisticated. That's what makes them dangerous.
A $900 BTZ impersonation. A $300 fake middleman loss.
A $1,400 taken by an account using a villain's display name. A fake revenue dashboard from a year the software didn't exist.
These aren't elaborate hacks — they're attention-economy attacks, exploiting the fact that operators in fast-moving group chats make split-second trust decisions.
The defence costs you thirty seconds per transaction: read the username, character by character, in the username field. Create the middleman group yourself.
Treat any unsolicited DM from a 'known' figure as an impersonation until proven otherwise.
Thirty seconds. Every time.
No exceptions.
The operators who got burned weren't careless people — they were busy people in a space that deliberately manufactures urgency. Slow down exactly once per deal, and the entire playbook falls apart.
Sources
Community intelligence: 53 operator claims aggregated from 8 separate private OFM groups (Dec 2025–May 2026), corroboration counted across groups. Group identities are withheld to protect sources; browse the underlying intel in the Community Intel Wiki.