Samfw.com Scam - Fraud & Trojan RAT Malware : SamFWTool Theft (XMR)

[craftyart1010]

Scammer name: Đặng Thanh Tùng (also shown as Tungtata / Đặng Thanh Tùng) Based in Hanoi Capital of Vietnam

https://talkimg.com/images/2026/06/24/U1KWz5.jpg

https://talkimg.com/images/2026/06/24/U1KBmC.png

Role stated: founder / main developer of “SamFW” and MiFirm.net (from About page at Samfw.com)
Education stated: Quang Ninh Industrial College (from About page at Samfw.com)
Named partner/founder: Thang; partner and founder of LeHuy Technology Company (from About page at Samfw.com)

Company / registered entity: SamFW Global LLC

Location listed publicly: Boulder, Colorado, United States

Developer country listed publicly for Đặng Thanh Tùng: Vietnam
Additional public connections: listings linking the service to Quynh Chi Investment and Technology Co. Ltd. (Hanoi, Vietnam); and repeating Boulder, Colorado for SamFW Global LLC.


A family member installed “SamFW Tool” from samfw.com on Jun 23, 2026. Shortly after installation, 10,000 XMR (about $3 million) were withdrawn from the Feather Wallet, and everything in victim’s computer data was deleted.

https://talkimg.com/images/2026/06/24/U1KIsD.png

After installing samfwtoolsetup_v5.4.zip, the scammer tungtata stole the funds from the Feather Wallet. After the theft, they removed and modified the original tool package to reduce evidence. The download is now replaced with a revised version labeled SamFwToolSetup_v5.5.1.zip.

After the scam, the photo of the incident was taken on a phone. Later, the scammer updated their website and removed that specific version of the tool.

Source: https://samfw.com/blog/samfw-frp-tool-1-0-remove-samsung-frp-one-click

We want to report a serious suspected theft and cybercrime to Vietnamese police (cyber unit). We believe the tool contains sophisticated malicious functionality, potentially including hidden remote access or wallet monitoring. We’re seeking help from the community to gather and document evidence, including additional information about the responsible parties. If you are in Vietnam and can assist, you will be rewarded for your help. Please share any relevant findings here. For urgent information, you can contact us via email: 96238132834@proton.me

We already reported this case to several Vietnamese crypto exchanges, but we still need further assistance. Any additional help would be greatly appreciated and will be rewarded.

After the scam, we contacted the Đặng Thanh Tùng, who responded that if we believed it was a scam, we should report it to the police and send laughing face emoji. Shortly afterward, he blocked us on Telegram.


Evidence links have collected:
https://t.me/samfwcom
https://www.buymeacoffee.com/tungtata
https://about.me/tungtata
https://t.me/tungtata
https://facebook.com/tungtata
https://github.com/tungtata
https://www.paypal.com/paypalme/DangThanhTung
Paypal: tungvn48@gmail.com
Skrill: tungvn48@gmail.com
https://www.tungtata.net/
Dang Thanh Tung
@DangThanhTung
Dong Da, HÀ NỘI
QUYNH CHI INVESTMENT AND TECHNOLOGY CO.,LTD - No. 26, Alley 89, Quan Nhan Street, Thanh Xuan Ward, Hanoi City, Vietnam
Tax Identification Number: 0110492308
https://xdaforums.com/m/tungtata.8243977/about
fb.com/ThanhTungOfficial
Whatsapp: +84.1296.935.935 and +84.967.888.448
https://www.youtube.com/@_tungtata
MiFirm, Phone Info Pro | SamFw, and Trạmsạc.app
dttung48@gmail.com
https://play.google.com/store/apps/details?id=com.samfw&hl=en_US
Birth Year: 1992
Registered to Binance


We need assistance making contact with Vietnam police officers and the cybercrime unit. Any help or introductions will be appreciated and will be rewarded.

Published at:
https://github.com/9623813/tungtata_scammer
https://96238132834.wixsite.com/samfwscam
https://www.tumblr.com/samfwtoolscam
https://github.com/tungtata/SamFw-Tool-Update/issues/1
https://github.com/chenxiaolong/BasicSync/issues/178
https://www.trustpilot.com/reviews/6a3e2e1f7bded8c96b894260


Keywords:
Tungtata scam, Tungtata fraud, Dang Thanh Tung scam, samfw scam, samfw malware, samfw trojan, samfw security risk, samfw suspicious software, Tungtata trojan virus, samfw warning, Đặng Thanh Tùng scammer, owner Đặng Thanh Tùng fraud, tungtata scam, DangThanhTung scammer, DangThanhTung fraud, DangThanhTung rat trojan

[craftyart1010]

We’re looking for a Vietnamese translator to translate this scam thread.

In addition reward, the translator should help us to contact the appropriate Vietnamese authorities to report this scam.

The scammer is Đặng Thanh Tùng (also shown as Tungtata / Đặng Thanh Tùng), based in Hanoi. He uses RAT (malicious remote access tool) by injecting his own tool to defraud victims. What he does is that he doesn’t always deploy ratted trojan tools. Instead, he shares them only in certain updates, and then removes them afterward scam. In our case, after he stole our money, he returned to the site to post an updated version of the tool and removed the virus one.

We plan to report this scam case to the relevant authorities, and we’d like additional suggestions from other users on Bitcointalk. We also need help from users in Vietnam to assist with outreach and coordination related to this scam.

Cong An (Vietnam Police) - Trình báo lừa đảo trực tuyến tới Công an.
Interpol
VNCERT/CC - Trung tâm ứng cứu khẩn cấp máy tính Việt Nam.
econsumer.gov

[albon]

What he does is that he doesn’t always deploy ratted trojan tools. Instead, he shares them only in certain updates, and then removes them afterward scam. In our case, after he stole our money, he returned to the site to post an updated version of the tool and removed the virus one.

I agree with that. In fact, if you try to open the following link now -> SamFwToolSetup_v5.4.zip, you will find that he has already removed version v5.4 from his website.

It is no longer available, and it is not even present on his Telegram channel, which has over 19K subscribers.



However, even with the SamFwToolSetup_v5.5.1.zip version, if you check VirusTotal, you will find that it is flagged as malicious by 2/57 security vendors. Among the threat categories, it is classified as a Trojan, and its popular threat label is trojan.packunwan. It is also associated with the tags detect-debug-environment, long-sleeps, and contains-pe.



I hope you can provide the TXID for the transaction in which 10,000 XMR was allegedly stolen, so that we can also verify the validity of your claim and see where those funds were sent. This is an extremely large amount of money. Before installing any software, it is important to verify that it is free of malware. Also, software like this should never be installed on a primary computer that contains wallets holding such significant amounts of funds.

[craftyart1010]

What he does is that he doesn’t always deploy ratted trojan tools. Instead, he shares them only in certain updates, and then removes them afterward scam. In our case, after he stole our money, he returned to the site to post an updated version of the tool and removed the virus one.

I agree with that. In fact, if you try to open the following link now -> SamFwToolSetup_v5.4.zip, you will find that he has already removed version v5.4 from his website.

It is no longer available, and it is not even present on his Telegram channel, which has over 19K subscribers.

https://www.talkimg.com/images/2026/06/24/U1Dvzd.png https://www.talkimg.com/images/2026/06/25/U1DJm2.png

However, even with the SamFwToolSetup_v5.5.1.zip version, if you check VirusTotal, you will find that it is flagged as malicious by 2/57 security vendors. Among the threat categories, it is classified as a Trojan, and its popular threat label is trojan.packunwan. It is also associated with the tags detect-debug-environment, long-sleeps, and contains-pe.

https://www.talkimg.com/images/2026/06/25/U1DcBG.png

I hope you can provide the TXID for the transaction in which 10,000 XMR was allegedly stolen, so that we can also verify the validity of your claim and see where those funds were sent. This is an extremely large amount of money. Before installing any software, it is important to verify that it is free of malware. Also, software like this should never be installed on a primary computer that contains wallets holding such significant amounts of funds.

Thanks so much author albon.

We are not making any false claims everything happened in front of my eyes. This scammer, TungTata, was controlling my computer, and unfortunately I couldn’t stop him. After he withdrew funds from the wallet, he deleted everything and wiped my whole computer. I couldn’t even control my mouse, and I wasn’t able to open Task Manager.

DangThanhTung scammer based in Hanoi damaged us so badly by what he did, and we’re going to go after him. Right now, I’m working with the Cyber Threat Intel team in Vietnam, and we’re contacting every relevant authority to report this case. We will not stop until this is fully investigated and the responsible person is held accountable.

I also plan to publish as much verified information as possible about this scammer to warn others not to use samfw.com or any related tools, including SamFwTool or other tools linked to his scam site.

[craftyart1010]

Cyber Threat Intel contacted confirm and briefed us on everything they’re actively working on.
Spoke with BitcoinVN and shared the scammer Đặng Thanh Tùng details, and trying connect with more Cyber Threat Intel contacts in Vietnam.
Reached people in Vietnam to discuss the details, found (1)
Seeking a translator to translate our thread into Vietnamese. 
Recruiting Vietnamese users to help post the scam in more Vietnamese websites/forums. 
Reported the scam site domain to Porkbun; Samfw.com distributing malware. 

Requesting more suggestions from users to expand impact.

[tungtata]

Hello @albon, or whoever is responsible for this forum or this section.

My name is Tung, the developer of SamFw Tool, SamFw.com, and a few other projects. It seems the person making these allegations has already listed most of them.

At first, I wasn't planning to respond. I believed the facts would speak for themselves. However, since these accusations directly affect my reputation and my projects, I would like to respond once, and only once.

First of all, I would like to state clearly and consistently:

I have never hacked anyone's computer, including the person making these accusations.

Below are my responses.

1. About SamFw Tool 5.5 and 5.5.1

Version 5.5, released the day before, simply introduced a new service called Exynos FRP Unlock. Version 5.5.1 only fixed a minor bug.

You can review the official changelog here:

https://samfw.com/blog/samfw-frp-tool-1-0-remove-samsung-frp-one-click

2. About removing older releases

I normally don't keep older installers on my server for long. This helps save storage space and encourages users to stay on the latest version.

Fortunately, I still have the original installer archived on my PC and I'm happy to provide it for verification. Its MD5 hash matches the one on VirusTotal, and the "First Submission" date is consistent with the release period of version 5.4.

https://transfer.it/t/HSRlIa9xFD7R

VirusTotal reports:

SamFwToolSetup_v5.4.zip: https://www.virustotal.com/gui/file/ede0b9c20ad6ad9d220d14c1b5ad2d46783739cb6304aa82ccd810f7d20d3d19/details

SamFwTool.exe: https://www.virustotal.com/gui/file/7bd9223fce3c81eb751d34ae8489f1c3669e31c3dbaf7520e14b04ad4dfad925

3. About antivirus detections

It is fairly common for Android servicing and unlocking tools to be flagged by some antivirus engines because they contain exploits or low-level device communication code.

You can observe similar detections with many well-known commercial tools such as Chimera, Z3X, UnlockTool, Octopus, and others.

4. About the claim that my software stole cryptocurrency

The individual contacted me claiming that my software was responsible for their financial loss.

However, they did not provide any technical evidence or information that could support or verify this claim. Instead, they immediately accused me and demanded compensation.

I will attach our conversation so everyone can judge it objectively.

https://iili.io/CAFmGHu.png
https://iili.io/CAFm1Se.png

5. About publishing my personal information

The post publicly exposes my personal information while making very serious accusations.

If these accusations cannot be supported with objective evidence, I will preserve all related materials and exercise my legal rights under the laws of my country, as well as report any violations of this forum's policies regarding privacy, defamation, or false accusations.

I also believe the forum administration should carefully review unsupported allegations of this nature.

6. Independent verification

If the person making these accusations wishes to authorize an independent individual or organization in Vietnam, and approaches this matter respectfully and professionally, I am fully willing to cooperate.

I am also willing to work with the appropriate authorities in my country if necessary.

7. Technical analysis

Anyone is welcome to unpack, reverse engineer, or analyze the original SamFw Tool 5.4 installer using any reputable security company or independent analyst.

If such an analysis proves that SamFw Tool contains wallet-stealing functionality, a keylogger, or any similar malicious component as alleged, I will personally cover the full cost of that investigation.

Finally,

SamFw currently serves over 1.2 million monthly users, with approximately 3 million active users. 4.9 stars on trustpilot base on 11670 review (https://www.trustpilot.com/review/samfw.com)

I don't know how much money the accuser claims to have lost, but I certainly have no reason to destroy the reputation that I have spent years building over something like this.

If my software actually contained wallet stealers, keyloggers, or similar malicious functionality, I believe it would have been identified long ago by security researchers or the wider community—not through a single forum post containing unverified accusations.

I will not engage in emotional arguments regarding this matter.

If there is any technical evidence to examine, I am more than willing to cooperate with the forum administrators or an independent third party to review it objectively.

Anyone directly involved—including the original reporter, the forum administrators, or an authorized third party—is welcome to contact me, provided the discussion remains respectful and professional.

Unfortunately, I'm not comfortable speaking English over the phone, so written communication is preferred.

Email: [me@samfw.com](mailto:me@samfw.com)

WhatsApp: +84 967 888 448

Telegram: https://t.me/tungtata

Vietnam: +84 967 888 448

[craftyart1010]

Hello @albon, or whoever is responsible for this forum or this section.

My name is Tung, the developer of SamFw Tool, SamFw.com, and a few other projects. It seems the person making these allegations has already listed most of them.

At first, I wasn't planning to respond. I believed the facts would speak for themselves. However, since these accusations directly affect my reputation and my projects, I would like to respond once, and only once.

First of all, I would like to state clearly and consistently:

I have never hacked anyone's computer, including the person making these accusations.

Below are my responses.

1. About SamFw Tool 5.5 and 5.5.1

Version 5.5, released the day before, simply introduced a new service called Exynos FRP Unlock. Version 5.5.1 only fixed a minor bug.

You can review the official changelog here:

https://samfw.com/blog/samfw-frp-tool-1-0-remove-samsung-frp-one-click

2. About removing older releases

I normally don't keep older installers on my server for long. This helps save storage space and encourages users to stay on the latest version.

Fortunately, I still have the original installer archived on my PC and I'm happy to provide it for verification. Its MD5 hash matches the one on VirusTotal, and the "First Submission" date is consistent with the release period of version 5.4.

https://transfer.it/t/HSRlIa9xFD7R

VirusTotal reports:

SamFwToolSetup_v5.4.zip: https[Suspicious link removed]: https://www.virustotal.com/gui/file/7bd9223fce3c81eb751d34ae8489f1c3669e31c3dbaf7520e14b04ad4dfad925

3. About antivirus detections

It is fairly common for Android servicing and unlocking tools to be flagged by some antivirus engines because they contain exploits or low-level device communication code.

You can observe similar detections with many well-known commercial tools such as Chimera, Z3X, UnlockTool, Octopus, and others.

4. About the claim that my software stole cryptocurrency

The individual contacted me claiming that my software was responsible for their financial loss.

However, they did not provide any technical evidence or information that could support or verify this claim. Instead, they immediately accused me and demanded compensation.

I will attach our conversation so everyone can judge it objectively.

https://iili.io/CAFmGHu.png
https://iili.io/CAFm1Se.png

5. About publishing my personal information

The post publicly exposes my personal information while making very serious accusations.

If these accusations cannot be supported with objective evidence, I will preserve all related materials and exercise my legal rights under the laws of my country, as well as report any violations of this forum's policies regarding privacy, defamation, or false accusations.

I also believe the forum administration should carefully review unsupported allegations of this nature.

6. Independent verification

If the person making these accusations wishes to authorize an independent individual or organization in Vietnam, and approaches this matter respectfully and professionally, I am fully willing to cooperate.

I am also willing to work with the appropriate authorities in my country if necessary.

7. Technical analysis

Anyone is welcome to unpack, reverse engineer, or analyze the original SamFw Tool 5.4 installer using any reputable security company or independent analyst.

If such an analysis proves that SamFw Tool contains wallet-stealing functionality, a keylogger, or any similar malicious component as alleged, I will personally cover the full cost of that investigation.

Finally,

SamFw currently serves over 1.2 million monthly users, with approximately 3 million active users. 4.9 stars on trustpilot base on 11670 review (https://www.trustpilot.com/review/samfw.com)

I don't know how much money the accuser claims to have lost, but I certainly have no reason to destroy the reputation that I have spent years building over something like this.

If my software actually contained wallet stealers, keyloggers, or similar malicious functionality, I believe it would have been identified long ago by security researchers or the wider community—not through a single forum post containing unverified accusations.

I will not engage in emotional arguments regarding this matter.

If there is any technical evidence to examine, I am more than willing to cooperate with the forum administrators or an independent third party to review it objectively.

Anyone directly involved—including the original reporter, the forum administrators, or an authorized third party—is welcome to contact me, provided the discussion remains respectful and professional.

Unfortunately, I'm not comfortable speaking English over the phone, so written communication is preferred.

Email: [me@samfw.com](mailto:me@samfw.com)

WhatsApp: +84 967 888 448

Telegram: https://t.me/tungtata

Vietnam: +84 967 888 448

Scammer Đặng Thanh Tùng (also shown as malware developer “Tungtata”). We’re already in contact with investigation team who works closely with Ao5 Police (Cyber Police). You’ll see what happens soon! I won’t drop this case.

You stole my money and wiped my whole computer. You know this, and this is exactly why your attempt to come here and fake claims doesn’t change anything. The truth will come out.

I didn’t know you, and this was our first time using your malware “trojan SamFWTool tool.” After I installed your tool, my entire funds were drained within a few hours. How is it that I lost access to everything on my computer just after installing your tool?

After my wallet was drained, your tool was suddenly deleted from your site. What a surprise. Luckily, I took this screenshot before you take off.

https://talkimg.com/images/2026/06/24/U1KIsD.png   You may be too busy to fix your scam tool and prove you were innocent.

Further, it was a clever move: after committing a crime, criminals often return to the scene to try to change some things.

You are a scammer, and you will be held accountable for what you did. Yes also you were waiting for a big wallet to drain for years, right?

You may think you’re very smart scammer, but this is your last attempt you’ll be exposed. This scammer used malware to steal my money, and for other users, he may listen to them, record their videos, or do other harmful things. This is very serious.

I will share your information everywhere online to show how much of a scammer you are, across the internet and throughout Vietnam. This cannot be a baseless accusation I know what you did, and I’m coming for you. You won’t be able to run away.

https://talkimg.com/images/2026/06/25/U10VHC.png

You drained my entire XMR wallet and wiped my whole computer, but you forgot one thing: it was me. I was in front of the computer and saw everything. No matter how much you talk or come here with fake nonsense, I will not let this case go.

[rat03gopoh]

I won't defend anyone here until I know the truth. I think this requires a comprehensive investigation, including the OP's device. The OP should also have an archive of the files suspected of containing malware.

Speaking of personal data disclosure, is there any information on the OP that hasn't previously been publicly available? I'm assuming it's just the tax ID, unless you've shared that somewhere. Either way, DOXes should be on the "Investigation" board.

[craftyart1010]

I won't defend anyone here until I know the truth. I think this requires a comprehensive investigation, including the OP's device. The OP should also have an archive of the files suspected of containing malware.

Speaking of personal data disclosure, is there any information on the OP that hasn't previously been publicly available? I'm assuming it's just the tax ID, unless you've shared that somewhere. Either way, DOXes should be on the "Investigation" board.

All information is publicly available, and there’s no to dox anyone. We’ll set up a dedicated domain for his scam site like (samfwscam.com - SamFWToolscam.com) to warn people worldwide to be careful and to avoid installing Trojans from a Vietnamese user.


Case continue  and we offer special thanks to the many individuals who helped us. We’ll also soon move on to create a private sub on dread to share information about this scammer. We’ll have a Vietnamese-language special report coming up soon as well.

[escrow.ms]

I won't defend anyone here until I know the truth. I think this requires a comprehensive investigation, including the OP's device. The OP should also have an archive of the files suspected of containing malware.

Speaking of personal data disclosure, is there any information on the OP that hasn't previously been publicly available? I'm assuming it's just the tax ID, unless you've shared that somewhere. Either way, DOXes should be on the "Investigation" board.

All information is publicly available, and there’s no to dox anyone. We’ll set up a dedicated domain for his scam site like (samfwscam.com - SamFWToolscam.com) to warn people worldwide to be careful and to avoid installing Trojans from a Vietnamese user.


Case continue  and we offer special thanks to the many individuals who helped us. We’ll also soon move on to create a private sub on dread to share information about this scammer. We’ll have a Vietnamese-language special report coming up soon as well.

You can download his 5.4 version from telegram, several public groups and channels keep files.

https://t.me/*** DA_Sign_B19/7311  ( WARNING: POSSIBLE MALWARE DO NOT INSTALL)

Remove ***

MD5 checksum is same of zip file.
c67c63e643106e868155b9f705f93f07

Malware scan result.

https://www.virustotal.com/gui/file/e640a65efcae264ad6f758bb3b9da0d37ed8c690bda6f113416558d4bcbbcf3a

[craftyart1010]

I won't defend anyone here until I know the truth. I think this requires a comprehensive investigation, including the OP's device. The OP should also have an archive of the files suspected of containing malware.

Speaking of personal data disclosure, is there any information on the OP that hasn't previously been publicly available? I'm assuming it's just the tax ID, unless you've shared that somewhere. Either way, DOXes should be on the "Investigation" board.

All information is publicly available, and there’s no to dox anyone. We’ll set up a dedicated domain for his scam site like (samfwscam.com - SamFWToolscam.com) to warn people worldwide to be careful and to avoid installing Trojans from a Vietnamese user.


Case continue  and we offer special thanks to the many individuals who helped us. We’ll also soon move on to create a private sub on dread to share information about this scammer. We’ll have a Vietnamese-language special report coming up soon as well.

You can download his 5.4 version from telegram, several public groups and channels keep files.

https://t.me/*** DA_Sign_B19/7311  ( WARNING: POSSIBLE MALWARE DO NOT INSTALL)

Remove ***


Malware scan result.

https://www.virustotal.com/gui/file/e640a65efcae264ad6f758bb3b9da0d37ed8c690bda6f113416558d4bcbbcf3a

Thank you author escrow.ms

could you please share the Telegram group link via pm?


To warn the whole community: please do not install SamFWTool. SamFWTool is a scam! Some people have contacted me saying they lost their social media accounts and malware was able to get into their phones all because of “samfwtool.” This is a very serious case.

This person distributing malware and Remote Access Trojan (RAT) to clients. If we investigate further, we will likely find more victims. Unfortunately, there’s no clear place to report these issues, so people are not reporting them and are trying to move on.

I use the internet for good, and I won’t allow this kind of malicious person to stay online and spread malware.

To the new people reading this: this story is not made up. I’m a victim, and I’m 100% sure he did this.