FEMITBOT relies on Telegram bots and Mini Apps that open phishing pages inside Telegram’s built-in browser, making scam dashboards appear native to the platform. Users who tap a bot command or launch button are taken to polished interfaces showing fabricated account balances, mining income, VIP rewards or limited-time offers. The deception is designed to reduce suspicion by keeping victims within Telegram rather than sending them immediately to an external website.
The campaign has been built around a modular, template-driven system that allows operators to change brands, domains, languages and themes without rebuilding the core infrastructure. More than 60 domains, over 140 Telegram bots and at least 15 Mini App skins have been tied to the same backend, with a common API response referencing the FEMITBOT platform. That shared architecture gives the network the scale of a commercial marketing operation rather than a one-off phishing campaign.
The lures span fake cryptocurrency platforms, financial services, AI tools and streaming sites. Fraudsters have impersonated brands associated with technology, entertainment, payments and digital assets, including Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, BBC, Netflix, Binance, Bitget and OKX. These names are used to confer instant credibility, even when the underlying domains and app flows are controlled by attackers.
Victims are typically drawn in through social media advertisements, Telegram invitations and promotional messages promising passive income, cloud mining, free streaming access or AI compute deals. Once inside the Mini App, they are shown fake dashboards with rising balances and countdown timers. When they try to withdraw supposed earnings, the platform demands an activation deposit, extra payment or referral activity, turning the promise of profit into an advance-fee fraud.
FEMITBOT also uses mainstream tracking tools to monitor user actions and refine campaigns. Scam pages have been observed firing events linked to page views, registrations, deposits and repeat purchases through Meta and TikTok tracking pixels. That allows operators to measure which ads, messages and interface designs produce the highest conversion rates, mirroring the optimisation techniques used by legitimate digital businesses.
The malware risk is concentrated on Android users. Some Mini Apps prompt users to download APK files, open links inside Telegram’s browser or install progressive web apps that imitate legitimate services. The APK names are crafted to resemble known applications or look harmless enough to avoid immediate suspicion. Hosting the files on the same domains as the scam APIs also helps avoid browser warnings that might otherwise expose the deception.
Telegram Mini Apps are legitimate web applications that can be launched directly inside Telegram and support features such as seamless authorisation, payments through third-party providers, push notifications, file downloads and home-screen shortcuts. Their convenience is central to their appeal, but the same frictionless design can be exploited when users treat every in-app interaction as safe.
The case highlights a wider shift in online fraud. Criminal groups are increasingly building scalable fraud systems with reusable templates, analytics, localisation and brand rotation. Instead of relying only on crude phishing pages, they create app-like environments that imitate the look and behaviour of trusted platforms. Messaging apps, social networks and digital advertising channels become part of the same funnel, from first contact to payment demand.
For users, the main warning sign is any Telegram bot or Mini App that promises unusually high earnings, asks for an upfront deposit, pushes urgency through timers, or requires an APK installation outside an official app store. Cryptocurrency platforms, investment schemes and streaming offers promoted through unsolicited Telegram channels require particular caution. Android users should avoid sideloading apps from Telegram links unless the developer and distribution path can be independently verified.
For companies whose brands are being impersonated, FEMITBOT underlines the need for continuous monitoring of Telegram bots, Mini App links, clone domains and social media advertisements. Takedown requests alone may not be enough where the same backend can relaunch campaigns under new names. Security teams will need to track infrastructure patterns, API responses, certificate reuse, traffic flows and advertising pixels to disrupt the ecosystem rather than isolated domains.
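One practical way to do the infrastructure-level tracking described above, and to turn the tracking-pixel observation from earlier in the piece into a pivot, is to extract the identifiers that stay constant across skins (Meta and TikTok pixel IDs, the backend marker naming the platform) and cluster domains that share them. The script below is an added illustration written for this page, not tooling from the researchers or from any vendor. The page snapshots, domain names, pixel IDs and the `platform` JSON field are all constructed for the example; the report only says the API response references FEMITBOT, so the exact field is an assumption. The `fbq('init', ...)`, `fbq('track', ...)`, `ttq.load(...)` and `ttq.track(...)` calls are the standard shapes of the real Meta and TikTok pixel snippets.

```python
"""Cluster suspected scam domains by shared pixel IDs and backend markers.

Added example for this article. All inputs below are constructed: the
domains, pixel IDs and the "platform" JSON field are assumptions, not
observed FEMITBOT artefacts.
"""
import json
import re
from collections import defaultdict

# Constructed snapshots: (domain, page HTML, JSON body returned by the page's API)
SNAPSHOTS = [
    ("moonpay-vip.example", """
<script>
  fbq('init', '10001');
  fbq('track', 'PageView');
  fbq('track', 'CompleteRegistration');
  ttq.load('C1AAA');
  ttq.track('Deposit');
</script>""", '{"status":"ok","platform":"FEMITBOT","skin":"moonpay"}'),
    ("nvidia-cloud-mine.example", """
<script>
  fbq('init', '10001');
  fbq('track', 'PageView');
  fbq('track', 'Purchase');
</script>""", '{"status":"ok","platform":"FEMITBOT","skin":"nvidia"}'),
    ("netflix-free-stream.example", """
<script>
  ttq.load('C1AAA');
  ttq.track('ViewContent');
</script>""", '{"status":"ok","platform":"other"}'),
    ("unrelated-shop.example", """
<script>
  fbq('init', '99999');
  fbq('track', 'PageView');
</script>""", '{"status":"ok","platform":"shopsoft"}'),
]

# Real snippet shapes for the two ad networks; IDs captured as group 1.
FB_INIT = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
FB_TRACK = re.compile(r"""fbq\(\s*['"]track['"]\s*,\s*['"]([A-Za-z]+)['"]""")
TT_LOAD = re.compile(r"""ttq\.load\(\s*['"]([A-Z0-9]+)['"]""")
TT_TRACK = re.compile(r"""ttq\.track\(\s*['"]([A-Za-z]+)['"]""")


def extract_indicators(html, api_json_text):
    """Return (pivots, events).

    pivots: identifiers that stay constant across rebrands (pixel IDs,
            backend platform marker) and so link domains to one operator.
    events: funnel steps the page reports to the ad networks.
    """
    pivots = set()
    for pid in FB_INIT.findall(html):
        pivots.add(("meta_pixel", pid))
    for pid in TT_LOAD.findall(html):
        pivots.add(("tiktok_pixel", pid))
    try:
        body = json.loads(api_json_text)
    except json.JSONDecodeError:
        body = {}
    platform = body.get("platform")  # assumed field name, see lead-in
    if isinstance(platform, str):
        pivots.add(("backend_platform", platform.upper()))
    events = sorted(set(FB_TRACK.findall(html)) | set(TT_TRACK.findall(html)))
    return pivots, events


def shared_indicators(snapshots):
    """Map each pivot seen on more than one domain to the domains using it."""
    owners = defaultdict(set)
    for domain, html, api in snapshots:
        pivots, _ = extract_indicators(html, api)
        for p in pivots:
            owners[p].add(domain)
    return {p: sorted(d) for p, d in owners.items() if len(d) > 1}


def cluster_domains(snapshots):
    """Union-find over domains: two domains land in one cluster when they
    share at least one pivot, transitively (A~B via pixel, B~C via backend)."""
    parent = {domain: domain for domain, _, _ in snapshots}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in shared_indicators(snapshots).values():
        for d in domains[1:]:
            ra, rb = find(domains[0]), find(d)
            if ra != rb:
                parent[rb] = ra
    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


if __name__ == "__main__":
    for indicator, domains in shared_indicators(SNAPSHOTS).items():
        print(indicator, "->", ", ".join(domains))
    for cluster in cluster_domains(SNAPSHOTS):
        print("cluster:", cluster)
```

On the constructed input the three brand skins collapse into one cluster (the MoonPay and NVIDIA pages share a Meta pixel and the backend marker, the Netflix page joins through the TikTok pixel) while the unrelated shop stays alone. A shared pixel ID on its own is a lead rather than proof, since one marketing team can legitimately reuse a pixel across several properties; in practice a brand-protection team should require a second independent pivot (backend marker, certificate reuse, APK hosting) before treating two domains as one campaign.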