FEMITBOT Network Abuses Telegram for Crypto Scams

FEMITBOT Network Abuses Telegram for Crypto Scams

Posted on By CWS

A sophisticated fraud network known as FEMITBOT is leveraging Telegram’s Mini App feature to conduct extensive cryptocurrency scams and distribute harmful Android software globally.

This campaign, which surfaced in April 2026, utilizes counterfeit apps that mimic legitimate cryptocurrency exchanges, streaming services, financial platforms, and AI tools. Unsuspecting users are targeted through social media ads and unsolicited Telegram invitations, lured by promises of effortless passive income.

How FEMITBOT Operates

The fraudulent apps employ a well-crafted scheme. Once users interact with these bots, they encounter interfaces that closely resemble those of reputable brands. Features like fake earnings dashboards, countdown timers, and VIP upgrade prompts are used to create urgency.

Victims are eventually prompted to make a small deposit to access alleged winnings, a tactic that has successfully swindled individuals worldwide. CTM360 analysts traced the malicious infrastructure back to a shared backend, identifying a unified platform with over 60 active domains.

Exploitation of Telegram Mini Apps

FEMITBOT’s effectiveness lies in its seamless integration into Telegram’s trusted environment. Fake apps load within Telegram’s browser, raising little suspicion. Supporting over 22 languages and using Cloudflare’s network, the operation is truly global.

The FEMITBOT kit exploits Telegram Mini Apps, lightweight web applications that handle logins, payments, and interactive features. This convenience becomes a tool for large-scale fraud, with the app collecting user data like Telegram IDs and sending it to the attacker’s server.

Android Malware Distribution

Beyond financial scams, FEMITBOT serves as a conduit for Android malware. Certain network sites contain hidden flags that, when activated, deliver malicious APK files masked as legitimate apps.

The software reaches devices via direct downloads, in-app browser experiences, or Progressive Web App prompts. These methods reduce barriers, making the malware delivery seamless.

To safeguard against these threats, users should avoid apps linked through Telegram that request deposits or promise guaranteed returns. Security teams are urged to block known FEMITBOT domains and monitor for suspicious traffic.

Indicators of Compromise (IoCs) have been documented, including specific domains and Telegram bots associated with phishing activities. These indicators should be handled carefully within controlled threat intelligence platforms.

Cyber Security News Tags:, , , , , , , , , , , , , ,

Related Posts

New Magecart Skimmer Attack With Malicious JavaScript Injection to Skim Payment Data New Magecart Skimmer Attack With Malicious JavaScript Injection to Skim Payment Data Cyber Security News
Critical ScreenConnect Flaw Puts Remote Sessions at Risk Critical ScreenConnect Flaw Puts Remote Sessions at Risk Cyber Security News
Iranian Cyber Threats Escalate Amid Middle East Tensions Iranian Cyber Threats Escalate Amid Middle East Tensions Cyber Security News
Cloudflare Unveils MCP Server Portals to Secure AI Revolution Cloudflare Unveils MCP Server Portals to Secure AI Revolution Cyber Security News
Hackers are Leveraging SEO Poisoning to Attack Users Looking for Legitimate Tools Hackers are Leveraging SEO Poisoning to Attack Users Looking for Legitimate Tools Cyber Security News
Microsoft Confirms Laying Off 9,000 Employees, Impacting 4% of its Workforce Microsoft Confirms Laying Off 9,000 Employees, Impacting 4% of its Workforce Cyber Security News