A sophisticated fraud network known as FEMITBOT is leveraging Telegram’s Mini App feature to conduct extensive cryptocurrency scams and distribute harmful Android software globally.
This campaign, which surfaced in April 2026, utilizes counterfeit apps that mimic legitimate cryptocurrency exchanges, streaming services, financial platforms, and AI tools. Unsuspecting users are targeted through social media ads and unsolicited Telegram invitations, lured by promises of effortless passive income.
How FEMITBOT Operates
The fraudulent apps follow a well-rehearsed script. Once a user opens one of these bots, the Mini App presents an interface that closely mimics a reputable brand, with fake earnings dashboards, countdown timers, and VIP upgrade prompts designed to create urgency.
Victims are eventually prompted to make a small deposit to access alleged winnings, a tactic that has successfully swindled individuals worldwide. CTM360 analysts traced the malicious infrastructure back to a shared backend, identifying a unified platform with over 60 active domains.
Exploitation of Telegram Mini Apps
FEMITBOT’s effectiveness comes from blending into Telegram’s trusted environment. The fake apps load inside Telegram’s in-app browser rather than sending the victim to an external site, so they raise little suspicion. With support for more than 22 languages and hosting behind Cloudflare’s network, the operation is truly global.
The kit abuses Telegram Mini Apps, the lightweight web applications that Telegram opens inside the client to handle logins, payments, and interactive features. That convenience is turned into a fraud engine: when the Mini App launches, it collects user data such as the victim’s Telegram ID and sends it to the attacker’s server.
Android Malware Distribution
Beyond financial scams, FEMITBOT serves as a conduit for Android malware. Certain sites in the network carry hidden flags that, when enabled, switch the site to delivering malicious APK files disguised as legitimate apps.
The malware reaches devices through direct downloads, the in-app browser, or Progressive Web App install prompts. Each route bypasses the app store and lowers the friction of sideloading, which makes delivery seamless.
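Because the kit can hand out an APK under any filename, extension or Content-Type, a download check has to identify Android packages by content rather than by what the server claims. The following is an added example, not code from the report or from the FEMITBOT kit: it builds a constructed stand-in APK in memory (a ZIP with the entries every real APK carries), then classifies a handful of constructed responses as a plain APK, a disguised APK, or something else. The URLs, MIME types and bodies are all placeholders.

```python
import io
import zipfile

# Entries every APK carries; a ZIP without both is not an installable Android package.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}
APK_MIME = "application/vnd.android.package-archive"


def build_fake_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the defining entries and junk content.
    It is not installable and is not FEMITBOT's payload; it exists only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00placeholder")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def looks_like_apk(body: bytes) -> bool:
    """Identify an APK by content: ZIP magic plus the APK-defining entries,
    ignoring whatever filename, extension or Content-Type it was served with."""
    if not body.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return APK_MARKERS <= names


def classify_download(url: str, content_type: str, body: bytes) -> str:
    """'disguised-apk' when the body is an APK but neither the URL nor the MIME type says so."""
    is_apk = looks_like_apk(body)
    declared = (content_type.split(";")[0].strip().lower() == APK_MIME
                or url.lower().endswith(".apk"))
    if is_apk and not declared:
        return "disguised-apk"
    return "apk" if is_apk else "not-apk"


def build_samples():
    """Constructed responses (url, content_type, body); none are real FEMITBOT artifacts."""
    apk = build_fake_apk()
    plain_zip = io.BytesIO()
    with zipfile.ZipFile(plain_zip, "w") as zf:
        zf.writestr("readme.txt", "not an app")
    return [
        ("https://cdn.example.invalid/wallet-update", "application/octet-stream", apk),
        ("https://cdn.example.invalid/wallet.apk", APK_MIME, apk),
        ("https://cdn.example.invalid/index.html", "text/html", b"<html><body>dashboard</body></html>"),
        ("https://cdn.example.invalid/docs.zip", "application/zip", plain_zip.getvalue()),
    ]


def scan_samples():
    """Map each constructed sample URL to its verdict."""
    return {url: classify_download(url, ctype, body) for url, ctype, body in build_samples()}


if __name__ == "__main__":
    for url, verdict in scan_samples().items():
        print(f"{verdict:14s} {url}")
```

The check deliberately ignores the served filename and MIME type for the verdict itself and only uses them to decide whether the APK was declared honestly; a real proxy or sandbox would additionally want to parse the manifest for the package name and signer, which this example does not attempt.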
To safeguard against these threats, users should avoid apps linked through Telegram that request deposits or promise guaranteed returns. Security teams are urged to block known FEMITBOT domains and monitor for suspicious traffic.
Indicators of Compromise (IoCs) have been documented, including specific domains and Telegram bots associated with phishing activities. These indicators should be handled carefully within controlled threat intelligence platforms.
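Blocking the documented domains is straightforward; the part teams often get wrong is matching subdomains without over-matching, and catching the Telegram bot handles, which appear in t.me links and tg:// deep links rather than as hostnames. The following is an added example, not code from the report: it runs constructed proxy-log lines through a matcher that handles both indicator types. The domains, bot names, IPs and log format are placeholders; load the actual CTM360 indicators into the two sets to use it.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Placeholder indicators (constructed). The real FEMITBOT domains and bot names
# are in CTM360's indicator list; load that into these sets instead.
IOC_DOMAINS = {"femit-example.invalid", "fake-exchange-example.invalid"}
IOC_BOTS = {"example_scam_bot"}  # Telegram bot usernames, compared case-insensitively

TELEGRAM_LINK_HOSTS = {"t.me", "telegram.me", "telegram.dog"}

# Constructed proxy-log shape: "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def match_domain(host: str) -> Optional[str]:
    """Return the IoC domain that host equals or is a subdomain of.
    Requires a dot boundary so 'notfemit-example.invalid' does not match 'femit-example.invalid'."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def bot_from_url(url: str) -> Optional[str]:
    """Pull a bot username out of https://t.me/<bot>... or tg://resolve?domain=<bot> links."""
    parts = urlsplit(url)
    if parts.scheme == "tg" and parts.netloc == "resolve":
        value = parse_qs(parts.query).get("domain", [""])[0]
        return value.lower() or None
    if parts.hostname in TELEGRAM_LINK_HOSTS:
        first = parts.path.strip("/").split("/")[0]
        return first.lower() or None
    return None


def scan_log(lines):
    """Return one hit per log line whose URL touches an IoC domain or an IoC bot."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected shape
        url = m["url"]
        host = urlsplit(url).hostname or ""
        domain = match_domain(host)
        if domain:
            hits.append({"src": m["src"], "reason": "ioc-domain", "match": domain, "url": url})
            continue
        bot = bot_from_url(url)
        if bot in IOC_BOTS:
            hits.append({"src": m["src"], "reason": "ioc-bot", "match": bot, "url": url})
    return hits


# Constructed log lines; the IPs, hosts and bot names are placeholders, not observed traffic.
SAMPLE_LOG = [
    "2026-04-10T12:00:01Z 10.0.0.5 GET https://app.femit-example.invalid/dashboard",
    "2026-04-10T12:00:02Z 10.0.0.5 GET https://t.me/example_scam_bot?start=ref123",
    "2026-04-10T12:00:03Z 10.0.0.9 GET https://t.me/legit_channel",
    "2026-04-10T12:00:04Z 10.0.0.9 GET tg://resolve?domain=Example_Scam_Bot",
    "2026-04-10T12:00:05Z 10.0.0.7 GET https://notfemit-example.invalid/",
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The bot-handle path matters because the domain list alone never fires on a victim clicking an invitation link: the traffic goes to t.me, which cannot be blocked outright, so the handle in the path is the only distinguishing indicator.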
