FEMITBOT Network Leverages Telegram Mini Apps for Crypto Fraud, Android Malware
Key Takeaways A sophisticated network, dubbed FEMITBOT, is leveraging Telegram Mini Apps for global cryptocurrency fraud and Android malware distribution. The operation mimics legitimate crypto...
Key Takeaways
- A sophisticated network, dubbed FEMITBOT, is leveraging Telegram Mini Apps for global cryptocurrency fraud and Android malware distribution.
- The operation mimics legitimate crypto exchanges, streaming services, and financial platforms, luring victims with promises of passive income.
- FEMITBOT seamlessly integrates fake apps within Telegram’s native browser, making scams difficult for users to identify.
- The network employs social media advertising, unsolicited Telegram invites, and a multi-level referral system to expand its reach.
- Beyond financial scams, FEMITBOT infrastructure also serves malicious Android APK files, disguised as legitimate applications.
A highly organized and extensive fraud network, identified as FEMITBOT, has emerged, exploiting Telegram’s Mini App functionality to conduct widespread cryptocurrency scams and disseminate Android malware globally. This operation, first detected in April 2026, targets users by presenting fake applications designed to impersonate legitimate cryptocurrency exchanges, popular streaming services, financial platforms, and AI tools. Victims are typically enticed through deceptive social media advertisements and unsolicited Telegram invitations promising effortless passive income, as detailed in a recent report.
Table Of Content
The fraudulent applications engage users with a meticulously crafted deceptive sequence. Upon interacting with one of these malicious bots, users encounter a polished interface that closely resembles well-known brands. The illusion is further reinforced by fake earnings dashboards, countdown timers, and prompts for VIP upgrades, all designed to create a false sense of urgency and legitimacy. Subsequently, victims are prompted to make a small initial deposit to supposedly unlock their accumulated winnings, a tactic that has successfully siphoned real funds from unsuspecting users worldwide.
CTM360 analysts were able to pinpoint the malicious infrastructure, tracing it to a unified backend platform. A critical finding was the consistent API response, “Welcome to join the FEMITBOT platform,” across dozens of seemingly unrelated domains. This shared digital fingerprint, observed across more than 60 active domains, confirmed that all campaigns were powered by a single, professional-grade kit, indicating a well-resourced operation with clear commercial objectives.
The sheer scale of the FEMITBOT network is noteworthy. Researchers uncovered over 146 active Telegram bots, more than 30 impersonated brands, and over 100 tracking pixel IDs linked to Meta and TikTok advertising systems. These tracking pixels were strategically deployed by the threat actors to analyze the effectiveness of various lures, enabling them to refine their tactics in real-time. Furthermore, a multi-level referral system actively engaged victims, turning them into unwitting participants in the network’s expansion.
How FEMITBOT Exploits Telegram Mini Apps
FEMITBOT’s effectiveness stems from its seamless integration within Telegram’s ecosystem. The fake applications operate within Telegram’s native browser window, diminishing user suspicion. The entire kit is designed for global reach, supporting over 22 languages and utilizing Cloudflare’s network to obscure its true origin. The FEMITBOT toolkit primarily leverages the legitimate functionality of Telegram Mini Apps, which are lightweight web applications capable of handling logins, payments, and interactive features directly within the Telegram interface. While convenient by design, this very convenience has been weaponized for large-scale fraud.
When a victim interacts with one of these malicious bots, the Mini App covertly collects their Telegram user ID, display name, and authentication data via the initData feature. This information is then transmitted to the attacker’s server, which automatically logs the victim in without requiring a password. The server dynamically loads the appropriate brand theme—whether it mimics Binance, Netflix, or an AI mining platform—based on a predefined skin configuration setting. The fraudulent scheme then unfolds through a progressive script: fabricated earnings appear on the dashboard, countdown timers instill urgency, and warnings about limited VIP slots pressure the user. Ultimately, the victim is prompted to make a deposit to “unlock” their supposed withdrawals, at which point real funds are stolen.
Android Malware Distribution Tactics
Beyond its financial fraud operations, FEMITBOT also functions as a sophisticated delivery mechanism for Android malware. Specific sites within the network contain a dormant feature flag that, when activated, directly serves malicious Android Package Kit (APK) files to visitors. These files are deceptively named to resemble legitimate applications, making initial detection difficult for users. The malware is delivered through several methods: a direct file download initiated by a button, an in-app browser experience designed to appear trustworthy, or a Progressive Web App (PWA) prompt encouraging users to add the page to their home screen. Each delivery method is engineered to minimize friction and ensure the malicious software is installed on the device as smoothly as possible.
What You Should Do
- Exercise Extreme Caution: Be highly suspicious of any app or service promoted through Telegram links, especially those promising guaranteed returns or requiring upfront deposits for “winnings.”
- Verify App Sources: Only download and install applications from official and trusted app stores (e.g., Google Play Store, Apple App Store). Avoid installing APK files or apps from direct links or unverified sources.
- Review Permissions: Before installing any application, carefully review the permissions it requests. Be wary of apps asking for excessive or unusual permissions that are not relevant to their stated function.
- Enable Two-Factor Authentication (2FA): Implement 2FA on your Telegram account and any cryptocurrency platforms to add an extra layer of security.
- Educate Yourself: Stay informed about common phishing and scam tactics. If an offer seems too good to be true, it likely is.
- For Organizations: Block known FEMITBOT-linked domains and monitor outbound network traffic for any connections to the identified malicious infrastructure.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | zerocap[.]vip | FEMITBOT phishing domain impersonating crypto platform |
| Domain | spiderpool[.]app | FEMITBOT phishing domain linked to crypto fraud |
| Domain | btcaimining[.]xyz | FEMITBOT phishing domain for fake BTC mining pool |
| Domain | btcpoolok[.]cloud | FEMITBOT phishing domain for fake BTC mining pool |
| Domain | cineotv[.]one | FEMITBOT phishing domain impersonating BBC streaming |
| Telegram Bot | @Zerocap01_bot | Telegram bot tied to zerocap[.]vip phishing domain |
| Telegram Bot | @SpiderPool01_bot | Telegram bot tied to spiderpool[.]app phishing domain |
| Telegram Bot | @AiSuperBtc | Telegram bot tied to btcaimining[.]xyz phishing domain |
| Telegram Bot | @AiSuperBtcVIP01 | Telegram bot tied to btcpoolok[.]cloud phishing domain |
| Telegram Bot | @BBC_Serve | Telegram bot tied to cineotv[.]one phishing domain |
| URL | /api/public/init | Unauthenticated FEMITBOT API endpoint exposing full config including malware URLs |
| URL | /api/public/telegramLogin | FEMITBOT authentication endpoint used for session hijacking via initData |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.