FEMITBOT Network Pushes Crypto Fraud via Telegram Uses Mini
A sophisticated and highly organized fraud network, dubbed FEMITBOT, has emerged, actively exploiting Telegram’s Mini App feature to orchestrate extensive cryptocurrency scams and distribute malicious Android software globally. This new operation targets users worldwide, as detailed in a recent
The fraudulent apps follow a carefully scripted trap. Once a user taps on one of these bots, they are greeted with a polished interface that mirrors well-known brands. Fake earnings dashboards, countdown timers, and VIP upgrade prompts create a false sense of urgency.
Victims are then asked to make a small deposit to unlock their supposed winnings, a trick that has been used to steal real money from users around the globe.
Analysts at CTM360 identified the malicious infrastructure and traced it back to a shared backend platform. Across dozens of unrelated-looking domains, every site returned the same API response: “Welcome to join the FEMITBOT platform.”
This consistent fingerprint across more than 60 active domains confirmed that all the campaigns were running on one unified kit, pointing to a professional-grade operation with a clear commercial motive.
The scale of the network is striking. Researchers found over 146 active Telegram bots, more than 30 impersonated brands, and upward of 100 tracking pixel IDs tied to Meta and TikTok advertising systems.
Threat actors used these pixels to measure which lures performed best, allowing them to sharpen their tactics in real time. A multi-level referral system further extended the reach by turning victims into unwitting recruiters.

What makes FEMITBOT particularly dangerous is how seamlessly it blends into Telegram’s trusted environment. Because the fake apps load inside Telegram’s own browser window, users have little reason to suspect anything is wrong. The entire kit supports more than 22 languages and uses Cloudflare’s network to hide its true origin, making it a genuinely global operation.
How FEMITBOT Exploits Telegram Mini Apps
The FEMITBOT kit is built around the abuse of Telegram Mini Apps, lightweight web applications that run inside Telegram and can handle logins, payments, and interactive features. These apps are convenient by design, but that same convenience makes them easy to weaponize for fraud at scale.
When a victim opens one of these bots, the app silently collects their Telegram user ID, display name, and authentication data through a feature called initData. This is sent to the attacker’s server, which logs the victim in automatically without a password.
The server then loads the correct brand theme, whether it resembles Binance, Netflix, or an AI mining platform, based on a skin configuration setting.
The fraud then follows a step-by-step escalation script. Fake earnings appear on the dashboard, timers count down to create urgency, and limited VIP slot warnings build pressure. Eventually, the user is asked for a deposit to unlock withdrawals, and that is the moment real money is lost.
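The initData mechanism described above is the same one any legitimate Mini App backend uses; the difference is what the server does with it. The added example below (written for this article, not code from the FEMITBOT kit or from CTM360) shows how a defender's backend should treat initData: verify Telegram's HMAC-SHA256 signature with a key derived from the bot token, compare in constant time, and reject strings older than a short window so a captured initData cannot simply be replayed to log someone in. The bot token and the user fields are constructed placeholders; the hash derivation follows Telegram's published validation scheme.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder, not a real bot token.
BOT_TOKEN = "123456789:EXAMPLE_BOT_TOKEN_PLACEHOLDER"
MAX_AGE_SECONDS = 300  # accept initData for five minutes after Telegram issued it


def secret_key(bot_token: str) -> bytes:
    # Telegram's documented derivation: HMAC-SHA256 over the bot token,
    # keyed with the literal string "WebAppData".
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()


def compute_hash(fields: dict, bot_token: str) -> str:
    # data_check_string: every field except 'hash', as key=value,
    # sorted by key and joined with newlines.
    check_string = "\n".join(
        f"{key}={fields[key]}" for key in sorted(fields) if key != "hash"
    )
    return hmac.new(secret_key(bot_token), check_string.encode(), hashlib.sha256).hexdigest()


def validate_init_data(init_data: str, bot_token: str, now=None):
    """Return (accepted, reason) for a raw initData query string."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    if "hash" not in fields or "auth_date" not in fields:
        return False, "missing hash or auth_date"
    expected = compute_hash(fields, bot_token)
    # Constant-time comparison: proves the string came from Telegram for this bot.
    if not hmac.compare_digest(expected, fields["hash"]):
        return False, "hash mismatch"
    # A valid hash can still be replayed, so bound its age tightly.
    try:
        age = (time.time() if now is None else now) - int(fields["auth_date"])
    except ValueError:
        return False, "auth_date is not an integer"
    if age < 0 or age > MAX_AGE_SECONDS:
        return False, "auth_date outside acceptance window"
    return True, "ok"


def sign_init_data(fields: dict, bot_token: str) -> str:
    # Builds a constructed sample the way Telegram would; used here only
    # so the validator can be exercised offline.
    signed = dict(fields)
    signed["hash"] = compute_hash(signed, bot_token)
    return urlencode(signed)


SAMPLE_FIELDS = {  # constructed values, not a real Telegram user
    "auth_date": "1700000000",
    "query_id": "AAExampleQueryId",
    "user": '{"id":42,"first_name":"Alice"}',
}


if __name__ == "__main__":
    fresh = sign_init_data(SAMPLE_FIELDS, BOT_TOKEN)
    print(validate_init_data(fresh, BOT_TOKEN, now=1700000100))  # accepted
    print(validate_init_data(fresh, BOT_TOKEN, now=1700001000))  # stale, rejected
    print(validate_init_data(fresh.replace("Alice", "Mallory"), BOT_TOKEN, now=1700000100))
```

The signature check only establishes that Telegram produced the string for this bot; it says nothing about who is presenting it. That is why the age window matters, and why a backend should still issue its own short-lived session rather than treating initData itself as a password replacement.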
Android Malware Distribution Tactics
Beyond financial fraud, FEMITBOT also functions as a delivery system for Android malware. Certain sites in the network include a hidden feature flag that, when switched on, serves malicious APK files directly to visitors. These files are named to resemble real apps, making them hard to spot as threats at first glance.

Delivery comes in three forms: a direct file download triggered by a button, an in-app browser experience that feels more trusted, or a Progressive Web App prompt asking users to add the page to their home screen.
Each method reduces friction so the malicious software reaches the device as smoothly as possible.
Users should avoid installing any app that arrives through a Telegram link, especially if it requests a deposit or promises guaranteed returns.
Apps should only come from official stores, and anything requesting unusual permissions should be removed right away. Security teams are advised to block the known FEMITBOT-linked domains and monitor outbound traffic for connections to this infrastructure.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | zerocap[.]vip | FEMITBOT phishing domain impersonating crypto platform |
| Domain | spiderpool[.]app | FEMITBOT phishing domain linked to crypto fraud |
| Domain | btcaimining[.]xyz | FEMITBOT phishing domain for fake BTC mining pool |
| Domain | btcpoolok[.]cloud | FEMITBOT phishing domain for fake BTC mining pool |
| Domain | cineotv[.]one | FEMITBOT phishing domain impersonating BBC streaming |
| Telegram Bot | @Zerocap01_bot | Telegram bot tied to zerocap[.]vip phishing domain |
| Telegram Bot | @SpiderPool01_bot | Telegram bot tied to spiderpool[.]app phishing domain |
| Telegram Bot | @AiSuperBtc | Telegram bot tied to btcaimining[.]xyz phishing domain |
| Telegram Bot | @AiSuperBtcVIP01 | Telegram bot tied to btcpoolok[.]cloud phishing domain |
| Telegram Bot | @BBC_Serve | Telegram bot tied to cineotv[.]one phishing domain |
| URL | /api/public/init | Unauthenticated FEMITBOT API endpoint exposing full config including malware URLs |
| URL | /api/public/telegramLogin | FEMITBOT authentication endpoint used for session hijacking via initData |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
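To act on the advice above (block the listed domains, watch outbound traffic for this infrastructure), the following added example, written for this article rather than taken from any vendor tool, runs the IoC table against a constructed proxy log. It keeps the indicators defanged as published and re-fangs them only in memory for matching, flags any host that equals or sits under a listed domain, and separately flags the two kit endpoint paths on hosts not yet in the list, since the article notes the same backend answers across dozens of domains. The log format and all hosts other than the listed IoCs are assumptions made for the sample.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the article's IoC table, kept defanged as published.
FEMITBOT_DOMAINS_DEFANGED = [
    "zerocap[.]vip",
    "spiderpool[.]app",
    "btcaimining[.]xyz",
    "btcpoolok[.]cloud",
    "cineotv[.]one",
]
# Backend paths from the IoC table; they identify the shared kit regardless of host.
FEMITBOT_PATHS = ["/api/public/init", "/api/public/telegramLogin"]

# Constructed sample proxy log, not real traffic. Assumed format:
# timestamp client_ip method url status
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 GET https://intranet.example/health 200
2024-05-01T10:00:03Z 10.0.0.8 POST https://zerocap.vip/api/public/telegramLogin 200
2024-05-01T10:00:07Z 10.0.0.9 GET https://cdn.spiderpool.app/api/public/init 200
2024-05-01T10:00:09Z 10.0.0.5 GET https://notcineotv.one/ 200
2024-05-01T10:00:12Z 10.0.0.7 GET https://unlisted-host.example/api/public/init 200
2024-05-01T10:00:15Z 10.0.0.5 GET https://intranet.example/api/public/initialize 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def refang(indicator: str) -> str:
    # Done only in memory for matching; the published list stays defanged.
    return indicator.replace("[.]", ".").lower()


def classify_url(url: str, domains, paths):
    """Return (severity, reason) or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host or any subdomain of a listed domain; 'notcineotv.one' must not match.
    if any(host == d or host.endswith("." + d) for d in domains):
        return "high", "known FEMITBOT domain"
    # Kit endpoints on a host not yet listed: lower confidence, but worth triage.
    if parts.path.rstrip("/") in paths:
        return "medium", "FEMITBOT API path on unlisted host"
    return None


def scan_log_lines(text: str):
    domains = [refang(d) for d in FEMITBOT_DOMAINS_DEFANGED]
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparsable line; a production job would count these
        verdict = classify_url(match["url"], domains, FEMITBOT_PATHS)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({
            "ts": match["ts"],
            "src": match["src"],
            "host": urlsplit(match["url"]).hostname,
            "severity": severity,
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log_lines(SAMPLE_LOG):
        print(alert)
```

The exact-path match deliberately ignores near-misses such as /api/public/initialize, and the suffix match is anchored on a dot so that a look-alike registered domain does not fire on the listed one. Feed real proxy or DNS exports through the same `scan_log_lines` function after adapting `LOG_RE` to the local format.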
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.