Cybersecurity researchers have exposed FEMITBOT, a fraud network exploiting Telegram Mini Apps to run crypto scams and distribute Android malware. The operation uses fake investment platforms, AI tools, streaming apps, Telegram bots and suspicious domains to lure users with false earnings claims and malicious APK downloads.

Telegram Mini Apps Exploited by FEMITBOT Network for Crypto Fraud and Android Malware

The420.in Staff

New Delhi. Cybersecurity researchers have exposed a large-scale fraud network called FEMITBOT that is allegedly exploiting Telegram Mini Apps to run cryptocurrency scams and distribute Android malware. The operation is targeting users through fake crypto exchanges, online streaming platforms, investment applications and AI-based tools, using Telegram’s interface to make fraudulent platforms appear more credible.

Fake Crypto Platforms Used to Lure Victims

According to researchers, cybercriminals are approaching victims through social media advertisements, fake promotional campaigns and unsolicited Telegram invitation links. Users are being drawn in with claims of easy passive income, AI mining, VIP investment plans and guaranteed returns.

Once a user clicks on the link, a polished interface opens inside Telegram and appears similar to legitimate cryptocurrency platforms or popular online services. Investigators found that these fraudulent applications display fake earnings dashboards, countdown timers and VIP upgrade alerts to create urgency and push users into investing quickly.

After gaining a victim’s trust, the platforms ask users to deposit small amounts of money to unlock earnings or activate withdrawals. Researchers said this is where the financial fraud begins.

Cybersecurity firm CTM360 discovered more than 60 suspicious domains, over 146 active Telegram bots and more than 30 impersonated brands linked to the operation. Researchers also found that the platforms were connected to a shared backend infrastructure.

Multiple websites reportedly returned the same API response, “Welcome to join the FEMITBOT platform,” indicating that the campaign was operating through a centralised cyber fraud ecosystem.
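An identical response across unrelated-looking sites is a signal defenders can use to correlate infrastructure. The following is an added example, not code from CTM360 or the original article: it groups already-collected response bodies by a normalized fingerprint so that domains sharing a backend fall into one cluster. The domains and bodies are constructed samples, and the function names are hypothetical.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample: domain -> body returned by its API root (not real observations).
SAMPLE_RESPONSES = {
    "invest-a.example": '{"code":200,"msg":"Welcome to join the FEMITBOT platform"}',
    "stream-b.example": '{ "msg": "Welcome to join the FEMITBOT platform", "code": 200 }',
    "aitool-c.example": "Welcome to join the FEMITBOT platform\n",
    "shop-d.example": '{"status":"ok","version":"1.4.2"}',
    "blog-e.example": "<html><body>It works!</body></html>",
}

def extract_strings(value):
    """Yield every string leaf of a parsed JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from extract_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from extract_strings(v)

def fingerprint(body):
    """Hash a response's text, ignoring JSON key order, case and whitespace."""
    try:
        # Fall back to the raw body when JSON holds no string leaves (e.g. "123").
        texts = sorted(extract_strings(json.loads(body))) or [body]
    except ValueError:
        texts = [body]  # not JSON: fingerprint the raw body
    normalized = "|".join(" ".join(t.split()).lower() for t in texts if t.strip())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

def cluster_by_response(responses, min_size=2):
    """Return sorted lists of domains whose responses share a fingerprint."""
    groups = defaultdict(list)
    for domain, body in responses.items():
        groups[fingerprint(body)].append(domain)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)

if __name__ == "__main__":
    for cluster in cluster_by_response(SAMPLE_RESPONSES):
        print("shared backend candidate:", ", ".join(cluster))
```

A cluster is a lead for further review rather than proof of common ownership, since default framework or CDN error pages also produce identical bodies.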

Experts said one of the key risks of FEMITBOT is its ability to operate inside Telegram’s trusted environment. Since the fake applications load within Telegram’s built-in browser, many users may not immediately recognise the threat. The network reportedly supports more than 22 languages and uses services such as Cloudflare to hide its real servers and operational locations.

Android Malware Threat Also Detected

The investigation found that the operation extends beyond financial fraud and also functions as an Android malware delivery system. Several fraudulent platforms encourage users to download APK files disguised as legitimate mobile applications.

Once installed, these malicious files can steal sensitive data, access banking information, monitor device activity and potentially compromise the entire smartphone.

Cybercrime expert and former IPS officer Prof. Triveni Singh said Telegram-based cyber fraud is rapidly evolving into a model of organised digital crime. He warned that unknown Telegram links, investment offers and APK downloads can expose users to serious financial and cybersecurity risks.

Researchers at the Future Crime Research Foundation also cautioned that Telegram Mini Apps, AI-generated fake profiles and deepfake technologies could make cybercrime more complex. Experts have advised users to avoid downloading applications from Telegram links, install apps only from official app stores and verify any investment platform before transferring money.
