FEMITBOT Network Exploits Telegram Mini Apps for Global Crypto Scams and Malware Distribution
A sophisticated fraud network known as FEMITBOT has recently surfaced, leveraging Telegram’s Mini App feature to orchestrate extensive cryptocurrency scams and disseminate malicious Android software on a global scale. This campaign, identified in April 2026, employs counterfeit applications that mimic legitimate cryptocurrency exchanges, streaming services, financial platforms, and AI tools. Victims are lured through social media advertisements and unsolicited Telegram invitations promising effortless passive income.
Upon interacting with these deceptive bots, users encounter interfaces that closely resemble those of reputable brands. These interfaces display fabricated earnings dashboards, countdown timers, and prompts for VIP upgrades, all designed to instill a false sense of urgency. Users are then prompted to make small deposits to access their alleged winnings, a tactic that has successfully extracted real funds from unsuspecting individuals worldwide.
Analysts at CTM360 uncovered the malicious infrastructure underpinning this operation, tracing it to a unified backend platform. Despite the appearance of diversity, numerous domains associated with the campaign returned the identical API response: "Welcome to join the FEMITBOT platform." This consistent signature across over 60 active domains indicates a centralized and professionally managed operation with clear commercial objectives.
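The shared-backend finding above lends itself to a simple hunting check: fingerprint the response bodies already collected from suspect domains and group the ones that match. The following is an added example, not code from CTM360 or the original article; the sample domains, the JSON wrapper around the message, and the function names are constructed assumptions, and only the signature string comes from the page.

```python
import hashlib
import json
from collections import defaultdict

# Signature string reported on the page; everything else below is constructed.
SIGNATURE = "Welcome to join the FEMITBOT platform"

def normalize(body: bytes) -> str:
    """Canonicalize a body so cosmetic differences (key order, whitespace,
    case) do not split one backend into several clusters."""
    text = body.decode("utf-8", errors="replace").strip()
    try:
        text = json.dumps(json.loads(text), sort_keys=True, separators=(",", ":"))
    except ValueError:
        pass  # not JSON: fall back to the raw text
    return " ".join(text.split()).casefold()

def cluster_by_backend(responses: dict[str, bytes], min_size: int = 2):
    """Group domains whose normalized bodies hash identically. Returns clusters
    of at least min_size, largest first, flagged if they carry SIGNATURE."""
    groups = defaultdict(list)
    for domain, body in responses.items():
        norm = normalize(body)
        groups[hashlib.sha256(norm.encode()).hexdigest()].append((domain, norm))
    clusters = []
    for digest, members in groups.items():
        if len(members) >= min_size:
            clusters.append({
                "fingerprint": digest[:16],
                "domains": sorted(d for d, _ in members),
                "known_signature": SIGNATURE.casefold() in members[0][1],
            })
    return sorted(clusters, key=lambda c: -len(c["domains"]))

# Constructed sample: bodies as previously captured by a crawler, keyed by domain.
SAMPLE = {
    "lure-exchange.example": b'{"code": 0, "msg": "Welcome to join the FEMITBOT platform"}',
    "lure-streaming.example": b'{"msg":"Welcome to join the FEMITBOT platform","code":0}\n',
    "lure-mining.example": b'{ "code":0, "msg":"welcome to join the femitbot platform" }',
    "unrelated-shop.example": b"<html><title>Shop</title></html>",
    "other-api.example": b'{"status": "ok"}',
}

if __name__ == "__main__":
    for cluster in cluster_by_backend(SAMPLE):
        print(cluster)
```

Domains that look unrelated on the surface but fall into the same cluster are candidates for a single blocklist entry or takedown request.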
The scale of FEMITBOT’s activities is remarkable. Researchers identified more than 146 active Telegram bots, over 30 impersonated brands, and upwards of 100 tracking pixel IDs linked to Meta and TikTok advertising systems. These pixels enable the perpetrators to monitor the effectiveness of their lures, allowing for real-time refinement of their strategies. Additionally, a multi-level referral system amplifies the campaign’s reach by converting victims into inadvertent recruiters.
A particularly concerning aspect of FEMITBOT is its seamless integration into Telegram’s trusted environment. Since the fraudulent apps operate within Telegram’s own browser window, users are less likely to suspect malicious activity. The entire operation supports over 22 languages and utilizes Cloudflare’s network to obscure its true origin, underscoring its global reach and sophistication.
The FEMITBOT kit exploits Telegram Mini Apps—lightweight web applications that function within Telegram and can manage logins, payments, and interactive features. These apps are designed for convenience, and that same convenience makes them susceptible to large-scale exploitation for fraudulent purposes.
When a victim engages with one of these bots, the app discreetly collects their Telegram user ID, display name, and authentication data through a feature called initData. This information is transmitted to the attacker’s server, which automatically logs the victim in without requiring a password. The server then loads the appropriate brand theme—be it Binance, Netflix, or an AI mining platform—based on a skin configuration setting.
The fraudulent process follows a meticulously crafted escalation script. Fake earnings appear on the dashboard, timers count down to create urgency, and warnings about limited VIP slots pressure users into making deposits. Once a deposit is made, the system may display additional fake earnings to entice further investment. However, when users attempt to withdraw funds, they encounter obstacles such as additional fees or verification requirements, effectively preventing any actual payout.
In addition to financial fraud, FEMITBOT’s infrastructure is capable of distributing Android malware. By prompting users to download and install applications outside of official app stores, the network can deploy malicious software that compromises device security, steals sensitive information, or enlists devices into botnets for further malicious activities.
The emergence of FEMITBOT highlights the evolving tactics of cybercriminals who exploit trusted platforms and features to conduct large-scale fraud and malware distribution. Users are advised to exercise caution when interacting with unsolicited messages or offers, especially those promising easy financial gains. Verifying the authenticity of applications and services through official channels and being wary of requests for personal information or financial transactions can help mitigate the risk of falling victim to such sophisticated scams.