FEMITBOT network abuses Telegram Mini Apps for crypto scams and Android malware
A fraud network called FEMITBOT is abusing Telegram Mini Apps to run cryptocurrency scams, impersonate major brands, and push Android malware. CTM360 says the operation uses Telegram bots and embedded web apps to make fake investment, streaming, AI, and financial platforms look more trustworthy.
The scam begins when a user opens a Telegram bot and taps Start. The bot launches a Mini App inside Telegram’s built-in browser, where the victim sees a polished dashboard with fake balances, fake earnings, countdown timers, and deposit prompts.
The goal is simple: convince users that they have earned money and then make them pay a deposit before they can withdraw it. Some FEMITBOT-linked sites also deliver Android APK files or progressive web apps that imitate real services.
Why FEMITBOT is dangerous
Telegram Mini Apps are legitimate web applications that run inside Telegram. Telegram’s own documentation says they can support authorization, payments, interactive features, and direct launch options from bots.
FEMITBOT abuses that convenience. Because the fake platform opens inside Telegram, users may treat it like a trusted in-app experience rather than a suspicious website.
That trust gap makes the campaign effective. The fraud pages look like apps, use familiar branding, and move victims through a scripted flow that ends with a payment request or malware download.
At a glance
| Detail | What researchers found |
|---|---|
| Campaign name | FEMITBOT |
| Main platform abused | Telegram Mini Apps |
| Primary scams | Fake crypto, financial, AI, and streaming platforms |
| Reported scale | More than 146 Telegram bots and over 60 active domains |
| Impersonated brands | More than 30 brands across technology, entertainment, finance, and crypto |
| Tracking infrastructure | More than 100 Meta and TikTok tracking pixel IDs |
| Malware path | Android APK downloads and progressive web app prompts |
How the Telegram Mini App trap works
The victim usually arrives through a social media ad, referral link, or unsolicited Telegram invite. The message promises passive income, crypto rewards, AI mining, streaming benefits, or a limited-time bonus.
After the user opens the bot, the Mini App collects Telegram-related details and loads the correct brand theme. CTM360 found that the same backend could switch between different fake brands, languages, and skins.

The fake dashboard then shows invented earnings or account balances. When the user tries to withdraw money, the app asks for a deposit, VIP upgrade, tax payment, or referral task.
A shared backend ties the campaigns together
CTM360 linked the operation through repeated infrastructure behavior. Across many unrelated-looking domains, researchers found the same API response: “Welcome to join the FEMITBOT platform.”
That shared fingerprint showed that the campaigns were not isolated scams. They were powered by a common fraud kit that could be reused across brands and themes.
The operation also used tracking pixels from Meta and TikTok. These scripts likely helped the operators measure which ads, lures, and pages converted victims most effectively.
Android users face a malware risk too
FEMITBOT is not limited to payment fraud. Some sites linked to the network can serve Android APK files that pretend to be legitimate apps.
CTM360 found delivery paths that included direct APK downloads, in-app browser prompts, and progressive web app installation prompts. BleepingComputer reported that some APKs impersonated brands such as BBC, NVIDIA, CineTV, CoreWeave, and Claro.

This matters because Android APK sideloading can bypass normal app store review checks. Google Play Protect can scan apps and warn users about harmful behavior, but users still reduce risk by avoiding apps from Telegram links and unofficial download pages.
Common warning signs
- A Telegram bot promises guaranteed crypto returns or passive income.
- A Mini App shows a balance before you have done any real activity.
- The app asks for a deposit before withdrawals are allowed.
- The page uses countdown timers, limited VIP slots, or referral pressure.
- The bot impersonates a major brand but is not linked from the brand’s official website.
- The app asks you to install an APK from outside Google Play.
- The platform claims you must pay tax, unlock fees, or verification charges to receive earnings.
Why the scam can spread quickly
FEMITBOT uses referral mechanics to turn victims into promoters. People who think they are earning rewards may invite friends, family, or social media contacts to join.
The fraud kit also supports many languages, which helps operators run campaigns across different regions. The same backend can power a crypto lure in one country and a streaming lure in another.
Cloudflare-backed infrastructure also helps the pages stay fast and makes them harder to trace to their real origin. That does not make the pages legitimate, but it can make them look more polished to users.
What users should do
- Do not trust Telegram bots that promise guaranteed returns, instant crypto income, or easy withdrawals.
- Never pay a deposit to unlock supposed earnings.
- Do not install APK files from Telegram bots, Mini Apps, or random web pages.
- Check whether a brand links to the Telegram bot from its official website or verified channel.
- Keep Google Play Protect turned on.
- Remove suspicious apps and revoke permissions if you installed anything from one of these pages.
- Report fraudulent bots and domains to Telegram, the impersonated brand, and your security team.
- Contact your bank, exchange, or wallet provider quickly if you sent money.
What security teams should monitor
Security teams should look for traffic to known FEMITBOT-linked domains and newly registered domains that use similar templates. They should also review mobile telemetry for APK downloads launched from Telegram or in-app browsers.
Organizations with managed Android devices should restrict sideloading, allow only approved app sources, and block unknown APK downloads where possible. Security teams should also educate users that Mini Apps can load external web content inside Telegram.
For fraud teams, the shared backend behavior is useful. API responses, repeated page structures, tracking pixels, and Telegram bot-to-domain links can help cluster new campaigns before more users lose money.
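The clustering idea above can be sketched as follows. This is an added example, not code from CTM360 or from the original article: it groups crawled domains that share any indicator (the API welcome string quoted earlier, a tracking pixel ID, or a linked Telegram bot). All domains, pixel IDs and bot names are constructed placeholders, and the observation record layout is an assumption.

```python
from collections import defaultdict

# Marker string the article reports in API responses across linked domains.
API_MARKER = "Welcome to join the FEMITBOT platform"

# Constructed observations: hypothetical domains, pixel IDs and bot names.
OBSERVATIONS = [
    {"domain": "earn-a.example", "api_body": '{"msg":"Welcome to join the FEMITBOT platform."}',
     "pixels": {"meta:1001"}, "bots": {"@bonus_a_bot"}},
    {"domain": "stream-b.example", "api_body": '{"msg":"ok"}',
     "pixels": {"meta:1001", "tiktok:C77"}, "bots": {"@stream_b_bot"}},
    {"domain": "ai-c.example", "api_body": "",
     "pixels": {"tiktok:C77"}, "bots": {"@ai_c_bot"}},
    {"domain": "shop-d.example", "api_body": '{"status":"up"}',
     "pixels": {"meta:9999"}, "bots": set()},
    {"domain": "mine-e.example", "api_body": '{"msg":"Welcome to join the FEMITBOT platform."}',
     "pixels": set(), "bots": {"@mine_e_bot"}},
]

def indicators(obs):
    """Return the set of shareable indicators seen on one crawled domain."""
    out = {f"pixel:{p}" for p in obs["pixels"]} | {f"bot:{b}" for b in obs["bots"]}
    if API_MARKER.lower() in obs["api_body"].lower():
        out.add("api:femitbot-welcome")
    return out

def cluster(observations):
    """Group domains that share at least one indicator, using union-find."""
    parent = {o["domain"]: o["domain"] for o in observations}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    first_seen = {}  # indicator -> first domain it was observed on
    for o in observations:
        for ind in indicators(o):
            if ind in first_seen:
                parent[find(o["domain"])] = find(first_seen[ind])
            else:
                first_seen[ind] = o["domain"]
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def flagged(observations):
    """Return every domain in a cluster that contains an API marker hit."""
    hits = {o["domain"] for o in observations if "api:femitbot-welcome" in indicators(o)}
    return sorted(d for g in cluster(observations) if hits & set(g) for d in g)
```

Domains that never return the marker string themselves (here stream-b.example and ai-c.example) are still pulled into the flagged cluster through shared pixel IDs, which is how indirect links surface candidates for review.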
FAQ
FEMITBOT is a fraud network identified by CTM360 that abuses Telegram Mini Apps to run fake crypto, financial, AI, and streaming platforms.
Mini Apps open inside Telegram’s built-in browser, so fake platforms can feel like part of the Telegram experience even when they connect to attacker-controlled infrastructure.
Yes. Some FEMITBOT-linked sites can deliver Android APK files or progressive web apps that imitate legitimate services.
The fake apps show invented balances or earnings, then ask victims to make a deposit, upgrade, or payment before they can withdraw money.