
Verify a decision

Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.

How verification works

  1. We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash them with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
  2. We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
  3. You compare three values: the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.

The on-chain memo format is: AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>

Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.

Sequence: #1
Score:
Cluster: mainnet-beta
Slot: 422756766
Off-chain at: 2026-05-28T16:29:26.685Z
Anchored at:
Block time:

Independent verification

  1. Database (off-chain): 59pm9s4mF7nna3hqAVwzCVMz1dBgdCz5mKZGCk2ZzU4D
  2. Recomputed (your browser): computing…
  3. On-chain (Solana memo): fetching…

Canonical bytes hashed (16593 chars)
{"actor":"system:backfill","investigation_id":"78e87dbe-3942-454c-8718-d932eb3e3384","kind":"publish","page_slug":"femitbot-telegram-mini-app-fraud-network","published_at":"2026-05-28T16:29:26.639Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"FEMITBOT Telegram Mini App Fraud Network","sections":[{"content":"CTM360, a Bahrain-based cybersecurity intelligence firm, identified and named the FEMITBOT network in April 2026 after discovering the string 'Welcome to join the FEMITBOT platform' appearing as a consistent API response fingerprint across all attacker-controlled domains. This shared response confirmed that all observed campaigns were operating on a single unified backend infrastructure. The network was publicly disclosed in a CTM360 threat report and subsequently covered by major security outlets including BleepingComputer, CyberSecurityNews, and Hackread in early May 2026. No attribution to specific individuals, groups, or nation-states has been established, and no law enforcement action has been announced as of the date of this investigation.","heading":"Discovery and Attribution","severity":"critical","sources":[{"credibility":2,"name":"CTM360: FEMITBOT Telegram Mini Apps Fraud Report","type":"research","url":"https://www.ctm360.com/reports/femitbot-telegram-mini-apps-fraud-campaigns"},{"credibility":1,"name":"BleepingComputer: Telegram Mini Apps abused for crypto scams, Android malware delivery","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/"},{"credibility":2,"name":"CyberSecurityNews: New FEMITBOT Network Uses Telegram Mini Apps to Push Crypto Fraud and Android Malware","type":"news_article","url":"https://cybersecuritynews.com/new-femitbot-network-uses-telegram-mini-apps/"}]},{"content":"The FEMITBOT network operates a modular, template-driven infrastructure designed for rapid deployment and reuse across multiple simultaneous 
fraud campaigns. CTM360 researchers documented 146+ active Telegram bots, 60+ active domains, and at least 15 distinct Mini App 'skins' — configurable brand templates that can be swapped to impersonate different targets. All domains share a common backend API, with every server returning the identifying string 'Welcome to join the FEMITBOT platform.' The infrastructure leverages Cloudflare's network to obscure origin servers and maintain uptime. Ad-tech conversion tracking is integrated directly into the fraud kit, with PageView, Purchase, and rePurchase events reported to both Meta (Facebook/Instagram) and TikTok advertising platforms, indicating a commercially optimized approach to victim recruitment. The entire platform is reported to support 22+ languages, enabling global targeting.","heading":"Infrastructure Scale and Architecture","severity":"critical","sources":[{"credibility":2,"name":"CyberSecurityNews: New FEMITBOT Network Uses Telegram Mini Apps","type":"news_article","url":"https://cybersecuritynews.com/new-femitbot-network-uses-telegram-mini-apps/"},{"credibility":2,"name":"GBHackers: FEMITBOT Network Exploits Telegram Mini Apps","type":"news_article","url":"https://gbhackers.com/femitbot-network-exploits-telegram-mini-apps/"},{"credibility":2,"name":"Hackread: FEMITBOT Network Abuses Telegram Mini Apps for Crypto Scams and Android Malware","type":"news_article","url":"https://hackread.com/femitbot-telegram-mini-apps-crypto-scam-android-malware/"}]},{"content":"A technically significant component of the FEMITBOT attack chain involves the abuse of Telegram's initData mechanism. When a victim opens a FEMITBOT Mini App, the embedded Vue.js client calls a single unauthenticated public endpoint — /api/public/init — which returns the full campaign configuration including brand skins, feature flags, and tracking IDs. 
Simultaneously, the app silently collects the victim's Telegram user ID, display name, and authentication hash from the initData object that Telegram automatically passes to all Mini Apps. This initData string is then submitted to a separate API endpoint which issues a JWT cookie, silently authenticating the victim to the fraudulent platform for up to ten days without requiring any password entry. This mechanism allows attackers to establish persistent session control tied to the victim's Telegram identity, potentially enabling follow-on attacks against any wallet or service linked to that account.","heading":"Telegram initData Harvesting and Session Hijacking","severity":"critical","sources":[{"credibility":2,"name":"CyberSecurityNews: New FEMITBOT Network Uses Telegram Mini Apps","type":"news_article","url":"https://cybersecuritynews.com/new-femitbot-network-uses-telegram-mini-apps/"},{"credibility":2,"name":"CTM360: FEMITBOT Telegram Mini Apps Fraud Report","type":"research","url":"https://www.ctm360.com/reports/femitbot-telegram-mini-apps-fraud-campaigns"},{"credibility":2,"name":"SOCFortress Medium: The Telegram Trap — Inside the FEMITBOT Fraud Network","type":"research","url":"https://socfortress.medium.com/the-telegram-trap-inside-the-sophisticated-femitbot-fraud-network-8b310c8c9df8"}]},{"content":"Victims are recruited primarily through social media advertising on Meta and TikTok platforms, as well as through unsolicited Telegram invitations promising passive income or investment returns. Upon interacting with a FEMITBOT bot, victims are presented with polished interfaces that closely mimic legitimate brands, including fake earnings dashboards, countdown timers creating artificial urgency, and VIP upgrade prompts. 
The scripted escalation follows a predictable pattern: fake balances or earnings are displayed to establish trust, time-limited offers pressure quick action, and when victims attempt to withdraw their alleged earnings, a deposit requirement is introduced to 'unlock' the funds. Real money is transferred by the victim at this stage. The network also employs multi-level referral systems that convert victims into unwitting recruiters, amplifying reach organically.","heading":"Fraud Mechanics and Victim Exploitation","severity":"critical","sources":[{"credibility":1,"name":"BleepingComputer: Telegram Mini Apps abused for crypto scams, Android malware delivery","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/"},{"credibility":2,"name":"GBHackers: FEMITBOT Network Exploits Telegram Mini Apps","type":"news_article","url":"https://gbhackers.com/femitbot-network-exploits-telegram-mini-apps/"},{"credibility":2,"name":"Cryptopolitan: Scammers turn Telegram Mini Apps into crypto fraud traps","type":"news_article","url":"https://www.cryptopolitan.com/scammers-telegram-mini-apps-crypto-fraud/"}]},{"content":"FEMITBOT impersonates more than 30 globally recognized brands across multiple sectors. Confirmed impersonated crypto and financial services brands include Binance, OKX, Bitget, and MoonPay. Impersonated technology and media brands include Apple, IBM, NVIDIA, BBC, Disney, CineTV, YouKu, Netflix, and Coreweave. Consumer brands impersonated include Coca-Cola and eBay, and the telecommunications firm Claro has also been identified as an impersonated target. 
The network uses at least 15 configurable brand skins loaded dynamically via feature flags in the shared backend configuration, allowing operators to switch active impersonation targets without redeploying infrastructure.","heading":"Brand Impersonation","severity":"high","sources":[{"credibility":2,"name":"Hackread: FEMITBOT Network Abuses Telegram Mini Apps for Crypto Scams and Android Malware","type":"news_article","url":"https://hackread.com/femitbot-telegram-mini-apps-crypto-scam-android-malware/"},{"credibility":2,"name":"CyberSecurityNews: New FEMITBOT Network Uses Telegram Mini Apps","type":"news_article","url":"https://cybersecuritynews.com/new-femitbot-network-uses-telegram-mini-apps/"},{"credibility":2,"name":"GBHackers: FEMITBOT Network Exploits Telegram Mini Apps","type":"news_article","url":"https://gbhackers.com/femitbot-network-exploits-telegram-mini-apps/"}]},{"content":"Beyond financial fraud, FEMITBOT functions as a malware delivery network for Android devices. Certain sites within the network include an 'appdownloadshowswitch' feature flag in their server-returned configuration that, when enabled, triggers malicious APK file delivery. Malware distribution uses three delivery methods designed to minimize user friction: direct APK file downloads triggered by a button, in-app browser experiences that feel native and trusted, and Progressive Web App (PWA) home screen installation prompts. APK filenames are crafted to appear legitimate or randomized to evade detection. Identified malicious APKs impersonate apps from BBC, NVIDIA, CineTV, Coreweave, and Claro. The APKs are hosted on the same domains as the phishing infrastructure, allowing them to present valid TLS certificates and avoid browser security warnings. 
Specific malware family classification or behavioral analysis has not been publicly confirmed in available sources.","heading":"Android Malware Distribution","severity":"critical","sources":[{"credibility":1,"name":"BleepingComputer: Telegram Mini Apps abused for crypto scams, Android malware delivery","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/"},{"credibility":2,"name":"GBHackers: FEMITBOT Network Exploits Telegram Mini Apps","type":"news_article","url":"https://gbhackers.com/femitbot-network-exploits-telegram-mini-apps/"},{"credibility":2,"name":"TechBriefly: FEMITBOT scam uses Telegram Mini Apps to distribute Android malware","type":"news_article","url":"https://techbriefly.com/2026/05/04/femitbot-scam-uses-telegram-mini-apps-to-distribute-android-malware/"}]},{"content":"A distinctive feature of the FEMITBOT network is its integration of legitimate digital advertising infrastructure for victim recruitment and campaign optimization. The fraud kit embeds conversion tracking pixels from both Meta Platforms (Facebook and Instagram) and TikTok, reporting PageView, Purchase, and rePurchase events back to attacker-controlled ad accounts. This enables operators to measure campaign performance, optimize targeting parameters, and scale victim acquisition using the same tools used by legitimate e-commerce businesses. Victims are funneled into Telegram bots primarily through paid social media advertisements on these platforms, as well as through organic spread via the network's built-in referral system. 
This represents a notable professionalization of fraud operations, treating victim acquisition as a marketing funnel.","heading":"Ad-Tech Abuse and Victim Recruitment","severity":"high","sources":[{"credibility":2,"name":"CTM360: FEMITBOT Telegram Mini Apps Fraud Report","type":"research","url":"https://www.ctm360.com/reports/femitbot-telegram-mini-apps-fraud-campaigns"},{"credibility":2,"name":"CyberSecurityNews: New FEMITBOT Network Uses Telegram Mini Apps","type":"news_article","url":"https://cybersecuritynews.com/new-femitbot-network-uses-telegram-mini-apps/"},{"credibility":2,"name":"Security Boulevard: Telegram Mini Apps Abused for Crypto Scams and Android Malware Delivery","type":"news_article","url":"https://securityboulevard.com/2026/05/telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery/"}]},{"content":"As of May 2026, no law enforcement agency has publicly announced arrests, takedowns, or formal investigations related to the FEMITBOT network. No regulatory body has issued related warnings or sanctions. CTM360's report does not attribute the network to a specific threat actor group, nation-state, or geographic origin. The operators remain unidentified in all publicly available sources. The infrastructure's use of Cloudflare for origin obfuscation, shared multi-domain backend hosting, and ad account abuse across Meta and TikTok platforms presents significant challenges for attribution and takedown. 
The network's continued active operation as of the date of public disclosure has not been contradicted by any available source.","heading":"Absence of Law Enforcement Action or Attribution","severity":"medium","sources":[{"credibility":2,"name":"CTM360: FEMITBOT Telegram Mini Apps Fraud Report","type":"research","url":"https://www.ctm360.com/reports/femitbot-telegram-mini-apps-fraud-campaigns"},{"credibility":1,"name":"BleepingComputer: Telegram Mini Apps abused for crypto scams, Android malware delivery","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/"}]}],"sources_used":[{"credibility":2,"name":"CTM360: FEMITBOT Telegram Mini Apps Fraud Report","type":"research","url":"https://www.ctm360.com/reports/femitbot-telegram-mini-apps-fraud-campaigns"},{"credibility":1,"name":"BleepingComputer: Telegram Mini Apps abused for crypto scams, Android malware delivery","type":"news_article","url":"https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/"},{"credibility":2,"name":"CyberSecurityNews: New FEMITBOT Network Uses Telegram Mini Apps to Push Crypto Fraud and Android Malware","type":"news_article","url":"https://cybersecuritynews.com/new-femitbot-network-uses-telegram-mini-apps/"},{"credibility":2,"name":"Hackread: FEMITBOT Network Abuses Telegram Mini Apps for Crypto Scams and Android Malware","type":"news_article","url":"https://hackread.com/femitbot-telegram-mini-apps-crypto-scam-android-malware/"},{"credibility":2,"name":"GBHackers: FEMITBOT Network Exploits Telegram Mini Apps to Spread Crypto Scams and Android Malware","type":"news_article","url":"https://gbhackers.com/femitbot-network-exploits-telegram-mini-apps/"},{"credibility":2,"name":"Security Boulevard: Telegram Mini Apps Abused for Crypto Scams and Android Malware 
Delivery","type":"news_article","url":"https://securityboulevard.com/2026/05/telegram-mini-apps-abused-for-crypto-scams-and-android-malware-delivery/"},{"credibility":2,"name":"Cryptopolitan: Scammers turn Telegram Mini Apps into crypto fraud traps","type":"news_article","url":"https://www.cryptopolitan.com/scammers-telegram-mini-apps-crypto-fraud/"},{"credibility":2,"name":"TechBriefly: FEMITBOT scam uses Telegram Mini Apps to distribute Android malware","type":"news_article","url":"https://techbriefly.com/2026/05/04/femitbot-scam-uses-telegram-mini-apps-to-distribute-android-malware/"},{"credibility":2,"name":"SOCFortress Medium: The Telegram Trap — Inside the Sophisticated FEMITBOT Fraud Network","type":"research","url":"https://socfortress.medium.com/the-telegram-trap-inside-the-sophisticated-femitbot-fraud-network-8b310c8c9df8"}],"summary":"FEMITBOT is a large-scale, centralized fraud-as-a-service network discovered by CTM360 in April 2026 that abuses Telegram Mini Apps to operate fake cryptocurrency platforms, impersonate over 30 global brands, and distribute Android malware across more than 60 domains and 146 active bots. The network harvests Telegram initData authentication tokens to silently access victim sessions, operates in 22+ languages, and uses real-time ad-tech conversion tracking from Meta and TikTok to optimize victim recruitment at global scale. No law enforcement action or attribution to specific threat actors has been publicly confirmed as of May 2026.","timeline":[{"date":"2026-04-01","event":"CTM360 identifies and documents the FEMITBOT network, discovering the shared API fingerprint 'Welcome to join the FEMITBOT platform' across all attacker domains. 
Exact date within April not publicly specified.","source":"CTM360 FEMITBOT Report","source_url":"https://www.ctm360.com/reports/femitbot-telegram-mini-apps-fraud-campaigns"},{"date":"2026-05-04","event":"BleepingComputer, CyberSecurityNews, Hackread, TechBriefly, and multiple security outlets publish coverage of the FEMITBOT network based on the CTM360 report, bringing the threat to wider public attention.","source":"BleepingComputer","source_url":"https://www.bleepingcomputer.com/news/security/telegram-mini-apps-abused-for-crypto-scams-android-malware-delivery/"},{"date":"2026-05-04","event":"CTM360 formally publishes the FEMITBOT threat report, detailing 146+ bots, 60+ domains, 30+ impersonated brands, and the initData JWT session hijacking vector.","source":"CTM360","source_url":"https://www.ctm360.com/reports/femitbot-telegram-mini-apps-fraud-campaigns"}]},"v":1}