Could Your Next Telegram Click Be a Crypto Scam—or Even Android Malware?

May 5, 2026
by
Abhijay Bhatnagar

You tap “Start” on a Telegram bot. A clean-looking dashboard opens inside Telegram. It shows a balance, a few “wins,” maybe a countdown timer pushing you to act now. It feels native because it’s running in Telegram’s own in-app browser. That’s the trap. Investigators have tied a big wave of scams to a platform dubbed FEMITBOT, where criminals reuse the same backend across many fake brands and domains, then pressure people to pay “fees” or recruit referrals to unlock withdrawals.

Why these scams feel “real” inside Telegram (and why that matters)

Telegram Mini Apps (also called Telegram Web Apps) are basically lightweight web pages that open inside Telegram’s built-in browser. That’s the key detail scammers love. You don’t get kicked out to Chrome or Safari. You tap Start on a Telegram bot, and the “app” loads right there in Telegram’s own WebView, so your brain files it under “safe, familiar, native.” CTM360 researchers tracking the FEMITBOT campaigns described this exact flow: click “Start,” the bot launches a Mini App, and a phishing page displays inside Telegram like it’s part of the platform.

That “feels real” factor isn’t cosmetic. It changes how people judge risk.

Mini Apps + bots = a perfect trust wrapper

A normal phishing link has friction:

  • You see a random domain in the address bar.
  • Your browser warnings might show up.
  • The page looks “webby,” not “app-like.”

A Telegram Mini App removes a lot of that friction. The bot acts like a front desk. The Mini App acts like the “product.” And because it opens in Telegram’s in-app browser, it looks like a Telegram feature—especially when the scammers add clean UI, brand logos, and a dashboard layout.

The emotional setup: fake progress + manufactured urgency

Once the Mini App is open, these scams don’t start with “send crypto.” They start with momentum.

Researchers observed Mini Apps showing fake balances or “earnings,” then pushing victims with countdown timers or “limited-time” prompts. It’s a simple psychology loop:

  • “You’re already up.” (fake profit)
  • “Don’t miss the window.” (timer, expiring bonus)
  • “Act now.” (quick deposit, quick verification, quick step)

The result is people making money decisions in the same mental mode as buying concert tickets: rushed, reactive, and focused on not missing out.

Why this matters before you even lose money

Even if you don’t send funds, a Telegram Mini App scam can still do damage because it can:

  • Collect your details (phone, email, wallet address) under the cover of “registration”
  • Train you to trust the next step (“Start” → dashboard → “connect” / “verify” / “deposit”)
  • Normalize risky clicks inside Telegram, where you’re less likely to scrutinize links

That’s why “it opened inside Telegram” isn’t a safety signal. In this scam wave, it’s often the hook.

Inside FEMITBOT: one factory, many fake brands

Once you stop thinking of these as “random Telegram scams,” the pattern gets easier to spot. Researchers linked a large chunk of them to a shared platform they dubbed FEMITBOT—less like one scam, more like a reusable kit that can be reskinned fast across bots and domains.

How researchers tied separate bots to the same operation

When investigators pulled on the technical threads, different “brands” started to look like the same machine underneath.

Key link: shared backend infrastructure across many phishing domains and Telegram bots.

A standout indicator was a repeated API response string showing up across campaigns:

  • “Welcome to join the FEMITBOT platform”

That kind of repeated backend “fingerprint” is hard to explain away as coincidence. If two totally separate operations were building their own systems, you wouldn’t expect the same odd phrasing to show up in API responses across different domains.
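The pivot described above, as an added example (not from CTM360 or the original article): index every string returned by each domain's API and keep the ones that recur across domains. The domains and response bodies are constructed samples; only the FEMITBOT string comes from the article.

```python
import json
from collections import defaultdict

# Constructed captures: (domain, raw API response body). Domains use the
# reserved .example TLD and the JSON field names are assumptions.
CAPTURES = [
    ("promo-a.example", '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}'),
    ("earn-b.example",
     '{"status":"ok","data":{"notice":"Welcome to join the FEMITBOT platform"}}'),
    ("shop-c.example", '{"status":"ok","msg":"success"}'),
    ("wallet-d.example", '{"code":0,"msg":" welcome to join the femitbot platform "}'),
    ("news-e.example", "<html>not json</html>"),
]


def iter_strings(node):
    """Yield every string value in a decoded JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)


def normalize(text):
    """Case-fold and collapse whitespace so trivial edits do not split a cluster."""
    return " ".join(text.casefold().split())


def cluster_by_shared_string(captures, min_domains=2, min_length=12):
    """Map each distinctive response string to the domains that returned it."""
    seen = defaultdict(set)
    for domain, body in captures:
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            continue  # unparseable body: no evidence either way, so skip it
        for raw in iter_strings(doc):
            key = normalize(raw)
            if len(key) >= min_length:  # short values like "ok" link nothing
                seen[key].add(domain)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_domains}


if __name__ == "__main__":
    for text, domains in cluster_by_shared_string(CAPTURES).items():
        print(f"{text!r} -> {domains}")
```

The length threshold is a crude filter; on real data, long but generic framework messages still need to be excluded before a shared string is treated as a link between domains.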

The fake-brand play: borrow trust, then cash it out

FEMITBOT campaigns didn’t just invent new names. They went after credibility by impersonating widely recognized brands to raise click-through and reduce suspicion.

Brands called out by researchers included:

  • Apple
  • Coca-Cola
  • Disney
  • eBay
  • IBM
  • MoonPay
  • NVIDIA
  • YouKu

The reason impersonation works is boring but effective: people hesitate less when the logo feels familiar. Even skeptical users think, “Maybe this is a promo bot” or “Maybe this is a support channel.”

Scam operators are running this like performance marketing

What makes FEMITBOT feel modern is how it’s run. CTM360 noted the infrastructure is built to be reused, letting attackers switch branding, languages, and themes quickly across campaigns—the same way a growth team A/B tests landing pages.

And it gets worse: these pages used tracking scripts including Meta (Facebook) Pixel and TikTok Pixel to monitor activity and “measure conversions,” likely to optimize what gets people to take the next step.

That detail matters because it tells you the goal isn’t “spray and pray.” It’s:

  • track what you click
  • see where you drop off
  • tweak the page until more people pay

At that point, you’re not dealing with a single shady bot. You’re dealing with an assembly line.

The money trap: ‘deposit to withdraw’ and referral pressure

FEMITBOT-style crypto scams don’t usually ask for money on the first screen. They let you believe you’ve already made it.

CTM360’s reporting shows the punchline comes when you try to withdraw: victims are prompted to make a deposit or complete referral tasks—a classic advance-fee / investment scam move dressed up as a normal “platform requirement.”

The standard “deposit to withdraw” flow (what it looks like in Telegram)

Here’s the pattern that keeps showing up in Telegram bot / Mini App scam dashboards:

  1. You see earnings: a balance that rises, a “profit” widget, maybe a streak or reward counter.
  2. You hit Withdraw: the first time you try to cash out.
  3. A blocker appears: withdrawals are “locked,” “pending,” or “limited.”
  4. You’re told to pay or recruit: deposit funds or complete referral tasks to “activate” withdrawals.

That’s the trap. Real services take their fees from the amount being withdrawn or clearly disclose costs upfront. Scams flip it around: you pay extra to access money that isn’t real.

Why referrals show up in investment scams

Referral tasks aren’t a “growth hack.” They’re a pressure tool.

  • They make the scam feel like a legit product with “community rewards”
  • They buy the attackers more victims without buying ads
  • They isolate you socially: once you’ve invited friends, it’s harder to admit it’s fake

CTM360 notes victims are pushed into referral tasks as part of the withdrawal roadblock.

A hard-stop checklist: phrases that should end the conversation

If you see any of these, treat it like a confirmed scam and stop engaging:

  • “Unlock withdrawals”
  • “Verification fee”
  • “Tax fee”
  • “One-time activation”
  • “Invite 3 friends”

Not “be careful.” Just stop. Close the Mini App. Don’t negotiate, don’t argue, don’t try one small payment to “test it.” That’s exactly what they’re counting on.

When the Mini App turns into malware: APK/PWA installs and the TLS ‘trust’ trick

Some Telegram Mini App scams don’t stop at stealing deposits. They try to get code onto your phone.

CTM360 found Mini Apps in this wave that attempted to distribute Android malware by prompting users to download Android APKs, open links in Telegram’s in-app browser, or install progressive web apps (PWAs) that mimic legitimate software. That’s a big shift: once you install something, you’re not just dealing with a fake dashboard anymore.

The “install” moment: what scammers push

You’ll see prompts that sound like normal setup steps:

  • “Download the app” (but it’s an APK file, not Google Play)
  • “Install update” (common excuse to push a new file)
  • “Add to Home Screen” (typical PWA wording)

In the FEMITBOT campaigns, APKs were made to impersonate well-known brands, and CTM360 noted the filenames were chosen to reduce suspicion:

  • they might look like a real app name, or
  • they might be random-looking so they don’t trip your instincts right away.

If you’re on Android, this often funnels into sideloading (installing outside the Play Store). Attackers like sideloading because it bypasses a lot of the store’s safety checks.

The TLS ‘trust’ trick: why the lock icon misleads people

A lot of people rely on one signal: the little lock icon in the browser.

Scammers know that.

CTM360 documented a simple tactic: the APKs were hosted on the same domain as the API, which helps keep the TLS certificate “valid” and avoids browser “mixed content” warnings.

Here’s the plain-English version:

  • TLS (the lock icon) only means the connection is encrypted between you and that website.
  • It does not mean the site is honest.
  • It definitely does not mean the file you’re downloading is safe.

So yes, a malicious APK can be delivered over a perfectly “secure” HTTPS connection. The lock just means you’re privately downloading the malware.
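Since neither the lock icon nor the filename says what the file is, a download filter has to classify the bytes themselves. The following is an added example (not from CTM360 or the original article); the record shape, host names and sample archives are constructed for illustration.

```python
import io
import zipfile
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"


def looks_like_apk(payload: bytes) -> bool:
    """An APK is a ZIP archive with AndroidManifest.xml at its root."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            return "AndroidManifest.xml" in archive.namelist()
    except zipfile.BadZipFile:
        return False


def triage_download(url: str, content_type: str, payload: bytes, api_host: str) -> dict:
    """Classify one download record (hypothetical proxy-log shape)."""
    parts = urlsplit(url)
    is_apk = looks_like_apk(payload) or content_type.lower().startswith(APK_MIME)
    return {
        "https": parts.scheme == "https",                # encrypted transport only
        "apk": is_apk,                                   # decided by content, not name
        "same_host_as_api": parts.hostname == api_host,  # the hosting pattern noted above
        "block": is_apk,                                 # HTTPS never lifts the block
    }


def build_sample_zip(entries):
    """Build a constructed in-memory archive; entry contents are placeholders."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in entries:
            archive.writestr(name, b"constructed placeholder")
    return buffer.getvalue()


# Constructed samples: an APK-shaped archive and an ordinary ZIP.
SAMPLE_APK = build_sample_zip(["AndroidManifest.xml", "classes.dex", "resources.arsc"])
SAMPLE_ZIP = build_sample_zip(["readme.txt"])

if __name__ == "__main__":
    # Random-looking name, generic content type, valid HTTPS: still an APK.
    print(triage_download("https://api.promo-a.example/dl/x7f3k2q9",
                          "application/octet-stream", SAMPLE_APK, "api.promo-a.example"))
```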

Quick rules if a Telegram Mini App asks you to install anything

  • Treat any APK download prompt inside Telegram as high risk.
  • Avoid APK sideloading unless you’re 100% sure of the source and you understand the risk.
  • Prefer apps from Google Play when possible.

This is where Telegram scams stop being “I might lose some crypto” and turn into “my phone might be compromised.”

What to do next time you get a ‘Start’ button: a practical safety playbook

If the last section left you thinking, “Okay, so a Mini App can be a malware delivery page,” good. That’s the right level of suspicion.

CTM360’s guidance is blunt: be cautious with Telegram bots that push crypto investing or Mini Apps, especially when they ask for deposits or downloads—and on Android, avoid sideloading APKs that come from outside Google Play.

Step 1: Treat “Start” like you would a cold link

Before you tap Start on a Telegram bot:

  • Pause and verify the source. If it claims to be Apple/Disney/NVIDIA/etc., don’t trust the bot name or logo.
  • Go to the brand’s official website and look for their official Telegram presence (if any). If you can’t confirm it from an official source, assume it’s impersonation.

Rule of thumb: a real brand doesn’t need a random Telegram bot + Mini App for “instant earnings.”

Step 2: Set one non-negotiable money rule

If any dashboard ever blocks your withdrawal and asks you to:

  • deposit funds,
  • pay a fee,
  • or complete tasks

Stop. CTM360 observed victims being prompted to make a deposit or complete referral tasks when trying to withdraw—classic advance-fee mechanics.

Step 3: Treat download prompts as a red alert (especially on Android)

If a Telegram Mini App asks you to install anything:

  • Don’t download APKs from a Telegram bot link.
  • Don’t enable sideloading “just this once.”
  • Stick to Google Play when you need an app.

This same campaign family pushed Android APKs and PWAs through Telegram, and CTM360 explicitly warns Android users to avoid APK sideloading because it’s commonly used to distribute malware outside the Play Store.

Step 4: Protect your identity even when you’re “just checking it out”

Even if you don’t send money, scams still try to harvest your contact info so they can:

  • keep pressuring you,
  • resell your details,
  • or target you later with more convincing phishing.

If you absolutely must interact with an unknown service (sign-up forms, “support” chats, waitlists), use a Cloaked phone number and email instead of your real ones. It’s a practical way to avoid burning your primary contact info when a bot turns out to be a scam, and it reduces the follow-on harassment that often comes after you engage.

Step 5: If you already clicked, don’t “fix it” inside the chat

  • Stop responding to the bot.
  • Don’t send screenshots of IDs, wallet screenshots, or payment receipts.
  • Report/block the bot and warn anyone you invited.

The win here isn’t proving it’s a scam. It’s cutting contact before it turns into a payment, an install, or an identity leak.
