FEMITBOT Network Abuses Telegram Mini Apps for Crypto Scams and Android Malware

A fraud network tracked as FEMITBOT uses Telegram's Mini App feature to draw users into investment scams and to distribute malicious software. All of its scams run on one centralized back end, which lets the operators run and manage many campaigns at once while presenting victims with a smooth, convincing experience.

The operation was uncovered by the research firm CTM360, which identified the network through API responses, the data exchanged between the operators' servers and the victims' devices. The name FEMITBOT was taken from those responses, and the shared responses are what tied the apparently unrelated bots to a single organized operation.

How the Scams Work

At the core of the operation are Telegram Mini Apps: web applications that a bot operator hosts on its own server and that Telegram renders inside the app's built-in browser, a WebView. When a user opens one of the bots and taps the Start button, the Mini App loads a phishing page straight away. Because the page is displayed inside Telegram's own interface, it borrows Telegram's credibility: nothing signals that the user is now looking at third-party web content controlled entirely by the bot's operator rather than by Telegram.

The scammers employ several tactics to extract money from their victims:

  • Fake Dashboards: Users are shown fabricated screens displaying fictitious earnings or inflated cryptocurrency balances.
  • Urgency: The applications utilize countdown timers and limited-time offers, compelling users to make hasty, emotional decisions.
  • The Trap: To withdraw any purported earnings, users are instructed to deposit their own funds or refer friends, a classic tactic in investment scams.

Brands and Dangerous Software

In an effort to enhance their credibility, FEMITBOT mimics well-known global brands. According to CTM360, the network employs logos and names from companies such as Apple, Disney, Coca-Cola, eBay, IBM, NVIDIA, MoonPay, and Binance, among others. This strategy lends an air of legitimacy to their fraudulent investment schemes.

The operation also distributes Android malware. Some Mini Apps push users to download APK files or to install Progressive Web Apps (PWAs), with the files posing as apps from reputable organizations such as the BBC and NVIDIA. The download sites are served over HTTPS with valid TLS certificates, so the browser shows the usual padlock and the pages look safe and verified. That is all a certificate proves: the connection to that hostname is encrypted and the certificate was issued for that domain. It says nothing about who operates the site or whether the file on offer is safe, and installing an APK from a link in a chat bypasses the app store's review entirely.

Screenshot via CTM360

A Professional Setup

This is not the work of a small group; it runs like a single shared platform. Because every scam is served from the same back end, the operators can swap a campaign's branding or language quickly. They also use marketing tooling from Meta and TikTok, embedding tracking pixels in the Mini App pages to measure which scams attract the most engagement, the same conversion tracking a legitimate advertiser would use. This level of organization shows a criminal operation run with the discipline of a business. Users should treat any bot that requires a deposit or referrals before it will release a balance as a scam signal.
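The indicators described above, the APK and PWA install lures, the deposit-before-withdrawal gate, the brand names, the urgency timers and the Meta and TikTok pixels, can be turned into a quick triage check for the HTML a Mini App serves. The scanner below is an added example written for this article, not CTM360's tooling; the pixel and Telegram SDK script URLs are the public loader URLs of those products, the wording and link patterns and the weights are this example's own heuristics, and both HTML pages are constructed samples rather than captures of FEMITBOT pages.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns. The script URLs are the public loader URLs of the Meta
# pixel, the TikTok pixel and the Telegram Mini App SDK; the wording and link
# heuristics are this example's own choices, not signatures from the report.
INDICATORS = {
    # Confirms the page is built as a Telegram Mini App (context only, weight 0).
    "telegram_webapp_sdk": re.compile(r"telegram\.org/js/telegram-web-app\.js", re.I),
    # Meta (Facebook) pixel loader or init call.
    "meta_pixel": re.compile(r"connect\.facebook\.net/[a-z_]+/fbevents\.js|fbq\(\s*['\"]init['\"]", re.I),
    # TikTok pixel loader or init call.
    "tiktok_pixel": re.compile(r"analytics\.tiktok\.com/i18n/pixel|ttq\.load\(", re.I),
    # Direct APK download link: a Mini App has no reason to sideload Android packages.
    "apk_download": re.compile(r"href\s*=\s*['\"][^'\"]+\.apk(?:\?[^'\"]*)?['\"]", re.I),
    # Installable PWA manifest.
    "pwa_manifest": re.compile(r"<link[^>]+rel\s*=\s*['\"]manifest['\"]", re.I),
    # Urgency mechanics.
    "countdown_timer": re.compile(r"countdown|limited[\s-]time|offer ends", re.I),
    # Deposit required before withdrawal, in either order within one sentence.
    "deposit_to_withdraw": re.compile(
        r"(?:deposit|top[\s-]?up|recharge)[^.<]{0,80}(?:withdraw|unlock|release)"
        r"|(?:withdraw|unlock|release)[^.<]{0,80}(?:deposit|top[\s-]?up|recharge)", re.I),
    # Referral gate.
    "referral_gate": re.compile(r"(?:invite|refer)[^.<]{0,60}(?:friends?|users?|members?)", re.I),
}

# Heuristic weights chosen for this example.
WEIGHTS = {
    "telegram_webapp_sdk": 0, "meta_pixel": 1, "tiktok_pixel": 1, "apk_download": 3,
    "pwa_manifest": 1, "countdown_timer": 1, "deposit_to_withdraw": 3, "referral_gate": 2,
}
# Indicators that show the page is trying to extract money or push an install.
MONETISATION = {"apk_download", "deposit_to_withdraw", "referral_gate"}

# Brands the article names as impersonated; matched case-sensitively as whole words.
BRAND_NAMES = ["Apple", "Disney", "Coca-Cola", "eBay", "IBM", "NVIDIA", "MoonPay", "Binance", "BBC"]
BRAND_PATTERNS = {b: re.compile(r"\b" + re.escape(b) + r"\b") for b in BRAND_NAMES}


@dataclass
class ScanResult:
    hits: list = field(default_factory=list)    # indicator names that matched
    brands: list = field(default_factory=list)  # brand names found in the page
    score: int = 0
    verdict: str = "no indicators"


def scan_mini_app_html(html: str) -> ScanResult:
    """Score a Mini App page for the fraud indicators described in the article."""
    result = ScanResult()
    for name, pattern in INDICATORS.items():
        if pattern.search(html):
            result.hits.append(name)
            result.score += WEIGHTS[name]
    result.brands = [b for b, p in BRAND_PATTERNS.items() if p.search(html)]
    # A brand name alone is meaningless (the brand's own page would match); it only
    # adds to the score when the page also tries to take money or push an install.
    if result.brands and MONETISATION & set(result.hits):
        result.score += 2
    if result.score >= 5:
        result.verdict = "likely fraud"
    elif result.score >= 2:
        result.verdict = "suspicious"
    return result


# Constructed sample of what a FEMITBOT-style page might contain (not a real capture;
# the pixel IDs are placeholders and the host is a reserved .invalid name).
SAMPLE_SCAM_HTML = """<!doctype html>
<html><head><title>NVIDIA AI Mining - Official</title>
<link rel="manifest" href="/manifest.json">
<script src="https://telegram.org/js/telegram-web-app.js"></script>
<script>
!function(f,b,e,v,n,t,s){/* loader */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', 'PIXEL_ID_PLACEHOLDER'); fbq('track', 'PageView');
</script>
<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
<script>ttq.load('TIKTOK_PIXEL_PLACEHOLDER');</script>
</head><body>
<h1>Your balance: 4,812.50 USDT</h1>
<p id="countdown">Offer ends in 09:59</p>
<p>To withdraw your earnings, deposit 50 USDT to activate your account or invite 5 friends.</p>
<a href="https://example.invalid/NVIDIA_Wallet.apk">Download the official app</a>
</body></html>"""

# Constructed benign Mini App page: uses the SDK but shows none of the fraud indicators.
SAMPLE_BENIGN_HTML = """<!doctype html><html><head><title>Team Standup Notes</title>
<script src="https://telegram.org/js/telegram-web-app.js"></script>
</head><body><p>Notes for today.</p></body></html>"""

if __name__ == "__main__":
    for label, page in (("scam", SAMPLE_SCAM_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        r = scan_mini_app_html(page)
        print(f"{label}: score={r.score} verdict={r.verdict} hits={r.hits} brands={r.brands}")
```

To use it on a real page, fetch the Mini App URL with the same User-Agent Telegram's WebView sends and pass the response body to `scan_mini_app_html`; a page that scores in the "likely fraud" band is one to report rather than one to deposit into. The weights deliberately put the money-extraction gate and the APK link ahead of the pixels, because tracking pixels alone are common on legitimate sites.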

(Photo by Mohamed Nohassi on Unsplash)
