CTM360 identified FEMITBOT, a fraud operation using Telegram’s Mini App feature to run advance-fee crypto scams and distribute Android malware, while impersonating at least eight major brands: Apple, Coca-Cola, Disney, eBay, IBM, MoonPay, NVIDIA, and YouKu.
The mechanics follow a pattern federal prosecutors know well. Victims interact with Telegram bots, which launch embedded Mini Apps showing fake crypto investment dashboards, complete with manufactured balances and countdown timers. When users try to withdraw, they don’t get paid: the platform demands a deposit first, a classic advance-fee structure that supports wire fraud charges under 18 U.S.C. § 1343.
Brand impersonation adds Lanham Act exposure. FEMITBOT’s infrastructure rotates domains and Telegram bots while sharing a single backend API, complicating attribution for civil plaintiffs seeking injunctive relief. Android APK files impersonating BBC, NVIDIA, CineTV, CoreWeave, and Claro were distributed through the same servers, with filenames crafted to avoid triggering suspicion.
The campaign also deployed Meta and TikTok tracking pixels to measure conversion rates, a marker of organized monetization. The shared backend cycles through languages, brands, and themes, suggesting it’s a fraud-as-a-service infrastructure built for volume.
CTM360 shared its findings with BleepingComputer. No law enforcement action has been publicly announced. Given the impersonation of multiple U.S.-listed companies and the multi-jurisdictional infrastructure, referrals to the FBI’s Internet Crime Complaint Center or the FTC are the logical next step.
James Okafor