The Mini App opens inside Telegram and the trapdoor closes behind you
A cybersecurity firm pulled the back off a Telegram-based scam network and found the same engine running under fifteen different paint jobs. The brands were fake. The dashboards were fake. The "Welcome to join the FEMITBOT platform" string was the only honest line in the whole machine.
I.
The link arrives on a Tuesday afternoon from someone whose profile picture you half-recognize. A face from a Discord. A handle from a group chat. The message is short. A screenshot of a balance. A promise of easy yield. A button that says tap here.
You tap. Telegram opens a window inside Telegram. There is no browser. There is no address bar. There is just a screen with a logo you trust at the top of it. Maybe Binance. Maybe Apple. Maybe Disney, if the bot was tuned for a different demographic that week. The page loads instantly because it is supposed to load instantly. That is the point of a Mini App. They are little web apps that live inside the messenger and run without ever asking you to leave it.
You are still inside Telegram. That is what your brain registers. You came here through a chat. You did not type a URL. You did not click an unknown link in an email. You are in the app you use to talk to your cousin.
There is a dashboard. There is a number going up. There is a countdown timer telling you the offer ends in nine minutes and twelve seconds. There is a button that says deposit to activate.
This is where the money leaves.
II.
The cybersecurity firm CTM360 spent the early weeks of April 2026 pulling apart what they eventually named the FEMITBOT network. They found something that is, in its way, more interesting than another scam. They found a factory.
Fifteen different Mini App skins. More than sixty active domains. More than one hundred and forty Telegram bots feeding traffic into them. Over thirty brand identities painted on the front of the operation. Apple. Disney. Coca-Cola. eBay. IBM. NVIDIA. MoonPay. YouKu. Binance. OKX. Netflix. BBC. Bitget. CineTV. Coreweave. Claro.
Different logos. Different color schemes. Different bots greeting you with different scripts.
One backend.
The researchers found it because every domain in the network, no matter what brand was painted on the front, returned the same string from the same API endpoint when you poked it: "Welcome to join the FEMITBOT platform." A front end can be reskinned in an afternoon. A response string baked into the shared backend gets copied, unchanged, to every new domain that points at it.
That is the receipt. That is the part the operators forgot to repaint.
III.
Here is what a Mini App actually is, because the word makes it sound like a toy.
Telegram is the messenger. Mini Apps are web pages that the Telegram client loads in a built-in browser view inside the chat, the same way an Instagram filter runs inside Instagram. They can take payments. They can sign you into things. When the page opens, the client hands it a signed bundle of your Telegram identity (user id, name, username) that the developer's server can verify and bind to whatever account it wants. The framework is real. Companies use it. Governments use it. The Hamster Kombat phenomenon used it.
Here is the part that matters for FEMITBOT. A Mini App is, at bottom, a URL that the bot's owner sets on the bot. Telegram does not pre-review the code served at that URL before it goes live, and the owner can change what it serves at any time afterwards. The platform is reactive. Something has to be reported, and then Telegram acts. Until then, whatever the developer ships is what the user sees.
That is not a bug. That is a policy. The policy is the trapdoor.
If you are the operator, you do not need to break Telegram. You do not need to write an exploit. You write a normal Mini App. You buy a domain. You point the Mini App at a phishing page wearing the skin of a brand the target will recognize. The TLS certificate will be valid because it is a normal certificate. The page will load smoothly because it is a normal web page. The Telegram interface around it will look exactly the way Telegram is supposed to look, because it is exactly the way Telegram is supposed to look.
The container is real. The contents are not. That gap is the entire business.
IV.
The pitch shape is older than the technology.
You make a deposit to unlock your earnings. The dashboard says you have already earned three hundred dollars in passive income, but to withdraw it you need to verify your account by depositing fifty. You deposit fifty. The number goes up. Now to withdraw you need to complete three referral tasks. Or pay a tax. Or upgrade to a higher tier. The dashboard never stops showing you what you almost have.
This is the advance-fee structure with new paint. The pattern was running in Nigerian email scams in the 1990s. It was running in romance scams in the 2010s. It is running inside Telegram in 2026 because the only thing that ever changes about an advance-fee scam is the room you stand in while you do the math.
In FEMITBOT's room, the math has a logo on it. The logo says Binance, or Apple, or Netflix. The logo says trust me.
V.
There is a second floor to the operation. The same domains that host the phishing API also host APK files. Those are Android installer packages. Sideloaded. Outside the Play Store. The user is invited to download the "official" app for the brand they are already pretending to interact with. The certificate on the domain is valid, so the browser does not warn them. Android will ask them to allow installs from that source, but a user who has just been told this is the official app taps through, and they install it.
What the APK does after that is a separate problem. Credential harvesting. Wallet draining. Persistence on the device. The malware is the part that keeps working after you have stopped paying attention.
Read that slowly. The crypto loss is the visible damage. The phone in your pocket is what they actually walked away with.
VI.
The operators were not winging this. CTM360 catalogued more than one hundred tracking pixel IDs from Meta and TikTok ad systems wired into the scam pages.
A tracking pixel is a small piece of code that tells an advertising platform what a user did after they saw an ad. Did they click. Did they convert. Did they deposit. Marketers use them to optimize spend. The ID in that snippet belongs to a specific advertiser account, which is also why investigators treat it as a pivot: two pages carrying the same pixel ID are being measured by the same advertiser.
The operators of FEMITBOT used them the same way. They were running A/B tests on which brand skin pulled the best deposit rate. They were tuning the headline. They were measuring funnel completion. They were doing growth marketing on a fraud product.
Picture it. Somewhere there is a dashboard, on someone's monitor, showing conversion lift on the Disney skin versus the Coca-Cola skin in the eighteen-to-thirty-four demographic. The math is clean. The architecture is elegant. The product is theft.
I have sat in rooms where dashboards like that get built for legitimate reasons. The dashboard does not know what it is measuring. The dashboard just measures.
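The two seams the article describes, the welcome string in section II and the shared pixel IDs in section VI, are the same kind of evidence: an indicator that one backend or one advertiser account leaks onto every skin. The script below clusters domains by such shared indicators. It is an added example, not code from the article or from CTM360. Every domain name, HTML snippet, API body, hash and pixel ID in it is constructed for illustration; only the welcome string is taken from the article, and the `fbq("init", ...)` and `ttq.load(...)` patterns are the standard ways the Meta and TikTok pixel snippets embed their account IDs.

```python
"""Cluster domains by the back-end indicators they share: a common API response
and Meta/TikTok pixel IDs. Added example; the sample data below is constructed."""
import hashlib
import json
import re
from collections import defaultdict

# Constructed crawl output: per domain, the body returned by one candidate API
# path and the landing-page HTML. A real run would fetch these over the network.
SAMPLE_CRAWL = {
    "binance-bonus.example": {
        "api_body": '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}\n',
        "html": '<script>fbq("init", "100000000000001");</script>',
    },
    "apple-rewards.example": {
        # Same backend, different whitespace and key order: must still match.
        "api_body": ' {"msg": "Welcome to join the FEMITBOT platform", "code": 0} ',
        "html": '<script>fbq("init", "100000000000002"); ttq.load("C0AAA111BBB");</script>',
    },
    "disney-invest.example": {
        "api_body": '{"code":0,"msg":"Welcome to join the FEMITBOT platform"}',
        "html": "<html><body>no pixel on this skin</body></html>",
    },
    # The API path 404s here, but the page carries the same TikTok pixel as
    # apple-rewards.example, so the pixel pivot still ties it to the cluster.
    "netflix-earn.example": {
        "api_body": "404 page not found",
        "html": "<script>ttq.load('C0AAA111BBB');</script>",
    },
    # Unrelated site: its own backend, its own advertiser account.
    "shop.legit.example": {
        "api_body": '{"status":"ok"}',
        "html": '<script>fbq("init", "200000000000009");</script>',
    },
}

# How the Meta and TikTok pixel snippets normally embed their account IDs.
PIXEL_PATTERNS = {
    "meta": re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d{6,})['"]"""),
    "tiktok": re.compile(r"""ttq\.load\(\s*['"]([A-Z0-9]{8,})['"]"""),
}


def backend_fingerprint(api_body):
    """Canonicalise a JSON-object response and hash it. Non-JSON bodies (error
    pages, empty replies) yield no indicator, so generic 404s do not glue
    unrelated domains together."""
    try:
        obj = json.loads(api_body)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return "api:" + hashlib.sha256(canonical.encode()).hexdigest()[:16]


def extract_pixel_ids(html):
    """Return indicators such as {'meta:1000...', 'tiktok:C0AAA...'} found in HTML."""
    found = set()
    for platform, pattern in PIXEL_PATTERNS.items():
        for pixel_id in pattern.findall(html):
            found.add(f"{platform}:{pixel_id}")
    return found


def indicators_for(record):
    """All indicators observed for one crawled domain."""
    found = extract_pixel_ids(record["html"])
    fingerprint = backend_fingerprint(record["api_body"])
    if fingerprint:
        found.add(fingerprint)
    return found


def cluster_domains(crawl):
    """Group domains connected through any shared indicator (connected components
    of the domain/indicator graph, via union-find). Sorted lists, largest first."""
    by_indicator = defaultdict(set)
    for domain, record in crawl.items():
        for indicator in indicators_for(record):
            by_indicator[indicator].add(domain)
    parent = {domain: domain for domain in crawl}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in by_indicator.values():
        first, *rest = sorted(domains)
        for other in rest:
            root_a, root_b = find(first), find(other)
            if root_a != root_b:
                parent[root_b] = root_a
    groups = defaultdict(list)
    for domain in crawl:
        groups[find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


def link_reasons(cluster, crawl):
    """Indicators seen on at least two domains of a cluster: the evidence an
    analyst would cite for the link."""
    seen_on = defaultdict(int)
    for domain in cluster:
        for indicator in indicators_for(crawl[domain]):
            seen_on[indicator] += 1
    return sorted(i for i, n in seen_on.items() if n >= 2)


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_CRAWL):
        print(len(cluster), "domain(s):", ", ".join(cluster))
        print("   linked by:", link_reasons(cluster, SAMPLE_CRAWL) or "nothing shared")
```

On the constructed sample this yields one cluster of four domains (three linked by the welcome string, a fourth pulled in only by the shared TikTok pixel) and the unrelated shop on its own. A single shared indicator is a lead, not proof: a generic API reply or a pixel ID copied by an affiliate can link unrelated hosts, so an analyst confirms with a second, independent signal (hosting, registrar, TLS certificate details) before publishing a cluster.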
VII.
The thing that makes this network worth writing about is not its size. The crypto fraud number for last year was, by FBI accounting, $11.3 billion, inside a $20.9 billion total internet crime figure. FEMITBOT is one operation in that ocean. The number for FEMITBOT itself is not public yet, and CTM360's report does not give one.
The thing worth writing about is the shape.
This is fraud as a service. Fifteen skins on one engine. Swap a logo, spin up a new bot, point it at the same backend, and you have a new campaign by the end of the afternoon. Take one down and the other fourteen keep running. Take all fifteen down and the operators ship sixteen more next month, with new domains, new logos, new bot handles, the same API quietly returning the same welcome string in the back of the building.
That is not a scam. That is infrastructure.
The press release about the takedown will get the headline. The next fifteen skins will get no coverage at all. The bot you tap on Tuesday afternoon will point at a brand-new domain registered eleven days ago. The certificate will be valid. The Mini App will load instantly. The page will look correct.
VIII.
Here is the ugly question. Not the exciting question. Not the one that makes a good headline.
Why does Telegram's Mini App framework not require pre-publish review.
The platform's answer is that it would not scale. That developer experience matters. That moderation is reactive because the volume of submissions is too high to gate. These are real arguments. They are also the same arguments every platform makes right up until the regulatory cost of not gating exceeds the engineering cost of gating.
Until that math flips, the policy is the policy. And the policy is the part the FEMITBOT operators are renting.
IX.
If somebody you know is about to tap one of these links, the only thing that matters is the question they ask before they tap.
Not is this brand real. The brand is real. Apple is real. Binance is real. Disney is real. The brand is not what is in front of you.
Not is this Telegram. It is Telegram. The container is real.
The question is who wrote the page inside the container. The answer to that question is almost never visible to the user. That is the trapdoor.
If a stranger sends you a Mini App link promising yield, the Mini App is not the product. You are. The deposit is not an investment. It is the price of admission to a dashboard that will keep you watching a number that is not real until you run out of money to feed it.
X.
CTM360's researchers did the work of finding the seam. They ran the API. They got the welcome string back. They mapped fifteen front doors to one back room.
The back room is still there. The operators have not been named. No arrests have been reported in connection with FEMITBOT itself. The domains will rotate. The bots will rotate. The brand skins will rotate.
The welcome string will get rewritten next time. That part they will fix.
The trapdoor will not.
Evidence Trail
- GBHackers | May 2026 | FEMITBOT Network Exploits Telegram Mini Apps to Spread Crypto Scams and Android Malware
- CTM360 research | April-May 2026 | FEMITBOT network technical analysis
- FBI Internet Crime Complaint Center (IC3) | 2025 annual report | $11.3B crypto fraud / $20.9B total internet crime losses
- Telegram Mini Apps documentation | platform feature reference
- Operation Level Up | U.S. FBI / Dubai Police / Chinese MPS | May 4, 2026 announcement
- U.S. v. Marlon Ferro ("GothFerrari") | sentencing May 7, 2026 | 78-month prison sentence, $250M+ social engineering conspiracy
Editorial Notice
MarkTell is a true crime publication about financial fraud. Some scenes, dialogue, and sequential details are reconstructed from court filings, enforcement actions, news reports, and public records. Where the public record does not provide exact details, editorial reconstruction is used to convey the documented pattern of events. Names of private individuals may be changed to protect identity. All factual claims are sourced to public documents cited in the Evidence Trail above. MarkTell does not provide investment, legal, or financial advice. Nothing published here constitutes a recommendation to buy, sell, or avoid any investment. Allegations described in active cases have not been adjudicated and defendants are presumed innocent until proven guilty. Readers should conduct their own due diligence before making financial decisions.