Summary
Cybercriminals no longer need advanced coding skills to launch sophisticated phishing attacks. A new breed of Telegram-based phishing bots gives anyone with a Telegram account the ability to steal passwords, track locations, and harvest phone numbers, all with a few button clicks. This article breaks it all down so you know exactly what to watch for.
Table of Contents
1. What Is This Telegram Phishing Bot?
2. Module 1: Device Monitor — Silent Tracking
3. Module 2: Account Access — Fake Login Pages
4. Module 3: Contact Access — Phone & Location Theft
5. Step-by-Step Attack Flow
6. Technical Observations
7. Indicators of Compromise (IOCs)
8. Risk & Real-World Impact
9. How to Protect Yourself
10. Conclusion
01 What Is This Telegram Phishing Bot?
During our research at ThreatWatch360, we discovered a Telegram bot with over 37,000 monthly active users that functions as a ready-to-use phishing toolkit. The bot markets itself as an “educational” tool, but its capabilities tell a very different story.
Once you interact with the bot, it presents a clean control panel with multiple attack modules. Each module is designed to steal a different type of data from unsuspecting victims, and the entire operation runs through Telegram’s messaging infrastructure.
The bot provides three core attack modules:
Module Overview
1. Device Monitor (DM): Tracks device details, IP address, and real-time location
2. Account Access (AA): Steals login credentials through fake login pages
3. Contact Access (CA): Harvests phone numbers and GPS coordinates
02 Module 1: Device Monitor — Silent Tracking
The Device Monitor module is perhaps the stealthiest. The attacker enters the URL of a legitimate website (in our test, threatwatch360.com) and the bot instantly generates a link to a cloned copy of that site, hosted on a free platform such as onrender.com, with tracking code embedded in the page.
When a victim visits that link, they see what looks like the real website. But behind the scenes, the page is silently collecting everything:
Device Monitor Captures
What Gets Collected:
i) Real-time IP address and ISP information
ii) IP-based location: country, region, city, postal code, timezone
iii) Browser type, operating system, and device model
iv) Screen resolution and hardware details (CPU cores, RAM, storage)
v) Camera access (if the victim grants browser permission)
Key danger: The victim sees a legitimate-looking website and has no indication that their data is being collected. There is no malware download required; just visiting the link is enough.
If the victim grants camera permission (perhaps prompted by a fake CAPTCHA or verification step), the bot also sends a camera capture directly to the attacker.
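The distinction the list above draws, between what a page can read silently and what needs a permission click, is worth seeing in code. The example below is added here for illustration and is not the bot's own code; the browser objects are passed in as parameters so the same functions run under Node against constructed stand-ins (the navigator and screen values below are made up, not captured data). Note what is absent from the client payload: IP address, ISP, city and postal code are read by the tracking server from the connection's source address and a geo-IP lookup, which is why merely loading the page already leaks them.

```javascript
// Added illustration of the Device Monitor module's browser side; not the bot's own code.
// Browser objects (navigator, screen) are parameters so this runs under Node with stand-ins.

// Fields any page can read with no prompt and no download.
function collectSilently(nav, scr) {
  return {
    userAgent: nav.userAgent,          // browser, OS and often the device model
    platform: nav.platform,
    language: nav.language,
    cpuCores: nav.hardwareConcurrency, // logical CPU count
    deviceMemoryGB: nav.deviceMemory,  // coarse RAM bucket; Chromium-based browsers only
    screen: `${scr.width}x${scr.height}x${scr.colorDepth}`,
    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
  };
}

// Camera access is gated behind a permission prompt. A fake CAPTCHA or "verify your
// identity" step is how a phishing page coaxes the victim into clicking "Allow".
async function captureCameraFrame(nav) {
  if (!nav.mediaDevices || typeof nav.mediaDevices.getUserMedia !== 'function') {
    return null; // no camera API in this environment (Node, or a locked-down browser)
  }
  try {
    const stream = await nav.mediaDevices.getUserMedia({ video: true });
    // In a browser the stream would be drawn to a <canvas> and encoded as a JPEG here;
    // the stand-in returns a marker object instead of image bytes.
    return { granted: true, tracks: stream.getVideoTracks().length };
  } catch (err) {
    return { granted: false, reason: err.name }; // NotAllowedError when the victim denies
  }
}

// The JSON the tracking host would receive. IP, ISP, city and postal code are NOT in it:
// the server derives those from the request's source address and a geo-IP database.
function buildReport(nav, scr, cameraResult) {
  return JSON.stringify({ client: collectSilently(nav, scr), camera: cameraResult });
}

// Constructed stand-ins for a demonstration run (assumed values, not real victim data).
const fakeNavigator = {
  userAgent: 'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36',
  platform: 'Linux armv8l',
  language: 'en-US',
  hardwareConcurrency: 8,
  deviceMemory: 8,
  mediaDevices: {
    getUserMedia: async () => ({ getVideoTracks: () => [{ kind: 'video' }] }),
  },
};
// Same device, but the victim taps "Block" on the camera prompt.
const deniedNavigator = {
  ...fakeNavigator,
  mediaDevices: { getUserMedia: async () => { throw { name: 'NotAllowedError' }; } },
};
const fakeScreen = { width: 412, height: 915, colorDepth: 24 };

async function demo() {
  const camera = await captureCameraFrame(fakeNavigator);
  return buildReport(fakeNavigator, fakeScreen, camera);
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then(console.log);
}
```

The practical takeaway is that the silent half of the payload needs no trick at all; the only part the victim can refuse is the camera (and, if requested, geolocation), which is exactly why the page dresses that request up as a CAPTCHA.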
03 Module 2: Account Access — Fake Login Pages
The Account Access module is the most directly damaging. It lets an attacker generate a convincing fake login page for popular platforms, including Instagram, Facebook, TikTok, Twitter, PayPal, PUBG, Telegram, and Snapchat.
Within seconds, the bot provides a phishing URL along with step-by-step instructions for the attacker on how to lure victims and what data they’ll receive.
The Multi-Step Deception Flow
What makes this phishing page especially dangerous is that it uses a multi-step funnel to build false trust before asking for credentials: the victim is walked through several harmless-looking steps first and is only asked to log in at the end.
Psychology in play: This multi-step approach uses a well-known manipulation technique called the “commitment and consistency” principle. The more steps a victim completes, the more likely they are to follow through with the final (credential-stealing) step.
Meanwhile, on the attacker's side, the stolen credentials arrive instantly in their Telegram chat.
04 Module 3: Contact Access — Phone Number & GPS Theft
The Contact Access module takes a different approach. Instead of fake login pages, it deploys a fake “Telegram Stars Giveaway Bot” that tricks victims into handing over their phone number and GPS location.
Contact Access Flow
How This Attack Works:
i) Victim receives a link offering “300 Telegram Stars” as a free reward
ii) They’re told to verify they’re human by sharing their phone number
iii) Telegram’s own prompt appears, making it look completely legitimate
iv) Once shared, the attacker receives their phone number, name, and GPS coordinates
Important: when you open a mini app, Telegram itself shows a warning: “Never enter your Telegram login codes in mini apps.” Treat it as your signal to stop and cancel. The phone-sharing sheet is Telegram's own UI, but any bot can raise it, so its appearance says nothing about who is behind the request. Legitimate giveaways never require your phone number to “verify you're human.”
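Why the prompt in step iii looks native is simplest to show with the Bot API. The block below is an added example, not the giveaway bot's code: Telegram's Bot API lets any bot send a reply keyboard whose button carries `request_contact` or `request_location`, and tapping such a button raises Telegram's own share sheet. The article does not say whether this bot uses that mechanism or the equivalent Mini App call, so that is an assumption; the sample update at the bottom is constructed, shaped like the Bot API's Contact and Location objects, and contains no real data.

```javascript
// Added example, not the bot's code. Shows both sides of the Contact Access exchange:
// the message a bot sends to raise Telegram's native share sheet, and what the bot
// receives afterwards. Mechanism assumed: Bot API reply keyboard with request_contact /
// request_location (the page does not state which API the real bot uses).

// Body of the sendMessage call (POST https://api.telegram.org/bot<token>/sendMessage).
// Nothing is sent from here; the object is only built and inspected.
function buildVerificationPrompt(chatId) {
  return {
    chat_id: chatId,
    text: 'Verify you are human to claim 300 Telegram Stars', // lure wording from the article
    reply_markup: {
      keyboard: [
        [{ text: 'Share my number', request_contact: true }],    // opens the native phone sheet
        [{ text: 'Share my location', request_location: true }], // opens the native location sheet
      ],
      one_time_keyboard: true,
      resize_keyboard: true,
    },
  };
}

// What lands in the bot's getUpdates/webhook once the victim taps the buttons.
// Field names follow the Bot API Message, Contact and Location objects.
function extractSharedData(update) {
  const msg = update.message || {};
  const out = { from_user_id: msg.from ? msg.from.id : undefined };
  if (msg.contact) {
    out.phone_number = msg.contact.phone_number;
    out.name = [msg.contact.first_name, msg.contact.last_name].filter(Boolean).join(' ');
    // user_id is set when the shared contact is a Telegram user; sharing your own number
    // always is, so the phone number arrives already tied to the account.
    out.contact_user_id = msg.contact.user_id;
  }
  if (msg.location) {
    out.location = { lat: msg.location.latitude, lon: msg.location.longitude };
  }
  return out;
}

// Constructed updates (assumed sample values, not captured data).
const sampleContactUpdate = {
  update_id: 1,
  message: {
    message_id: 10, date: 0,
    from: { id: 123456789, is_bot: false, first_name: 'Sample' },
    chat: { id: 123456789, type: 'private' },
    contact: { phone_number: '+15550100', first_name: 'Sample', user_id: 123456789 },
  },
};
const sampleLocationUpdate = {
  update_id: 2,
  message: {
    message_id: 11, date: 0,
    from: { id: 123456789, is_bot: false, first_name: 'Sample' },
    chat: { id: 123456789, type: 'private' },
    location: { latitude: 48.8566, longitude: 2.3522 },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(buildVerificationPrompt(123456789), null, 2));
  console.log(extractSharedData(sampleContactUpdate), extractSharedData(sampleLocationUpdate));
}
```

The point for defenders: the share sheet is a feature of the platform, not a credential of the bot. Whatever the bot says the number is for, the Contact object goes to whoever operates it.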
05 Step-by-Step: The Complete Attack Flow
Here is the full attack process from start to finish, regardless of which module the attacker chooses:
1. Setup: The attacker opens the Telegram bot and selects a module: Device Monitor, Account Access, or Contact Access.
2. Link Generation: The bot instantly generates a unique phishing or tracking URL, typically hosted on a free platform like onrender.com, which costs the attacker nothing, gives the page a valid HTTPS certificate, and places it on a shared domain that defenders cannot block outright.
3. Social Engineering: The attacker sends the link to targets disguised as a reward offer (free followers, Telegram Stars), urgent notification, or curiosity-triggering message.
4. Victim Interaction: The victim clicks the link and interacts with the page, logging in, granting permissions, or sharing their phone number, believing it is a legitimate service.
5. Data Capture: Depending on the module used, the attacker silently receives credentials, device information with IP address, or phone number with GPS coordinates.
6. Real-Time Exfiltration: All stolen data is instantly delivered to the attacker’s Telegram chat in a structured, readable format, requiring zero technical expertise to use.
06 Risk & Real-World Impact
The consequences of falling for one of these attacks extend well beyond a single compromised account:
Impact Assessment
1. Account Takeover: Instagram, Facebook, and other social media accounts are compromised instantly, often before the victim even realizes anything happened
2. Privacy Exposure: Real-time location data and home address details are leaked to a stranger
3. Secondary Attacks: Stolen accounts are weaponized to send the same phishing links to the victim’s friends and followers, multiplying the damage
4. Financial Fraud: Access to PayPal or linked payment accounts enables direct financial theft
5. Identity Risk: Phone number combined with location data creates a profile that can enable SIM swapping or stalking
07 How to Protect Yourself
The good news: all of these attacks rely on the victim taking a specific action. Awareness is your strongest defense.
1. Check URLs Always: Before clicking any link, check the domain. Instagram’s real site is instagram.com, not free-ai-tools.onrender.com/instagram/.
2. Never Trust “Free” Offers: No legitimate service gives away free followers, likes, or Telegram Stars in exchange for your login credentials or phone number.
3. Enable 2FA Everywhere: Two-factor authentication means a stolen password alone is not enough. Be aware that a phishing page can also ask for the one-time code and relay it to the real site in real time, so prefer an authenticator app or a hardware security key over SMS codes, and never type a code into a page you reached from a link.
4. Never Share OTPs or Phone Numbers: No real company or bot will ever need your one-time password or phone number to give you a reward or free service.
5. Deny Camera/Location Requests: If a website you don’t fully trust asks for camera or location access, deny it. Legitimate websites rarely need this.
6. Report Suspicious Bots: Report suspicious Telegram bots using the Report button. Platforms rely on user reports to take down malicious bots quickly.
Remember Telegram’s own warning: “Never enter your Telegram login codes in mini apps.” This message appears for a reason. Telegram knows these bots exist and is trying to protect you.
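Tip 1 above, check the domain, can be turned into a mechanical check: flag any link where a brand name appears in the subdomain or path while the registrable domain is something else, which is exactly the pattern in free-ai-tools.onrender.com/instagram/. The checker below is an added example, not from the article; the brand list, the free-hosting list and the last-two-labels domain rule are illustrative assumptions (a production filter would use a maintained brand list and the Public Suffix List, since the naive rule is wrong for suffixes such as co.uk).

```javascript
// Added example, not from the article: a brand-in-URL phishing heuristic.
// Lists and the domain rule are assumptions for illustration only.

// Brand keyword -> the domain where that brand's real login page lives (assumed list).
const BRAND_DOMAINS = {
  instagram: 'instagram.com', facebook: 'facebook.com', tiktok: 'tiktok.com',
  twitter: 'twitter.com', paypal: 'paypal.com', telegram: 'telegram.org', snapchat: 'snapchat.com',
};
// Free hosting platforms attackers favour for throwaway pages (assumed, not exhaustive).
const FREE_HOSTS = ['onrender.com', 'netlify.app', 'vercel.app', 'github.io', 'herokuapp.com'];

// Naive "last two labels" rule: fine for .com/.org/.app, wrong for co.uk-style suffixes.
function registrableDomain(hostname) {
  const parts = hostname.toLowerCase().split('.');
  return parts.slice(-2).join('.');
}

function assessLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { verdict: 'invalid', reasons: ['not a URL'] };
  }
  const host = url.hostname.toLowerCase();
  const base = registrableDomain(host);
  const haystack = `${host}${url.pathname}`.toLowerCase(); // subdomain + path, where lures hide
  const reasons = [];

  for (const [brand, legit] of Object.entries(BRAND_DOMAINS)) {
    if (haystack.includes(brand) && base !== legit) {
      reasons.push(`mentions "${brand}" but is hosted on ${base}, not ${legit}`);
    }
  }
  if (FREE_HOSTS.includes(base)) reasons.push(`free hosting platform ${base}`);
  if (url.protocol !== 'https:') reasons.push('not HTTPS');

  // A brand mismatch is the strong signal; free hosting or plain HTTP alone is only suspicious.
  let verdict = 'ok';
  if (reasons.some(r => r.startsWith('mentions'))) verdict = 'phishing-likely';
  else if (reasons.length > 0) verdict = 'suspicious';
  return { verdict, host, base, reasons };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const link of [
    'https://free-ai-tools.onrender.com/instagram/',   // the article's example
    'https://www.instagram.com/accounts/login/',
    'http://example.com/giveaway',
  ]) {
    console.log(link, '->', assessLink(link));
  }
}
```

The heuristic deliberately ignores the page's looks and the HTTPS padlock; both are trivially available to the attacker. Only the registrable domain is hard to fake, which is why it is the one thing a victim should read.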
08 Conclusion
This Telegram phishing bot is a clear example of how the barrier to launching sophisticated cyberattacks has collapsed. What once required programming skills, server infrastructure, and technical expertise can now be done by anyone with a Telegram account in under five minutes.
Its modular design, combining website cloning, fake login pages, credential harvesting, location tracking, and camera access, makes it a genuinely versatile threat. The real-time Telegram delivery system means attackers can act on stolen data instantly, before victims even suspect something is wrong.
At ThreatWatch360, we believe that awareness is the most powerful tool against social engineering attacks. No antivirus can protect you from willingly typing your password into a fake login page. Knowing how these attacks work and what they look like is what keeps you safe.