08.08.2024
2 min
1217
A detailed analysis of a new wave of phishing attacks on Telegram, where networks of automated bots disguised as attractive girls massively litter chats, comments, and private messages. We tell you how the so-called “slutbots” work, what fraud and phishing schemes they use, who is behind these networks, how they are used to extort money and data, and how to effectively protect your account and audience from such attacks.
Recently, we have increasingly begun to notice the same type of commentators under our publications in the Telegram channel dev.ua — accounts with erotic avatars that instantly react to any post. Regardless of the topic — Elon Musk, salaries in IT, or the everyday lives of recruiters — the comments contained relatively meaningful remarks from “girls” that looked too fast and thematically tailored to be real. All this indicated automation. At the same time, such bots have long flooded popular political and news channels — especially those with a large number of subscribers. It seems that it is the size of the audience that makes such channels the main target for massive bot attacks.
In the end, we decided to get to the bottom of it: what is really behind this phenomenon? Is it just a cheap scam in the style of “OnlyFans for the poor” or a full-fledged digital industry that works as an online showcase for sex services? Are these isolated “side jobs” or well-organized schemes with offices, managers, and technical support? We were interested in who is behind it, how much they earn, and what tools they use — and most importantly, can an ordinary user lose personal data, account access, or even money because of such “entertainment.” To answer these questions, we immersed ourselves in the environment of these accounts, tested several bots, and involved experts in the conversation: white hat hacker Nikita Knysh, cybersecurity specialist Vyacheslav Davydenko, and specialists from Netpeak.
Let’s start with the main thing — accounts with sexy avatars in Telegram can have different origins. But the vast majority of those we analyzed immediately direct the user to a private channel with limited access. It’s simple: if you want content, pay. Usually it’s a one-time payment of about 500 hryvnias. Then they promise: you will have nudes, erotic videos, exclusively for subscribers only. How is this not an analogue of OnlyFans?
The journalist received such an “offer” from one of the accounts that regularly “patrol” comments on the Telegram channel of MP Oleksiy Honcharenko. The potential “model” began by demonstrating several disappearing images – a kind of “teasers”, and then immediately sent the card number of the Ukrainian bank Globus to pay for access to the content. It is likely that behind this account is not a girl, but an administrator or a whole team that skillfully uses the charms of digital sexuality for profit.
In my opinion, the choice of bank was also not accidental: instead of the usual Privat or Monobank, through which it is easy to “hack” the cardholder using a mobile application, the less noticeable Globus was used. And yet, it is worth admitting: the administrator of this porn channel managed to create a rather convincing image of a real girl. She not only sent candid photos, but also shared personal stories, replied with a lively emotional background and even communicated in beautiful Ukrainian. Moreover, the discount on intimate content for the military of the Armed Forces of Ukraine looked like another “touch” of trust.
Special details, such as the same background on her photo, also created the illusion of reality. At some point, it even seemed: if I had given those 500 hryvnias, it would only be to her. But right next to the comments to the same deputy, another person appears – “Vasilisa”, who instead of live communication offers a subscription to an erotic channel for Russian rubles. Everything is clearly automated: the bot immediately lists prices, conditions, services – no contact with a “person”. This is no longer flirting, but a conveyor belt.
In parallel, other types of accounts appear on the network – less aggressive, but no less suspicious. They are also decorated with erotic photos, although less frank than those of “direct saleswomen”. However, everything here looks more “handy”: there are no links to paid channels or bots that immediately ask for money. Instead, the illusion of a “live” girl is created, open to dialogue – flirting, online communication, hints of continuation offline. This is a kind of romanticization of the scheme, where the initiative is supposedly transferred to the user.
But the essence does not change from this: in most cases, the ultimate goal is not a date or a “strawberry”, but a banal extortion of money. Moreover, often it is not even necessary to shoot anything new for this – the Internet has long been overflowing with porn content that can be easily “repackaged” under the guise of an exclusive. Moreover, it is no longer a problem to generate incredibly realistic erotic photos or videos using AI today — and many people are actively using it. We asked experts how exactly it works and how real the threat is.
The experts we spoke to unanimously point to one thing: the mechanics of such schemes appeal to basic human instincts — in particular, sexual desire. It is this that becomes a convenient bait that spammers skillfully manipulate.
As white hat hacker Mykyta Knysh says, there is nothing new here: “Spammers have simply adapted to the Telegram environment. The “bread and spectacle” formula still works. And what spectacle sells the easiest? Forgive me — breasts, genitals, frank poses. It has worked for millennia. That is why so-called “slutbots” are used — in our understanding, these are bots that, through erotic content, lure the user into certain Telegram channels. Then the process of deception, monetization, or even phishing begins.”
Vyacheslav Davydenko, a consultant on cybersecurity and new technologies, emphasizes: such Telegram activities are a classic example of social engineering, where attackers exploit basic human desires, primarily sexual ones. This artificially creates fake traffic, and the user falls into the trap of manipulation.
According to the expert, most such schemes are based on the principle of a “deception funnel”: they promise unique content — private photos, “merged” archives, supposedly gift materials — only if they subscribe to dozens of channels or enter payment details. As a result, a person either endlessly switches from channel to channel, never receiving what was promised, or loses money and personal information altogether.
“Telegram has become a convenient tool for scammers due to the lack of centralized moderation and the illusion of complete anonymity, which users often abuse,” Davydenko adds.
This opinion is supported by white hat hacker Mykyta Knysh. He agrees that most of these channels are actually cheap analogues of OnlyFans. “Not everyone wants to register on OnlyFans, write someone a message, explain their desires. Telegram is faster: you go in, throw a couple of “stars” and get what you consider to be intimate content,” he explains.
Knysh also emphasizes that such spamming is not necessarily about erotica. Fake vacancies or other “hot offers” are often spread in the same way. “There is nothing new here. Previously, these schemes flourished on forums and IRC chats. Now they are on Telegram. Only the platform changes, not the essence,” the specialist adds.
The Netpeak Group company, whose specialists helped to delve deeper into this topic, explains the technical side: comments that appear en masse under posts in popular channels are not ordinary spam. These are neuro-comments generated by artificial intelligence. They are not written by people, but by algorithms specifically trained to look “alive” and fit into the context of the post, increasing the likelihood of interaction with a potential victim.
This phenomenon is called neurocommenting, and it began to gain popularity in the spring of 2023, when bots began to appear under posts that comment instantly and on the topic of the post.
As Netpeak specialists point out, this is a very cheap way to promote on social networks with no or very low moderation.
“This is mass advertising that tries to get clicks or subscriptions using provocative images and comments. It works on the principle: attention → click → monetization/data extraction,” Netpeak Group explains.
Their goal is to attract attention and drive traffic to other channels or services, such as:
Scams – under the guise of “girls nearby” they may offer to fill out a fake profile that leaks data or subscribes to paid services;
Advertising of adult content – they promote OnlyFans, porn sites, lead to real accounts, but often with fake media;
Online prostitution / webcams – some of these accounts may belong to web agencies;
Private initiative – sometimes these are real people who independently promote themselves. But 90% are botnets.
Netpeak experts add that neurocommenters react very quickly to new posts, so they are not difficult to notice: they appear almost immediately after publication, most often in the first 60 seconds. And although they often write “on topic” to disguise themselves as real people, they can be identified by several common signs:
uniformity;
irrelevant or “mechanical” text;
link in bio (the description of a bot account always includes a link with a call to join or order a service, because the main purpose of such comments is to drive traffic to this link).
Cybersecurity expert Vyacheslav Davydenko highlighted the following most common scenarios in his commentary to our publication.
This is one of the most common scenarios — an account with a female name and an erotic avatar offers “hot” content. The only condition is a subscription to several Telegram channels. These channels can contain anything: low-quality spam, porn without authorship, or just meaningless content created solely for the artificial growth of subscribers. The user never receives the content itself — the main goal of the scammers is to give them a list of partner channels, for which customers pay real money to subscribe. And when the “victim” passes the first round, she is met with a new list — even more “spicy” but with the same content: empty promises instead of the promised video.
Another popular trick is to create the illusion of winning. The user is told that somewhere on one of the channels to which he has already subscribed, a unique draw for money or free access to content is taking place. To “confirm participation”, they are asked to leave their bank card details. The consequences are typical: either direct debiting of funds, or transfer of data to fraudulent services for future thefts.
Some schemes are more sophisticated. The user is invited to a channel where everything looks plausible — supposedly an ordinary couple shares their own intimate experiences, or a girl talks about her life with elements of eroticism. Such pages are maintained “by hand”, creating a feeling of authenticity, everyday life, and a home background. But in the end, the user is offered to switch to private correspondence or take out a paid subscription — supposedly for unique content, which, most likely, has no relation to authorship or reality.
Another way to deceive is to use high-profile topics such as compromising information about famous people. A person is offered to learn juicy details from the life of a politician, blogger or star, but instead of the promised compromising information, there is banal advertising: casinos, gray analytics, affiliate links. The content for which it all started is not there – instead, the user simply spins in an endless carousel of fake channels, from which only one thing falls out: traffic and money for scammers.
As Vyacheslav Davydenko sums up, such interaction is not a game or a frivolous temptation. This is a direct path to financial losses, data theft and even infection of the device with malicious software.
He argues that the danger of this phenomenon should not be underestimated, because interacting with such bots or following their links is a direct path to serious cybersecurity problems.
“Every careless click can lead to financial losses due to fake “donations” or fraudulent subscriptions, transferring bank card data to phishers, installing malware on your device, or even losing access to your Telegram account,” the expert says.
White hacker Mykyta Knysh once again emphasizes: users should not forget about digital caution and common sense. According to him, the situation when someone writes a private message to an erotic Telegram account, and in response receives an offer to switch to a closed channel with several “hot” photos and a phrase like “do you want, I’ll do something special for you?” is quite typical. Everything looks “free” only at first. Then – a fee for the next video or continued communication.
But there are more dangerous scenarios. As Knysh explains, sometimes bots can send suspicious files with the .exe extension and convince to install them or log in via Telegram. Here, according to him, a simple rule applies: never click on anything suspicious – it doesn’t matter whether it’s a “slutbot” or a third-party site. The main problem is the thoughtlessness of the users themselves. “Sometimes the biggest threat to personal data is not the bot, but human naivety,” he concludes, urging critical thinking.
Netpeak Group agrees: Telegram has become one of the most convenient tools for spam, so any bots of this type should be treated with extreme caution. Or better yet, do not interact with them at all.
Netpeak has identified several levels of risk:
Personal data – fake profiles, “verification”, “18+ check” → phone, email, bank data leak.
Telegram account – if the user follows the link and enters the confirmation code on a fake site, the account can be stolen.
Financial losses – debiting funds from the card when trying to get “access to video” or “communication”.
Blackmail – rare, but happens on the basis of correspondence or fake screenshots.
The mechanics of how scammers make money, according to Cybersecurity & Emerging Tech Consultant Vyacheslav Davydenko, is quite simple: they either receive money from channel owners for boosting subscribers, or directly steal money and data through phishing pages.
“Telegram, with its minimal moderation, the speed of deploying fraudulent schemes, and an audience that easily responds to “free” offers, has become an ideal environment for them. It is important to understand that these are no longer isolated cases, but the activities of organized teams that work according to well-established templates,” he says.
According to Davydenko, this situation is part of a global trend: bots are increasingly displacing real users in the online space, and Telegram is no exception. Meanwhile, according to the expert, the share of automated activity that only imitates “live interaction” but is actually manipulative in nature is only growing every year.
Netpeak Group notes: automated scripts or bots monitor posts in popular channels/chats or specific keywords (for example, “evening”, “Kyiv”).
After a new post appears, the following algorithm occurs:
The script immediately captures the message ID.
Chooses a comment template. Often with an AI twist — short, on-topic, so as not to be filtered.
Leaves a comment from an account with an attractive avatar and name.
Can add emojis, tag the author, or attach a link.
Sometimes they use AI-generated contextual comments to embed themselves in the discussion and appear “alive.” Analyzing the issue of costs, Netpeak specialists note that from a mass perspective, this is a very cheap and fast way to get clicks.
Account creation, according to them, costs <$0.05 per account or is free via Telegram API. Hosting and scripts also cost a pittance. AI/chatbots cost $5–20/month for the entire network, and the human time involved is also minimal.
Netpeak Group notes that this approach is much more profitable than legal advertising and is perfectly suited for fraudulent schemes.
White hat hacker Mykyta Knysh also shares his vision of the process. He mentions automation services such as N8N and Knight.
“It’s simple: you specify a sequence of actions, the bot monitors a number of channels. It has a script — conditionally, if a new post appears, an automatic reaction is triggered. Knight is easy to configure. There is also the Chinese neural network Manus, which does all this in an even more convenient way,” he explains.
When a new publication appears in a subscribed channel, the bot automatically reads it, understands the topic and writes a corresponding comment. “For example: “Oh, you have a post about a synchrophasotron? Really interesting. But my breasts are even more interesting!” — this is, of course, a joke,” Knysh adds.
All this, according to him, is generated by a neuron in a certain sequence, and is configured literally in two or three clicks. “You can link your account, you can link a whole bunch of accounts so that it alternates them,” he adds. Mykyta Knysh also claims that automating such a scheme costs a penny.
“The cost of accounts – in Russia they are sold for 3-5 rubles. If in cents, then it will cost 10 cents. From a hacked account, you upload some data from the autoreg and send it through neurons. That’s how it works technically,” he says.
At the same time, according to Mykyta Knysh, such technical information has long been no secret. If you are interested, you can easily find video instructions on the Internet, even on YouTube or TikTok.
“Enter a query and you will get a bunch of guides on how it all works based on neural networks. And if neurons are not suitable, there are old proven tools, such as ZennoPoster, a program for automating actions that is easy to adapt for mass spam. You can connect ChatGPT to it to generate texts – and go ahead, sit and spam,” he concludes.
Cybersecurity expert Vyacheslav Davydenko warns: there is usually no “exclusive content” in such schemes. Instead of what is promised, the user ends up in a chain of spam, advertising of dubious services, fake sweepstakes and phishing links, which are designed to exploit the gullibility and curiosity of the victim.
The only reliable way to protect yourself, he says, is to be as careful as possible, combined with critical thinking. “Do not open suspicious links, avoid interacting with anonymous or too “perfect” accounts. And most importantly, do not forget to think. Anything that looks too generous is likely to be a threat. Protect yourself and your personal data,” Davydenko emphasizes.
White hacker Mykyta Knysh notes that many people still don’t realize how massively the Internet is filled with bots, rather than real users. In his opinion, it is precisely such “slutbots” that often open people’s eyes to this reality. “Yes, these bots are usually made quite clumsily and are easily recognizable — especially if you think critically. But at some point the user begins to notice that the responses appear literally a second after the publication. If the text is large, say, a whole page, and the comment appears instantly, it becomes obvious: it couldn’t have been a person. And then it dawns on you — yeah, it must be a bot,” Knysh explains.
Netpeak Group has created several basic recommendations for users to avoid losing their account or otherwise harming themselves:
do not follow the links offered by these bots;
do not follow links that you are not sure about at all;
do not enter any of your personal codes or passwords if these links offer this;
set up two-factor authentication, as well as set up email to protect your account, as this will help maintain access to your account.
However, as the company says, after the March update to Telegram, it has become much easier to understand who is writing to you.
Зокрема, можна побачити країну за номером, дату реєстрації, спільні групи, чи є це офіційним акаунтом, а також чи були у користувача нещодавно змінені ім’я та аватарка. «Тому з цією інформацією значно простіше зрозуміти, спам це чи ні», — уточнюють у Netpeak.
Netpeak Group advises Telegram channel administrators who want to maintain a basic level of digital cleanliness to regularly check the list of subscribers, especially in comment groups, and manually delete suspicious accounts. Often, these bots are already subscribed to the channel and leave spam messages.
In addition, experts recommend activating the built-in spam protection system. This can be done through the menu: “Group Management” → “Administrators” → “Aggressive Antispam”. This is a basic but effective step in the fight against bots.
Netpeak also recommends using Telemetrio to clean up your channel. At the same time, disabling comments for a few days will give your channel/group a chance to be removed from the potential spam list.
Also, as experts note, with the help of special bots, it is possible to set a mandatory condition for subscribing to a group for commenting. “This will stop some attacks, other bots can be quickly detected and blocked,” Netpeak Group adds.
Another life hack in this fight is to add the @LyAdminBot bot to the group and set it to automatically block. “A developer from Ukraine created moderation based on LLM. Random bans are possible, but special rules can be set up,” Netpeak explained.
There are also other bots for moderating groups, such as:
Experts also note that when adding any bot to a group or channel, it is important to carefully monitor what rights you grant it. Netpeak Group emphasizes that neurocomments are a new form of spam that needs to be combated not pointwise, but systematically. Regular monitoring, a combination of technical tools and organizational measures can significantly reduce their impact. Taken together, these actions allow you to effectively protect the channel from neural network attacks and maintain the adequacy of comments.
The mass penetration of “slutbots” into Telegram is not a curiosity or an Internet meme, but a well-built, automated manipulation system that exploits basic human instincts. Behind bright avatars and provocative comments are hidden networks of bots that drive fake traffic, lure into fraudulent schemes, steal money, accounts and personal data. They use artificial intelligence, old spam engines, auto-generation of accounts and scale almost without cost.
The best defense is critical thinking, digital hygiene, and knowledge of the mechanics of deception. And for channel administrators, constant monitoring, manual cleaning, enabled anti-spam, limiting access to comments, and using proven moderation bots.
Telegram has long ceased to be just a messenger — it is a field for information warfare, marketing, and criminal profit. And if we don’t want to become its victims, it’s time to act consciously.
