How Telegram Bots Become Backdoors: Anatomy of a Social Engineering Attack
Behind every compromised wallet and hijacked channel lies a pattern. We break down the anatomy of Telegram-based social engineering — and how automation can detect it before the damage is done.
In 2025, Telegram surpassed one billion monthly active users. With that growth came an explosion of targeted attacks — not brute-force hacks, but carefully crafted social engineering campaigns that turn Telegram itself into the attack vector. Bots, the platform's most powerful feature, have become the primary delivery mechanism for these campaigns.
This post dissects the anatomy of a typical Telegram-based social engineering attack. Understanding this lifecycle is the first step toward building an effective defense — and understanding why reactive security fails.
Phase 1: Reconnaissance — The Bot as a Data Miner
The attack rarely begins with a direct message. It starts with a Telegram bot that harvests data from public and semi-public groups. Attackers get bots added to group chats (any member with the add-members permission, which groups grant by default, can do it) to collect metadata: usernames, activity patterns, mutual contacts, and the tone of conversations. Two caveats shape how this actually works. A bot running with the default privacy mode only receives commands, replies and mentions addressed to it; reading every message requires privacy mode to be switched off in BotFather or the bot to be given admin rights, so an "analytics" bot that insists on admin is itself a warning sign. And the Bot API exposes a group's admin list and member count but not the full member roster, so scrapers that need the whole list usually run on a regular user account driven by an MTProto client (a "userbot") rather than through the Bot API.
These bots are often disguised as legitimate tools: "group analytics," "price alerts," "community polls." They blend in because they serve a real function while quietly mapping the social graph in the background.
A single bot monitoring a 5,000-member trading group for 72 hours can identify: admins and their response patterns, high-value targets (users who post about large transactions), trust relationships (who vouches for whom), and optimal timing for engagement (peak activity windows).
Phase 2: The Impersonation — Cloning Trust
With reconnaissance data in hand, the attacker creates a clone. Not a clone of the user — a clone of trust.
This typically takes one of three forms:
- Bot impersonation: A fake bot with a nearly identical username (e.g., @DeFi_SupportBot vs @Defi_Supp0rtBot; Telegram requires bot usernames to end in "bot", so the lookalike has to mimic the whole handle) targets users who interacted with the real bot, claiming a "security update" or "wallet verification" is needed. A Bot API bot cannot open a chat with a user who has never started it, so the cold DM either comes from a user account styled to look like the bot, or the lure is posted in the group as a reply to the victim.
- Admin clone: A fake account that duplicates the display name and avatar of a known group admin. The attacker joins the group (often via an invite link collected in Phase 1), then DMs members with urgent requests. Usernames are unique on Telegram, so the clone can copy the name and avatar exactly but never the @handle or the numeric user id; that mismatch is what to check.
- Fake group invitation: A bot sends personalized invitations to a "private" group, usually named something like "Alpha Signals Exclusive" or "Whitelist Priority Access." The group looks legitimate, populated with fake high-engagement accounts (sock puppets), designed to build false confidence.
Phase 3: The Hook — Pressure + Authority
Social engineering succeeds when emotion overrides logic. The attacker weaponizes urgency, authority, or greed.
Common hooks seen in Telegram-based attacks:
The "Verify Your Wallet" Hook: A message arrives from what appears to be a trusted exchange bot: "Unusual login detected. Verify your wallet within 15 minutes or access will be suspended." The user clicks a link leading to a perfect replica of the exchange's Web3 connect page. Connecting a wallet does not by itself expose the private key; it only hands the page the address and the ability to ask for signatures. The damage comes from what the page requests next: a seed phrase or private key typed into a fake "restore wallet" form, or a signature request (a token approval, a Permit signature, or a raw message signature) that authorizes the attacker to move funds.
The "Exclusive Presale" Hook: "First 100 wallets only. 50x guaranteed." The user connects their wallet to a fake dApp interface to "register." The transaction they are asked to sign is not a registration at all but an unlimited token approval to the attacker's contract, which then drains every token the approval covers.
The "Admin Emergency" Hook: A user receives a DM from someone who appears to be the group admin: "We're migrating to a new group. The old one is compromised. Click here to rejoin." The link leads to a phishing page that mimics the Telegram Web login and captures the phone number, the one-time login code Telegram delivers to the user's existing app, and, if enabled, the two-step verification password. There is no OAuth flow involved; those three values are simply what it takes to add a new session to the account from the attacker's device. The rogue session appears under Settings > Devices (Active Sessions), which is also where the victim can terminate it.
Phase 4: The Execution — Automated Exfiltration
Once the user takes the bait, the attack executes automatically. This is where bots accelerate the damage:
- Session theft: Telegram Desktop stores its session keys locally in the tdata folder. If the attacker gains file access (via a malicious attachment or browser exploit), a script exfiltrates that folder and loads it on another machine, giving full account control without a password or login code. A local passcode in Telegram Desktop encrypts the stored session keys; without one, the copied folder works as-is.
- Token approval scams: If a wallet is connected, the fake dApp requests an unlimited approve() (for ERC-20 / BEP-20 tokens) or setApprovalForAll() (for ERC-721 / ERC-1155 NFTs) in favour of the attacker's address. Once signed, the attacker's contract can move those tokens at any time with no further interaction from the victim.
- Channel takeover: With an admin session stolen, automated scripts remove the existing admins, change the channel handle, and rebrand the channel for crypto scams, sometimes within 60 seconds of the initial compromise.
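The approval request behind the "Exclusive Presale" hook in Phase 3 and the token approval scam in Phase 4 is visible in the transaction calldata before the user signs. The following Python is an added example, not code from ZeroState or from any wallet: it decodes the two approval calls named above and applies a simple allow/warn/block policy a wallet or community tool could apply before showing the signing prompt. The selector constants are the standard ones for those signatures; the addresses, the trusted-spender allowlist and the "unlimited" threshold are constructed assumptions for this example.

```python
from typing import Optional, FrozenSet

# Function selectors: first 4 bytes of keccak256 of the canonical signature.
# Hardcoded because hashlib has no keccak256; these are the standard values.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 / BEP-20 allowance
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721 / ERC-1155 operator grant
}
MAX_UINT256 = 2**256 - 1
# Assumption: any allowance at or above this is treated as unlimited. 2**128 base
# units exceeds the total supply of any token you are likely to hold; tune per asset.
UNLIMITED_THRESHOLD = 2**128


def encode_call(selector_hex: str, *words: int) -> str:
    """ABI-encode a call whose arguments are all single 32-byte words (addresses as ints)."""
    return "0x" + selector_hex + "".join(w.to_bytes(32, "big").hex() for w in words)


def _word(data: bytes, index: int) -> Optional[bytes]:
    """Return the index-th 32-byte argument word after the selector, or None if truncated."""
    start = 4 + 32 * index
    word = data[start:start + 32]
    return word if len(word) == 32 else None


def classify_calldata(calldata_hex: str, trusted_spenders: FrozenSet[str]) -> dict:
    """Decode approval calldata and decide whether a wallet should sign it.

    Verdicts: "allow" (bounded approval to a trusted spender, or a revoke),
    "warn" (unlimited approval to a trusted spender, or bounded approval to an
    unknown one), "block" (unlimited approval or operator grant to an unknown
    address), "unknown" (not an approval, or malformed).
    """
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    sig = SELECTORS.get(data[:4].hex())
    if sig is None:
        return {"kind": "other", "verdict": "unknown"}
    w0, w1 = _word(data, 0), _word(data, 1)
    if w0 is None or w1 is None or w0[:12] != bytes(12):
        return {"kind": "malformed", "verdict": "unknown"}
    spender = "0x" + w0[12:].hex()  # an address is the low 20 bytes of its word
    trusted = spender in trusted_spenders
    if sig.startswith("approve"):
        amount = int.from_bytes(w1, "big")
        unlimited = amount >= UNLIMITED_THRESHOLD
        if unlimited:
            verdict = "warn" if trusted else "block"
        else:
            verdict = "allow" if trusted else "warn"
        return {"kind": "approve", "spender": spender, "amount": amount,
                "unlimited": unlimited, "verdict": verdict}
    approved = int.from_bytes(w1, "big") == 1
    if not approved:
        verdict = "allow"  # setApprovalForAll(operator, false) is a revoke
    else:
        verdict = "warn" if trusted else "block"
    return {"kind": "setApprovalForAll", "operator": spender,
            "approved": approved, "verdict": verdict}


# Constructed sample data: a placeholder attacker address, a placeholder for a
# DEX router your community has vetted, and calldata built for each scenario.
ATTACKER = int("41" * 20, 16)
KNOWN_ROUTER = int("11" * 20, 16)
TRUSTED_SPENDERS = frozenset({"0x" + "11" * 20})
SAMPLES = {
    "unlimited_approve_to_unknown": encode_call("095ea7b3", ATTACKER, MAX_UINT256),
    "bounded_approve_to_known_router": encode_call("095ea7b3", KNOWN_ROUTER, 1000 * 10**18),
    "unlimited_approve_to_known_router": encode_call("095ea7b3", KNOWN_ROUTER, MAX_UINT256),
    "set_approval_for_all": encode_call("a22cb465", ATTACKER, 1),
    "revoke_all": encode_call("a22cb465", ATTACKER, 0),
    "plain_transfer": encode_call("a9059cbb", ATTACKER, 5),  # transfer(address,uint256)
}

if __name__ == "__main__":
    for name, calldata in SAMPLES.items():
        print(f"{name:36s} -> {classify_calldata(calldata, TRUSTED_SPENDERS)}")
```

A wallet extension or a community-run pre-signing checker would feed the `data` field of the pending eth_sendTransaction request into classify_calldata and refuse to show a one-click "Confirm" button on a "block" verdict. The decoder deliberately covers only on-chain approval calls; Permit and Permit2 signatures travel through eth_signTypedData and need their own check.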
Why Traditional Defenses Fail
Conventional security tools struggle with Telegram-native attacks for a fundamental reason: they monitor infrastructure, not context.
- Email security doesn't help — the attack never touches email.
- Web security doesn't help — the phishing page lives for 4 hours and is served from a clean domain.
- Antivirus doesn't help, because in the pure social-engineering path there is no malware to detect; the tdata theft in Phase 4 is the exception, and it is the one step where endpoint controls still bite. The victim interacts with a legitimate interface (Telegram Web or a Web3 connector) and makes a conscious decision to connect or sign.
- Blockchain monitoring is reactive — by the time the on-chain transaction is flagged, the assets are already moving through mixers.
How ZeroState Approaches This
Effective defense against Telegram-based social engineering requires a shift from reactive monitoring to active threat disruption. ZeroState's approach operates at three layers:
- Bot Detection: Automated scanning of Telegram groups and channels to identify impersonator bots and clone accounts before they reach potential victims. Pattern matching on username variants, avatar reuse, and behavioral anomalies.
- Infrastructure Takedown: Once a phishing bot or clone channel is identified, coordinated reporting to Telegram via the abuse channel, augmented with DMCA takedown requests for hosted phishing pages.
- Attack Surface Reduction: Recommendations to harden your community's Telegram infrastructure — proper bot permissions, admin access controls, rate limiting on join requests, and user education protocols.
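The two clone types from Phase 2, lookalike bot handles and copied admin display names, are the cases the "pattern matching on username variants" layer above has to catch. The following Python is an added example, not ZeroState's detection code and not part of any Telegram API: it folds the usual digit-for-letter swaps in @usernames, folds Cyrillic homoglyphs in display names (Telegram @usernames are ASCII-only, display names are not), and reports accounts that match a trusted admin or bot by name but not by handle or user id. The confusable maps, the trusted list and the sample roster are constructed assumptions; a real deployment would feed it the admin list and join events from its own group.

```python
import unicodedata
from difflib import SequenceMatcher

# Digit/letter swaps seen in lookalike handles (constructed map; extend from your
# own incident data). Underscores and dots are dropped because "defi_support" and
# "defisupport" are different accounts that look the same in a DM header.
HANDLE_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "_": None, ".": None,
})

# Cyrillic letters whose glyphs are indistinguishable from Latin ones (a e o p c x y).
CYRILLIC_TO_LATIN = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0410\u0415\u041e\u0420\u0421\u0425\u0423",
    "aeopcxyAEOPCXY",
)


def normalize_handle(handle: str) -> str:
    """Canonical form of an @username: case folded, leading @ removed, confusables folded."""
    return handle.strip().lstrip("@").lower().translate(HANDLE_CONFUSABLES)


def normalize_display_name(name: str) -> str:
    """Canonical form of a display name: NFKC, homoglyphs folded, case and spacing collapsed."""
    folded = unicodedata.normalize("NFKC", name).translate(CYRILLIC_TO_LATIN)
    return " ".join(folded.lower().split())


def find_lookalike_handles(trusted_handles, seen_handles, threshold=0.9):
    """Return (seen, trusted, score) for handles that resemble a trusted one but are not it.

    Telegram usernames are case-insensitive, so the same handle in a different case is
    the same account and is skipped; anything else scoring at or above the threshold
    after normalization is reported.
    """
    trusted = [(t.lstrip("@").lower(), normalize_handle(t), t) for t in trusted_handles]
    hits = []
    for seen in seen_handles:
        raw, norm = seen.lstrip("@").lower(), normalize_handle(seen)
        for t_raw, t_norm, t_orig in trusted:
            if raw == t_raw:
                continue
            score = SequenceMatcher(None, norm, t_norm).ratio()
            if score >= threshold:
                hits.append((seen, t_orig, round(score, 3)))
    return hits


def find_display_name_clones(admins, members):
    """Return (member_id, member_name, admin_id) for members whose name matches an admin's.

    Both inputs are iterables of (user_id, display_name). The numeric id is the only
    identity on Telegram that cannot be copied; names and avatars can.
    """
    by_name = {}
    for uid, name in admins:
        by_name.setdefault(normalize_display_name(name), []).append(uid)
    clones = []
    for uid, name in members:
        for admin_id in by_name.get(normalize_display_name(name), []):
            if uid != admin_id:
                clones.append((uid, name, admin_id))
    return clones


# Constructed sample data: one trusted bot, one trusted admin handle, a small roster.
TRUSTED_HANDLES = ["@DeFi_SupportBot", "@alice_admin"]
SEEN_HANDLES = ["@Defi_Supp0rtBot", "@DEFI_SUPPORTBOT", "@DeFiSupportBot", "@bob_trader"]
ADMINS = [(1001, "Alice | Admin")]
# Member 2002 spells the admin's name with a Cyrillic "\u0435" in place of Latin "e".
MEMBERS = [(1001, "Alice | Admin"), (2002, "Alic\u0435 | Admin"), (3003, "Bob")]

if __name__ == "__main__":
    for hit in find_lookalike_handles(TRUSTED_HANDLES, SEEN_HANDLES):
        print("lookalike handle:", hit)
    for clone in find_display_name_clones(ADMINS, MEMBERS):
        print("display-name clone:", clone)
```

Run against the constructed roster, the handle check reports the 0-for-o variant and the underscore-less variant of the support bot but not the upper-cased real handle, and the display-name check reports user 2002 while leaving the admin's own account alone. The id comparison is the part that matters for admin clones: a moderation bot that keys its "is this person an admin" decision on display name or avatar will be fooled, one that keys on user id will not.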
The Bottom Line
Telegram-based social engineering is not a technological hack — it's a trust hack. The bot is not the weapon; it's the delivery system. The real vulnerability is the speed at which trust can be manufactured inside the Telegram ecosystem.
Defending against it requires the same speed — automated detection and response that matches the pace of the attack, not the pace of a human analyst reading a report.
ZeroState was built for that speed.