Scamming the Scammers: Phishing Kit Creator is Stealing the Telegram Token from Scammers


At Bolster Research Labs, we recently observed that phishing kit creators constantly target entertainment media groups with a worldwide user base, like Disney+. (Our phishing kit has already dissected the specific behaviors of a phishing kit targeting Disney+.)

In our continuous pursuit of understanding the scope of these concerns, we turn our attention to another media heavyweight: beIN Media Group.

BeIN, a well-known Qatari state-owned company specializing in worldwide sports and entertainment, headquartered in Doha, Qatar, has become the latest victim of such phishing attempts. Our findings hint at a similar phishing kit intended to target beIN’s consumer base.

Surprisingly, this phishing kit is freely available within the underbelly of a cybercrime channel, but broad exploitation has yet to be accomplished. It raises the question of the kit’s hidden motivations and deliberate deployment timing. The deceptive method devised by the phishing kit’s developer serves as the focal point of our examination.

Not only are beIN Media Group’s naive clients at risk but so are the fraudsters. The developer has integrated a clever trap in the kit, a snare designed to steal the Telegram Bot token from scammers who use it in illegal activities.

This devious strategy is a game changer, showing a multifaceted threat landscape in which trust is a liability and even cybercriminals are vulnerable to predation. It serves as a harsh reminder that predators can rapidly become prey in the digital arena.

The focal point of this blog is to unveil the cunning tactic employed by the developer of the phishing kit that steals the Telegram Bot token from scammers who are reusing this phishing kit to scam customers of beIN Media Group.

beIN Phishing Page
Fig1: beIN Phishing Page

Phishing Kit Structure

This phishing kit is designed to steal credit and debit card information from the beIN users and then exfiltrate it with the Telegram bot, a common technique observed for most phishing campaigns.

Files inside the Phishing Kit
Fig2: Files inside the Phishing Kit

This phishing kit is not as sophisticated as others, primarily because it could be under development. The anti1.php, an antibot code (based on previous phishing kit analysis), contains the logic for unnecessary traffic like crawl engines, which seems incomplete. Since this can’t block traffic by default, AI engines can crawl and classify the hosted phishing site.

Incomplete antibot code
Fig3: Incomplete antibot code

Data exfiltration

This phishing kit is designed to exfiltrate the credit/debit card information and OTP via the Telegram bot.

Data exfiltration via telegram bot
Fig4: Data exfiltration via telegram bot

Both messages posted on Telegram contain sensitive information typically associated with credit card details, a transaction or account verification confirmation code, and expiration dates. The attacker later sells this data on Telegram or other dark web forums.

Configuration file for telegram bot C2
Fig5: Configuration file for Telegram bot C2


Phishing Kit Creator Stealing Telegram Bot Token

While testing this phishing kit’s capabilities locally, it was found that the phishing kit is stealing the Telegram bot token (used by scammers who host this phishing kit in the real world) and exfiltrating via this unknown endpoint: hxxp:// as a POST request (while writing this blog, the endpoint is active).

Phishing Kit Creator Stealing Telegram Token
Fig6: Stealing Telegram Token

We uncovered that the Telegram token exfiltration is triggered by one obfuscated function from a JQ.js file in the phishing kit.

Token Stealing JS code
Fig7: Token Stealing JS code

Further scanning the IP address, we found 5 TCP ports open: 135,139,3389,500,5985, and likely the threat actor behind the phishing kit creation using IP management infrastructure powered by the IPXO (based on the WHOIS record).

Open ports on the IP controlled by the threat actor
Fig8: Open ports on the IP controlled by the threat actor
WHOIS record of
Fig9: WHOIS record of

The IP address mentioned above is working as a C&C server to exfiltrate tokens, and on port 5000, Werkzeug/2.3.7 Python/3.11.4 services are running.


Understanding the tactics and techniques is critical for creating strong security measures and preventing potential threats. The Mitre TTP is given below:

ID Tactic Technique Procedure



Phishing for Information

Spearphishing to target beIN Media Group to get Personal Identifiable Information [PII] and credentials.


Initial Access


Spearphishing to target beIN Media Group.



User Interface

Adversaries rely upon the user/customers to input the credentials and PII through login portal.



Server Software Component

Through the phishing kit’s backdoor, the scammer’s operations can be continuously accessed by its creator.


Defense Evasion


Impersonating beIN Media Group in order to persuade and trick the customers and users.


Credentials Access

Input Capture

Adversaries using methods to capture user input to obtain credentials and credit card details through login portal in this case.



Account Discovery

Adversaries collecting information from compromised user.



Input Capture

Adversaries using methods to capture user input to obtain credentials and credit card details through login portal in this case.


Command & Control

Web Service

Telegram and acting as a mechanism for C2 as a means for relaying data to/from a compromised system/user.



Exfiltration Over C2 Channel

Adversaries are exfiltrating data over C2 server. In this case, telegram bot and is serving as C2 server to exfiltrate tokens.

MITRE ATT&CK Framework Heatmap
Fig11: MITRE ATT&CK Framework Heatmap

Impact & mitigation

Impact Mitigation

The collected data contains Personal Identifiable Information (PII) of the users interacting with the kit, which could later be sold on dark web forums, thus resulting to data breach.

Regularly performing vulnerability assessments, conducting penetration testing to identify gaps in security protocols, and keeping up-to-date with the latest phishing trends and techniques are essential for maintaining a secure IT environment.

Loss of trust and reputation, financial loss.

Cybersecurity incorporated into employee onboarding, thus creating awareness among the individuals at an early stage.


In conclusion, our investigation into the phishing kit targeting beIN Media Group reveals a fascinating and ironic twist in cybercrime. The creators of this phishing kit distributed it freely on cybercrime channels and stole Telegram bot tokens from the scammers who would host it. Those stolen tokens can be abused for various malicious purposes.

Furthermore, our analysis at Bolster Research Labs sheds light on the operation of this specific phishing kit. It contributes to a broader understanding of cybercriminal tactics and the need for continuous innovation in cybersecurity defenses. Sharing our findings becomes crucial in the collective fight against cybercrime as we continue to uncover and dissect these threats.

Bolster’s anti-phishing and domain monitoring technology protects your business from evolving phishing threats. With the industry’s leading LLMs and continuous scanning technology that quickly identifies threats and misuse of your branded assets, you can trust Bolster will protect your business.

See Bolster in action when you request a demo.