Experts warn of risk of crypto loss when trading via Telegram bots

Telegram-based crypto trading bots, while popular for their user-friendly interfaces and ease of use, could potentially lead to asset losses and are not safeguarded against hacker attacks, according to experts interviewed by ForkLog.

The large audience of the Telegram messenger and demand for digital-currency exchange operations have driven an increase in trading bots, such as Unibot, Swipe, WagieBot and Bolt.

According to Dune Analytics, to date more than 66,000 cryptocurrency holders have traded through such services for a total of over $149.4 million. Analysts warn that there are significant inaccuracies in their calculations.

At the same time, the mechanisms for creating wallets and handling user assets raise concerns among experts.

Advantages of Bots

Telegram crypto bots are designed to streamline the complex processes involved in wallet creation and authorising the necessary permissions for smart contracts on decentralized exchanges that handle asset transactions.

A broad set of features and strategies for working with cryptocurrencies makes them convenient to use. They also deliver high operational speed.

«For example, the popular Unibot specialises in rapid swaps on Uniswap, executing trades six times faster than on the DEX site», — explained ForkLog CEO Hacken Dmitry Budorin.

Bots operate by integrating with various crypto exchanges and blockchain networks using software algorithms that perform predefined functions. Typically, using bots is free, with only a nominal transaction fee charged.

«To start using a bot, you need to connect your existing wallet to the platform and share your private key. Or there is another way, when the Telegram bot creates a new wallet for you, generating cryptographic keys itself», — Budorin explains.

Seed phrases are stored encrypted on the bots’ servers and may be shown to the user on first install, says Mark Letsyuk, head of analytics and research at HAPI Labs.

Key Problems

From the above, the user effectively delegates responsibility for safeguarding their assets to a third party. This is compounded by the fact that most bots have closed-source code and do not undergo security audits.

«Developers have full control over the code and can embed hidden features. Some bots provide only executable files, which limits the ability to verify security», — notes Letsyuk.

According to him, storing assets on third-party servers risks unauthorized data access due to security breaches, human factors, and vulnerabilities in the bot’s code. Planned cyberattacks on crypto-bot servers, the creation of bots for fraud, or rug-pull schemes are not ruled out.

«Although popular crypto bots are typically designed with high security standards, no bot is completely immune to hacking or other attacks. Any vulnerability could lead to loss of funds or at least leakage of information», — emphasises the expert.

According to Dmitry Budorin, an additional risk stems from the Telegram messenger’s technical characteristics, the code of which is not open and has not undergone independent auditing:

«End-to-end encryption is available only for secret chats, with which bots cannot interact».

To avoid asset loss, experts recommend using only reliable and proven service providers — ideally with open-source code, a solid reputation and reviews, and audits by specialists in the field.

«It is important to periodically update apps and passwords, regularly review bot permissions and revoke them if necessary, check active sessions and, where possible, enable two-factor authentication. Storing large sums of cryptocurrency with such tools is unacceptable; cold wallets exist for this purpose», — concludes Mark Letsyuk.

Earlier, ForkLog reported that operators of ransomware, malware developers and other attackers move their active activity from the darknet to Telegram channels.