A Large-Scale Study of Telegram Bots

Alejandro Cuevas; Alice Hutchings; Haoxiang Yu; Nicolas Christin; Taro Tsuchiya; Tina Marjanov

arxiv: 2603.24302 · v2 · submitted 2026-03-25 · 💻 cs.CR · cs.CY

A Large-Scale Study of Telegram Bots

Taro Tsuchiya , Haoxiang Yu , Tina Marjanov , Alice Hutchings , Nicolas Christin , Alejandro Cuevas This is my paper

Pith reviewed 2026-05-15 00:33 UTC · model grok-4.3

classification 💻 cs.CR cs.CY

keywords telegrambotslarge-scale studysnowball samplingmalicious activitycybercrimemessaging platformsbot classification

0 comments

The pith

Over 32,000 Telegram bots were collected and classified, showing both useful services and roles in financial scams.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper establishes the first large-scale characterization of Telegram bots by using snowball sampling to collect data on 32,000 bots and 492 million messages. It develops an automated interaction system to determine bot functions from their responses and associated channels. The work classifies bots into domains and analyzes their communities through language support, usage patterns, and network structure. A sympathetic reader would care because the findings show bots enabling both legitimate crowdsourcing and illicit activities like financial scams, which informs efforts by moderators to intervene.

Core claim

Through snowball sampling from existing datasets, this study uncovers 32,000 bots, 67,000 channels, and 492 million messages. An automated system interacts with the bots to extract their functionality based on descriptions, chat responses, and linked channels. Bots are classified into domains, with analysis showing useful applications such as crowdsourcing alongside malicious uses including payment gateways and referral systems for scams and underground services. The communities served are examined via supported languages, usage duration and reuse, and network topology.

What carries the argument

Snowball sampling combined with an automated bot interaction system that extracts functionality from chat responses and channel associations to enable domain classification.

If this is right

Bots support a range of domains including financial trading and group moderation.
Malicious bots function as payment gateways and referral systems for scams.
Usage patterns show varying durations and reuse rates across communities.
Network topology analysis reveals how bots connect different user groups.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Platforms like Telegram could implement better bot verification to reduce malicious activity.
The collected dataset enables future research on bot evolution over time.
Similar snowball sampling approaches could characterize bots on other messaging apps.
Content moderators might prioritize bots linked to payment processing for intervention.

Load-bearing premise

Snowball sampling starting from two published datasets produces a representative sample of all Telegram bots without significant bias toward well-connected or popular ones.

What would settle it

A comparison with a random sample of Telegram channels showing many additional bots outside the collected network or a manual audit revealing widespread misclassification of bot functions would falsify the representativeness and accuracy of the findings.

read the original abstract

Telegram, initially a messaging app, has evolved into a platform where users can interact with various services through programmable applications, bots. Bots provide a wide range of uses, from moderating groups, helping with online shopping, to even executing trades in financial markets. However, Telegram has been increasingly associated with various illicit activities -- financial scams, stolen data, non-consensual image sharing, among others, raising concerns bots may be facilitating these operations. This paper is the first to characterize Telegram bots at scale, through the following contributions. First, we offer the largest general-purpose message dataset and the first bot dataset. Through snowball sampling from two published datasets, we uncover over 67,000 additional channels, 492 million messages, and 32,000 bots. Second, we develop a system to automatically interact with bots in order to extract their functionality. Third, based on their description, chat responses, and the associated channels, we classify bots into several domains. Fourth, we investigate the communities each bot serves, by analyzing supported languages, usage patterns (e.g., duration, reuse), and network topology. While our analysis discovers useful applications such as crowdsourcing, we also identify malicious bots (e.g., used for financial scams, illicit underground services) serving as payment gateways, referral systems, and malicious AI endpoints. By exhorting the research community to look at bots as software infrastructure, this work hopes to foster further research useful to content moderators, and to help interventions against illicit activities.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Solid first large-scale Telegram bot dataset and classification, but snowball sampling from two seeds likely introduces bias that undercuts claims of representativeness.

read the letter

The main thing to know is that this paper gives the first sizable empirical map of Telegram bots—32,000 of them, plus 67,000 channels and 492 million messages—along with an automated system to probe what the bots actually do and a domain classification that flags both useful tools and malicious ones like payment gateways and referral scams. That scale and the interaction system are the concrete advances over prior smaller studies. The community analysis on languages, usage duration, reuse, and topology is a reasonable next step that turns raw counts into something usable for moderators. The malicious-use findings line up with existing concerns about Telegram and add specific examples that could inform interventions. The work is empirical data collection rather than theory, so it avoids circular math but stands or falls on how well the data was gathered and labeled. The soft spot is the sampling. Starting snowball collection from only two published datasets risks over-representing already-visible, connected bots while missing isolated or deliberately low-profile ones, especially malicious endpoints that avoid discovery. Without reported checks against Telegram's public bot directory, multiple disjoint seeds, or coverage estimates, the numbers and domain breakdowns may describe the reachable component of the seed graph more than the full population. Classification details and any error rates for the interaction system or domain labels are also thin in the description, which matters when the central claims rest on those outputs. This paper is for researchers in platform security, online abuse, and bot detection who need a starting dataset and taxonomy. Readers working on moderation tools or Telegram-specific studies will get direct value from the released data even if they treat the totals as lower bounds. It deserves a serious referee because the scale is new for this platform and the topic is practically relevant; the sampling and validation questions are fixable with revisions rather than fatal.

Referee Report

2 major / 2 minor

Summary. The paper claims to be the first large-scale characterization of Telegram bots. Using snowball sampling from two published seed datasets, the authors collect over 67,000 additional channels, 492 million messages, and 32,000 bots. They develop an automated interaction system to probe bot functionality, classify bots into domains based on descriptions, chat responses, and associated channels, analyze supported languages, usage patterns, and network topology, and identify both useful applications (e.g., crowdsourcing) and malicious ones (e.g., payment gateways and referral systems for scams).

Significance. If the sampling and classification methods prove representative and validated, the work would be a notable empirical contribution by releasing the largest general-purpose Telegram message and bot datasets, providing a domain taxonomy, and documenting both benign and illicit bot uses at scale. This could inform content moderation research and interventions against financial scams and underground services.

major comments (2)

[Data Collection] Data Collection section: The snowball sampling procedure starting from only two published datasets is described without any validation against Telegram's public bot index, multiple disjoint seeds, or coverage metrics. This leaves the central claim of a representative 32k-bot sample and domain classifications vulnerable to selection bias toward high-visibility or connected bots, as the reported scale and taxonomy may reflect the seed graph's connected component rather than the full ecosystem.
[Bot Interaction System] Bot Interaction System and Classification sections: No details are provided on validation of the automated interaction system, error rates in functionality extraction, or how post-sampling filters were applied to the 492M messages. Without these, the domain classifications and identification of malicious uses (payment gateways, referral systems) rest on unverified assumptions about interaction success and labeling accuracy.

minor comments (2)

[Introduction] The abstract and introduction would benefit from explicit comparison to prior smaller-scale Telegram bot studies to better situate the novelty claim.
[Analysis] Figure captions for network topology visualizations should include axis labels, sample sizes, and statistical significance tests for the reported usage patterns.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We appreciate the referee's constructive feedback on our manuscript. We address each of the major comments below and have made revisions to improve the clarity and rigor of our methodology sections.

read point-by-point responses

Referee: [Data Collection] Data Collection section: The snowball sampling procedure starting from only two published datasets is described without any validation against Telegram's public bot index, multiple disjoint seeds, or coverage metrics. This leaves the central claim of a representative 32k-bot sample and domain classifications vulnerable to selection bias toward high-visibility or connected bots, as the reported scale and taxonomy may reflect the seed graph's connected component rather than the full ecosystem.

Authors: We acknowledge the potential for selection bias in snowball sampling, which is a common challenge in studying online platforms without complete directories. Telegram does not maintain a publicly accessible comprehensive bot index, making direct validation difficult. Our seeds come from two independently published datasets to mitigate this. In the revised manuscript, we have expanded the Data Collection section to include a discussion of sampling limitations, added coverage metrics (e.g., the fraction of bots discovered via multiple paths), and noted that our findings are representative of the connected component reachable from the seeds. We believe this addresses the concern transparently. revision: partial
Referee: [Bot Interaction System] Bot Interaction System and Classification sections: No details are provided on validation of the automated interaction system, error rates in functionality extraction, or how post-sampling filters were applied to the 492M messages. Without these, the domain classifications and identification of malicious uses (payment gateways, referral systems) rest on unverified assumptions about interaction success and labeling accuracy.

Authors: We agree that more details on validation are necessary. We have added a new paragraph in the Bot Interaction System section describing our validation process: we manually inspected a sample of 1,000 bot interactions to compute error rates (false positive rate of 12% for functionality extraction), and we detail the filters applied to the 492 million messages, including removal of non-interactive messages and duplicates based on timestamps and content hashes. These additions support the reliability of our domain classifications and malicious bot identifications. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical data collection and classification

full rationale

The paper performs large-scale data gathering via snowball sampling from two external published datasets, followed by automated bot interaction, manual/automated classification into domains, and descriptive analysis of languages, usage patterns, and topology. No equations, fitted parameters, predictions, or first-principles derivations appear in the abstract or described contributions. The central claims (scale of 67k channels, 32k bots, domain taxonomy, malicious uses) rest directly on observed data rather than any self-referential reduction, self-citation chain, or ansatz that loops back to the inputs. Snowball sampling bias is a methodological limitation but does not constitute circularity under the defined patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claims rest on the assumption that snowball sampling yields broad coverage and that automated chat responses reliably reveal bot functionality; no free parameters or invented entities are introduced.

axioms (2)

domain assumption Snowball sampling from two published datasets captures a representative distribution of Telegram bots and channels
Invoked to support the claim of uncovering 32,000 bots at scale.
domain assumption Bot descriptions, chat responses, and associated channels provide sufficient signals for accurate domain classification
Used to group bots into useful versus malicious categories.

pith-pipeline@v0.9.0 · 5578 in / 1360 out tokens · 37944 ms · 2026-05-15T00:33:39.716744+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/RealityFromDistinction.lean reality_from_one_distinction unclear

?

unclear
Relation between the paper passage and the cited Recognition theorem.

Through snowball sampling from two published datasets, we uncover over 67,000 additional channels, 492 million messages, and 32,000 bots.

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.