Noureddine RAMDI / Matkap: Active interception of malicious Telegram bots using leaked tokens

Created Sat, 23 May 2026 20:41:14 +0000 Modified Sat, 23 May 2026 20:41:27 +0000

0x6rss/matkap

Matkap is an offensive security research tool focused on hunting and intercepting malicious Telegram bots by weaponizing leaked bot tokens. Instead of just reporting exposed credentials, Matkap actively connects to compromised bots using Telegram’s MTProto API and forwards all intercepted messages to the researcher. This turns passive OSINT into active threat intelligence.

What matkap does and its architecture

Matkap is written in Python and designed to intercept messages from Telegram bots whose tokens and chat IDs have been leaked or exposed. It takes as input a compromised bot token and the associated chat ID, then uses Telegram’s low-level MTProto API to establish a session as that bot. Once connected, it forwards all messages from the bot to the researcher’s own Telegram account.

The tool goes beyond manual token input by integrating with the external OSINT platforms FOFA and URLScan. Both index content from internet-wide scans, and Matkap queries those indexes with dork queries such as body="api.telegram.org" to surface accidentally exposed credentials. By automating the search for leaked tokens and chat IDs across these sources, Matkap enables large-scale hunting of malicious bots.
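The same exposure Matkap hunts for can be caught on the defender's side before it is indexed, by scanning your own served files and repositories for bot tokens. The following example is added here and is not part of Matkap; the token pattern (numeric bot id, a colon, then a 35-character secret of letters, digits, underscore and hyphen) and the 8-to-10 digit bound on the id are assumptions about the format Telegram issues, and the sample page body is constructed.

```python
"""Find Telegram bot tokens (and the chat IDs shipped with them) in web content or source, then redact them."""
import re
from dataclasses import dataclass, field

# Bot tokens are "<numeric bot id>:<secret>"; the secret is 35 chars of [A-Za-z0-9_-].
# The 8-10 digit bound on the id is an assumption used to limit false positives.
_TOKEN = r"(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])"
TOKEN_RE = re.compile(r"(?<!\d)" + _TOKEN)
# Bot API calls carry the token in the URL path; the chat_id often sits in the query string.
API_CALL_RE = re.compile(
    r"api\.telegram\.org/bot" + _TOKEN + r"/(\w+)(?:\?[^\s'\"]*?chat_id=(-?\d+))?"
)

@dataclass
class Finding:
    bot_id: str
    token: str
    methods: set = field(default_factory=set)   # Bot API methods seen with this token
    chat_ids: set = field(default_factory=set)  # destination chat IDs seen alongside it

def find_exposed_tokens(text: str) -> dict:
    """Return {token: Finding} for every bot token in text; when the token appears
    inside an api.telegram.org URL, record the method and chat_id it was used with."""
    findings = {}
    for m in TOKEN_RE.finditer(text):
        token = f"{m.group(1)}:{m.group(2)}"
        findings.setdefault(token, Finding(bot_id=m.group(1), token=token))
    for m in API_CALL_RE.finditer(text):
        token = f"{m.group(1)}:{m.group(2)}"
        f = findings.setdefault(token, Finding(bot_id=m.group(1), token=token))
        f.methods.add(m.group(3))
        if m.group(4):
            f.chat_ids.add(m.group(4))
    return findings

def redact(text: str) -> str:
    """Keep the bot id (useful when reporting the leak) but blank the secret half."""
    return TOKEN_RE.sub(lambda m: f"{m.group(1)}:<REDACTED>", text)

# Constructed sample: the kind of page body a body="api.telegram.org" dork surfaces.
SAMPLE = '''
const token = "123456789:AAFakeTokenForScannerTestOnly000000";
fetch("https://api.telegram.org/bot123456789:AAFakeTokenForScannerTestOnly000000/sendMessage?chat_id=-1001234567890&text=hello");
'''

if __name__ == "__main__":
    for token, finding in find_exposed_tokens(SAMPLE).items():
        print(f"bot {finding.bot_id}: methods={finding.methods} chat_ids={finding.chat_ids}")
    print(redact(SAMPLE))
```

Run it over a directory of built front-end assets or a repository checkout; a hit on the redacted bot id is enough to identify which bot to revoke via Telegram's token regeneration without copying the secret into a ticket.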

Captured messages are exported automatically to a local directory for further offline analysis. This combination of active connection, interception, and integration with OSINT scanners makes Matkap a practical tool for threat researchers focused on Telegram bot abuse.

Under the hood, Matkap requires Telegram API credentials (api_id, api_hash, phone_number) obtained from my.telegram.org/apps for authentication and session management. Optionally, FOFA and URLScan API keys enable the scanning modules. The architecture centers on leveraging Telegram’s MTProto protocol to hijack bot sessions securely and reliably.

Technical strengths and design tradeoffs

One of Matkap’s technical strengths is its active interception approach. Many OSINT tools merely report leaked credentials, leaving researchers to manually investigate or notify victims. Matkap takes the next step by programmatically connecting to the compromised bots and forwarding their traffic. This provides real-time visibility into malicious bot activities.

The integration with FOFA and URLScan for scanning exposed tokens is another plus. These platforms offer large-scale internet scanning capabilities that Matkap taps into, automating discovery at scale. This reduces manual effort and increases coverage.

The codebase is Python-based and depends on the Telegram MTProto API libraries, which are relatively low-level and complex compared to Telegram’s Bot API. This choice enables session hijacking capabilities but requires careful handling of authentication flows and message forwarding logic.

There are tradeoffs to consider. Actively connecting to compromised bots raises ethical and legal questions; researchers must ensure they have authorization or operate within legal boundaries. Also, reliance on FOFA and URLScan APIs means the tool’s scanning capabilities depend on external service availability and account limits.

From a code quality perspective, the repository appears well-structured with clear separation between the Telegram client logic, scanning modules, and message export functionality. Configuration is managed via environment variables in a .env file, improving usability and security by avoiding hardcoded secrets.

Getting started with matkap

Prerequisites

  • Python 3.7 or higher
  • Pip package manager
  • Telegram API credentials from my.telegram.org/apps (api_id, api_hash, phone_number)
  • Optional: FOFA and URLScan API keys for scanning features

Setup

  1. Clone the repository and navigate to the project folder.

  2. Install dependencies:

     pip install -r requirements.txt

  3. Create a .env file in the project root with your Telegram API credentials and, optionally, FOFA/URLScan keys:

     TELEGRAM_API_ID=123456
     TELEGRAM_API_HASH=your_api_hash
     TELEGRAM_PHONE=+900000000000

     # Optional for scanning
     FOFA_EMAIL=your_fofa_email
     FOFA_KEY=your_fofa_key
     URLSCAN_API_KEY=your_urlscan_api_key

  4. Run Matkap with the compromised bot token and chat ID to start intercepting messages. The tool will forward messages and save them locally.

This setup balances simplicity with the necessary credentials to operate Telegram’s MTProto API and external scanning services.

Verdict

Matkap is a specialized tool tailored for security researchers and OSINT practitioners focused on Telegram bot threats. Its active interception approach provides richer data than passive leak reporting, making it valuable for tracking malicious bot activity in real time.

However, it is not a turnkey solution for everyone. The requirement to manage Telegram API credentials and optional scanning service accounts adds setup complexity. Ethical and legal considerations around hijacking bot sessions mean users must operate responsibly.

In production or research, Matkap’s ability to automate token discovery and session hijacking offers a practical, if niche, capability. It’s worth understanding if you work with Telegram bot security or threat intelligence, but it requires some familiarity with Telegram’s API ecosystem and OSINT tooling.

Overall, Matkap fills a gap between passive credential exposure monitoring and active threat intelligence gathering on Telegram’s bot platform, with clear tradeoffs around complexity and operational risk.
→ GitHub Repo: 0x6rss/matkap ⭐ 948 · Python