6 Spam Patterns We Caught in 48 Telegram Groups (Last 30 Days)
I run Varta across 48 Telegram communities. Last 30 days the AI handled 886 spam attempts from 192 unique offenders, with a 2.3% measured false-positive rate across 29K+ members in 10 active languages.
That sounds like a wall of numbers. The interesting story is underneath: almost all 886 attempts fit into six recurring patterns. Once you see them named, you start spotting them in your own group too. And once you spot them, you can act faster — whether that's a keyword rule, a manual ban, or letting an AI handle it in the background.
I'm going to walk through all six, with the kind of detail I wish someone had written for me when I started running communities. What the pattern looks like. Why it works against most defenses. What we do when we see it.
Real spam caught by Varta
Real spam from real Telegram groups — stopped automatically.
НYЖНЫ DEНЬГU ?? ПUШU MNE
NEED MØNEY?? WRИTE ME
😎ХОРОШО ЗАХОДИТ, ЗАЛЕТЕЛО 100К 🍋ИГРАЮ ЗДЕСЬ: cashback.fast-page.org
😎GOING GREAT, WON 100K 🍋PLAYING HERE: cashback.fast-page.org
Уᴅáлённãя рãботã ២1+ 0κлá∂ ~𝟞О﹩ в ᴅᴇнь
Rᴇmote ʝob ២1+ Pᴀy ~𝟞0﹩ per ᴅᴀy
👑 Зевсы на полной раздаче! 🎰 t.me/tonplay?start=...
👑 Zeus slots full payout! 🎰 t.me/tonplay?start=...
🐳 Whale - best crypto casino ⚡️500% +250FS 👑 22% Cashback
(original in English)
Pattern 1 — aged-account drift
What it looks like. An account joined your group 6 weeks ago. It posted a polite hello, replied to someone's question two weeks later, and now drops a message in a side conversation: «btw I've been using a side project that pays $200 a day — anyone wanna try?»
Why it works. Standard CAPTCHA gates check who's a bot at the door. This account is human-operated, has account history, and waited weeks to drop the payload. By that point, every entry-time defense has already cleared it. Trust signals like account age, join-date, and «has previously posted» all point to «legit member».
What Varta catches. The AI reads intent — the «$200 a day» phrasing combined with the account's complete absence of group-relevant posting history triggers a flag, regardless of how long the account has existed. Cross-group reputation adds a second layer: if the same user ID dropped a similar message in another protected group last week, we already know the pattern.
Last 30 days, this pattern accounted for ~280 of the 886 detections — easily the biggest single bucket.
Pattern 2 — Cyrillic-Latin substitution
What it looks like. «Hottest cаsіnо of the year! 22% cashback!» Looks normal. But the letters «а», «і», and «о» are Cyrillic, not Latin. To your eye they're identical. To a keyword filter searching for «casino», they don't match.
Why it works. Every admin who ever set up a keyword list wrote «casino» in their native alphabet. The spammer's autoreplace function swaps a few visually-identical Cyrillic glyphs in, and the message passes through unchallenged. Same trick works for «vіagra», «forех», «crурto».
What Varta catches. The AI reads meaning, not spelling. «cаsіnо» and «casino» have the same semantic embedding to a language model — both are «name of a gambling category». No keyword list needed. Bonus: image attached? The vision pass reads any URL rendered into the picture.
Last 30 days, this pattern accounted for ~145 detections, concentrated in Russian-speaking and mixed-language groups where the alphabet trick is most natural.
Pattern 3 — image-embedded URLs
What it looks like. A screenshot of a «promotional offer». The image looks like a banner ad. The URL is rendered as part of the image — there's no clickable link, no text the bot can read, just pixels showing «👉 join.crypto-deals[.]xyz».
Why it works. Most moderation bots only read text. Images are opaque to them. You can post any text-based scam as a screenshot, and the keyword bot sees only «image attached» — nothing to evaluate.
What Varta catches. Vision models read images. The classifier extracts the URL, the call-to-action, and any text overlaid on the picture, then evaluates the same way it would evaluate a text message. Screenshots of QR codes get parsed too — we resolve the QR and check the destination against threat databases before passing or banning.
Last 30 days, this pattern accounted for ~95 detections — smaller in volume than the previous two but disproportionately damaging when missed, because image-based scams convert at higher rates than text ones.
Pattern 4 — admin impersonation
What it looks like. Your members start getting DMs from «you». The display name matches yours. The profile photo is yours. The username is one character off — yours is `@anna_admin`, the impersonator is `@anna_аdmin` (Cyrillic «а» again). The message: «Hey, I noticed your activity in the group — I'd like to discuss a partnership.»
Why it works. The spam happens off your channel. By the time a victim notices, they've already replied. By the time they tell you about it, the impersonator has DM'd everyone in the group. You never see the original message because it never appeared in your group.
What Varta catches. The bot scans new joins for profile-clone signals — matching display name, matching photo, similar username — against the current admin team's profiles. When the match score crosses a threshold, the suspicious account gets flagged for review before it can DM any group member. Members get a warning broadcast (silent — never posted in the group) explaining the impersonation pattern.
Last 30 days, this pattern accounted for ~60 detections. The smallest volume of the six, but the most expensive when it gets through — at least three groups in May 2026 had members lose money to admin-impersonator DMs before the detection was tuned.
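The lookalike-letter trick behind Pattern 2 (keywords) and Pattern 4 (admin names) can also be caught without a language model. The sketch below is an added example, not Varta's code: it folds text to a comparison "skeleton" and flags mixed-script tokens. The confusables table is a small constructed subset and all function names are hypothetical.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones. Assumption:
# a production filter would load the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}

def script_of(ch):
    """Coarse script label (first word of the Unicode name); None for non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def mixed_script_tokens(text):
    """Tokens whose letters come from more than one script."""
    hits = []
    for token in text.split():
        scripts = {script_of(c) for c in token} - {None}
        if len(scripts) > 1:
            hits.append(token)
    return hits

def skeleton(text):
    """Comparison form only: NFKC, casefold, then map lookalikes to Latin."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(CONFUSABLES.get(c, c) for c in folded)

def keyword_hits(text, keywords):
    """Keywords found after folding, including ones hidden by substitution."""
    folded = skeleton(text)
    return [k for k in keywords if k in folded]

def is_lookalike(candidate, reference):
    """True when two names differ in code points but fold to the same skeleton."""
    return candidate != reference and skeleton(candidate) == skeleton(reference)

# Constructed samples built from the examples on this page; the escapes are the
# Cyrillic letters U+0430, U+0456 and U+043E.
MESSAGE = "Hottest c\u0430s\u0456n\u043e of the year! 22% cashback!"
ADMIN = "@anna_admin"
CLONE = "@anna_\u0430dmin"

if __name__ == "__main__":
    print("folded match:", keyword_hits(MESSAGE, ["casino", "forex"]))
    print("mixed-script tokens:", mixed_script_tokens(MESSAGE))
    print("admin lookalike:", is_lookalike(CLONE, ADMIN))
```

Use the skeleton only for matching, never for display: folding a legitimate Russian message produces nonsense Latin, so the mixed-script check is the better signal in Cyrillic-language groups.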
Pattern 5 — slow-funnel income scams
What it looks like. Message 1: «hi, anyone here looking for remote work?» Sounds normal-ish. Reply or no reply, the spammer continues. Message 2 (10 minutes later): «I found this company that pays well, mostly admin tasks.» Message 3: «here's the link: easywork[.]biz». The link goes to a phishing or pyramid funnel.
Why it works. Message 1 alone is not spam — it's a question. Message 2 alone is not spam either — it's a personal recommendation. The pattern only becomes detectable once you see the sequence. Keyword bots evaluate each message in isolation, so they miss the funnel.
What Varta catches. The classifier keeps a short-term context window for each sender in each group. A sequence of message 1 («looking for work?») + message 2 (recommendation) + message 3 (external link) triggers the slow-funnel detection. Confidence rises across messages — by message 3, the verdict is unambiguous and the prior messages get retro-deleted as part of the same funnel.
Last 30 days, this pattern accounted for ~120 detections, concentrated in groups that allow job-discussion topics — exactly the groups where slow-funnel income scams are most useful.
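A per-sender context window of the kind described above can be sketched as a small ordered-stage tracker. This is an added example, not Varta's classifier: the regexes are constructed stand-ins for per-message labels, and the 30-minute window, `FunnelTracker` and `easywork.example` are assumptions.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 30 * 60  # assumed length of the per-sender context window
# Constructed regexes standing in for a classifier's per-message labels.
STAGES = [
    re.compile(r"looking for (remote )?(work|a job)", re.I),   # 0: hook
    re.compile(r"pays well|found this company", re.I),          # 1: recommendation
    re.compile(r"https?://|\b[\w-]+\.[a-z]{2,}\b", re.I),       # 2: external link
]

def stage_of(text):
    for i, rx in enumerate(STAGES):   # first matching stage wins
        if rx.search(text):
            return i
    return None

class FunnelTracker:
    def __init__(self):
        self.history = defaultdict(deque)  # (group, sender) -> (ts, msg_id, stage)

    def observe(self, group_id, sender_id, msg_id, ts, text):
        """Return (stages_completed, message_ids_to_delete)."""
        window = self.history[(group_id, sender_id)]
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()              # forget messages outside the window
        stage = stage_of(text)
        if stage is not None:
            window.append((ts, msg_id, stage))
        funnel, expected = [], 0
        for _, mid, st in window:         # stages only count in funnel order
            if st == expected:
                funnel.append(mid)
                expected += 1
        if expected == len(STAGES):       # hook + recommendation + link seen
            window.clear()
            return expected, funnel       # delete the whole sequence together
        return expected, []

# Constructed sample: the three-message sequence above, placeholder domain.
SAMPLE = [
    (0, 101, "hi, anyone here looking for remote work?"),
    (600, 102, "I found this company that pays well, mostly admin tasks."),
    (660, 103, "here's the link: easywork.example"),
]

def run_sample():
    tracker = FunnelTracker()
    return [tracker.observe("g1", "u1", mid, ts, txt) for ts, mid, txt in SAMPLE]
```

Each message alone scores at most one stage; only the ordered sequence inside the window returns the earlier message IDs for deletion, which is the behaviour a per-message keyword filter cannot reproduce.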
Pattern 6 — cross-group pivot
What it looks like. You ban a spammer. Two days later, an account with a different username and a slightly different avatar joins your group — and within five minutes drops the same kind of offer. You ban again. Two days later, another. Same operator, fresh costume.
Why it works. Telegram makes username changes cheap. The same operator can pivot to a fresh account, fresh username, fresh photo within minutes of being banned. If your defense is per-group memory, every new account is a new opportunity.
What Varta catches. Cross-group reputation is the answer to this pattern. When a Varta-protected group bans an account, the underlying signal (ban category, timestamp, group context) is shared across all 48 protected communities. The spammer's next account doesn't need to repeat the pattern in your group — if a similar pattern was banned anywhere on the network, the new account starts at low trust and gets evaluated more strictly.
Last 30 days, this pattern accounted for ~7 first-message catches on accounts that had no in-group history at all — accounts banned on message #1 because the network already knew them. Small absolute number, but those are 7 spammers who never got to send a single message in a new group.
What changes when you name the pattern
Pattern recognition is the difference between «random spam happens, I keep deleting» and «I know what this is, I know what to do».
Three things shift when you name the patterns:
Response time drops. You stop reading every message wondering «is this spam?» Once you spot pattern 1 (aged-account, $200/day), you ban without re-evaluating. Once you spot pattern 5 (slow-funnel), you don't wait for message 3 — you act at message 2.
You can hand off. Patterns named in writing are patterns you can give a new co-admin or a moderation bot. «Watch for these 6 things.» That's a manual you didn't have before.
You see the system, not the noise. 886 events sounds chaotic. Six patterns sound manageable. You stop feeling like spam is happening to you and start seeing it as a finite catalogue you're already half-defended against.
If you saw any of these patterns in your group in the last week, here's what I'd actually do:
1. Save the worst example you've seen lately as a screenshot.
2. Paste it into our live classifier. See what the production AI calls it — and what it would do in your group.
3. If the verdict feels right, add Varta in shadow mode for a few days. Watch what it flags. If the judgment matches yours, promote it.
4. If you'd rather stay manual, at least share this post with your co-admins. Named patterns are easier to defend against than nameless ones.
Six patterns. 886 events. 192 offenders. The numbers will shift each month — but the patterns repeat. Knowing them is the start of running a community where moderation happens in the background instead of eating your day.