
Critical Security Risks associated with Telegram Trading Bots

Sebastian Lim

It began like any other late night crypto experiment. A trader, eager to catch the next memecoin wave, opened Telegram, searched for BloomEVM (@BloomTrading), and followed the bot’s instructions: “Create your wallet. Paste your token address. Let automation do the rest.”

Within seconds, the bot was trading: fast, smooth, and efficient. But behind that convenience hid a silent danger associated with centralized storage of your private keys.

The Promise of a Telegram Trading Bot

Telegram trading bots like BloomEVM promise to simplify crypto trading. They let users create or import wallets directly in Telegram, paste token addresses, and automate trades across chains. Everything happens within a friendly chat window, no coding or wallet plugins required.

Following the Data

To understand what really happens behind the screen, we traced BloomEVM’s network traffic. The moment a user clicked Create Wallet, a series of HTTP requests lit up. These requests did not travel from the user’s device to the blockchain; they travelled between Telegram’s web client and Bloom’s backend servers.

The discovery was unsettling:

  • Wallets weren’t being generated locally.
  • The private keys were created on Bloom’s servers and sent back to the user.
  • When importing an existing wallet, private keys were transmitted to the same backend.

In other words, BloomEVM had full visibility and control over users’ keys, despite publicly claiming that “Bloom will not store or retrieve your private key.”

The illusion of self-custody shattered.
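The tracing described above can be turned into a repeatable check. The following is an added example, not code from the original post or from Bloom: it scans a simplified capture of request/response pairs (the format, hostnames and payloads below are constructed for this example; a real HAR export or proxy log would be converted into this shape first) and reports any field whose value has the shape of raw key material and whose field name hints at a secret. Because a 32-byte hex string also matches transaction and block hashes, shape alone is not treated as a finding; the RPC exchange in the sample shows why.

```python
"""Scan a captured HTTP exchange log for private-key material crossing the wire.

Added example, not part of the original post. The capture format is a
simplified list of request/response pairs constructed for this example.
"""
import json
import re

# Shapes that look like raw key material. A 32-byte hex string (0x optional)
# also matches tx and block hashes, so shape alone is not enough: a value is
# only reported when the JSON field name also hints at a secret.
HEX32_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# 64-byte ed25519 keypair in base58, the form Solana tooling exports.
BASE58_KEY_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{87,88}$")
SECRET_KEY_HINTS = ("priv", "secret", "seed", "mnemonic", "keypair")

# Constructed sample capture: the two custody-violating flows the post describes
# (server-generated key returned to the client; imported key sent to the server)
# plus an ordinary JSON-RPC balance query that must NOT be flagged.
SAMPLE_CAPTURE = json.dumps([
    {
        "url": "https://bot-backend.example/api/wallet/create",  # placeholder host
        "method": "POST",
        "request_body": "{}",
        "response_body": json.dumps({"address": "0x" + "ab" * 20,
                                     "privateKey": "0x" + "11" * 32}),
    },
    {
        "url": "https://bot-backend.example/api/wallet/import",  # placeholder host
        "method": "POST",
        "request_body": json.dumps({"privateKey": "22" * 32}),
        "response_body": json.dumps({"ok": True}),
    },
    {
        "url": "https://rpc.example/",  # placeholder RPC endpoint
        "method": "POST",
        "request_body": json.dumps({"jsonrpc": "2.0", "method": "eth_getBalance",
                                    "params": ["0x" + "ab" * 20, "latest"], "id": 1}),
        # 32-byte hex result: same shape as a key, but the field name is "result".
        "response_body": json.dumps({"jsonrpc": "2.0", "result": "0x" + "00" * 31 + "01",
                                     "id": 1}),
    },
])


def _looks_like_key_material(value):
    return isinstance(value, str) and bool(HEX32_RE.match(value) or BASE58_KEY_RE.match(value))


def _walk(node, path=""):
    """Yield (json_path, key_name, value) for every leaf of a parsed JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, path.rsplit(".", 1)[-1], node


def _scan_body(body, direction, url):
    """Return findings for one HTTP body travelling in the given direction."""
    try:
        parsed = json.loads(body) if body else None
    except json.JSONDecodeError:
        return []  # non-JSON bodies are out of scope for this example
    findings = []
    for path, key_name, value in _walk(parsed):
        if _looks_like_key_material(value) and any(h in key_name.lower() for h in SECRET_KEY_HINTS):
            findings.append({"direction": direction, "url": url, "field": path})
    return findings


def find_key_material(capture_json):
    """Scan every exchange in the capture; both directions are custody failures."""
    findings = []
    for exchange in json.loads(capture_json):
        findings += _scan_body(exchange.get("request_body", ""), "client->server", exchange["url"])
        findings += _scan_body(exchange.get("response_body", ""), "server->client", exchange["url"])
    return findings


if __name__ == "__main__":
    for finding in find_key_material(SAMPLE_CAPTURE):
        print(f"{finding['direction']:15} {finding['url']}  field={finding['field']}")
```

The field-name heuristic is deliberately conservative: a backend that returns a key under an innocuous name would pass, so any unexplained 32-byte value in a wallet-creation response still deserves a manual look. What the check does establish, when it fires, is exactly what the post found: the key was on the server's side of the connection.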

The Technical Proof

Our analysts captured the key creation flow in detail. In the captured network requests, the backend responded with both the wallet address and its private key (see Fig. 1).


Fig. 1. The created private key is sent to the user’s frontend and can be captured directly.

Contrary to Bloom’s documentation, the private key never resided solely in the user’s Telegram frontend. Instead, it lived on Bloom’s servers, accessible to anyone controlling that infrastructure.

This design wasn’t just poor practice; it was a fundamental violation of self-custody principles. Even worse, the bot could execute transactions directly on behalf of users without requiring on-chain approvals. In effect, users had delegated full signing authority to the bot.

When Things Went Wrong

The risks weren’t theoretical.

In January 2025, a Solana user lost 1,068 SOL (≈ $2.1 million) in transaction fees after a trade routed through the Bloom Router. Community members debated whether the loss was due to a manual fee error or a bot-side vulnerability. Bloom never issued a formal response. And Bloom wasn’t alone. The history of Telegram trading bots is littered with similar incidents:

  • Banana Gun (Sept 2023): $3 million drained from 11 users via unauthorized wallet access.
  • Maestro (Oct 2023): 280 ETH stolen after a smart contract flaw.
  • Unibot (Oct 2023): $640k lost in a router contract exploit.

Each story told the same cautionary tale: convenience came at the price of control.

Why This Matters

Telegram bots blur the boundary between social app and financial terminal. Unlike decentralized applications, they operate through centralized servers. A single compromised backend could endanger thousands of users’ wallets overnight. Yet, for many casual traders, that risk remains invisible behind the sleek chat interface.

What You Can Do

If you still choose to experiment with Telegram bots, treat them as untrusted intermediaries, not self-custodial tools. Security best practices include:

  • Use a temporary wallet. Never connect your main wallet.
  • Limit your funds. Only deposit what you can afford to lose.
  • Withdraw profits quickly. Move them to a cold or main wallet.
  • Revoke token approvals when done.
  • Monitor wallet activity regularly through explorers.

These aren’t guarantees, but they’re your last defense against silent custody failures.
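Two of the practices above, revoking token approvals and monitoring wallet activity, come down to inspecting and rewriting ERC-20 allowances. The following is an added example, not code from the original post or from any bot project: it builds the raw calldata for an `allowance(owner, spender)` query and for the `approve(spender, 0)` revocation offline, and decodes the query result so an unlimited approval stands out. The addresses are constructed placeholders; the two function selectors are the standard ERC-20 ones.

```python
"""Build and decode the calldata behind "check allowance" and "revoke approval".

Added example, not from the original post. Everything here runs offline; the
resulting hex strings are what a wallet sends as the `data` field of an
eth_call (allowance) or of a transaction (approve).
"""

# 4-byte selectors: the first four bytes of keccak256 over the signature.
# Hardcoded because Python's hashlib has no keccak256.
SELECTOR_ALLOWANCE = bytes.fromhex("dd62ed3e")  # allowance(address,address)
SELECTOR_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)
UINT256_MAX = 2**256 - 1                         # the usual "unlimited" approval

# Constructed placeholder addresses (not real contracts or accounts).
OWNER = "0x" + "11" * 20
BOT_ROUTER = "0x" + "22" * 20


def _strip_0x(hex_str):
    return hex_str[2:] if hex_str.startswith("0x") else hex_str


def _abi_address(addr):
    """ABI-encode an address: 20 bytes left-padded with zeros to a 32-byte word."""
    raw = bytes.fromhex(_strip_0x(addr))
    if len(raw) != 20:
        raise ValueError("address must be exactly 20 bytes")
    return raw.rjust(32, b"\x00")


def _abi_uint256(value):
    """ABI-encode an unsigned integer as a big-endian 32-byte word."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return value.to_bytes(32, "big")


def encode_allowance_call(owner, spender):
    """Calldata for allowance(owner, spender); send via eth_call to the token contract."""
    return "0x" + (SELECTOR_ALLOWANCE + _abi_address(owner) + _abi_address(spender)).hex()


def decode_uint256(result_hex):
    """Decode the single 32-byte word an allowance() call returns."""
    raw = bytes.fromhex(_strip_0x(result_hex))
    if len(raw) != 32:
        raise ValueError("expected a 32-byte return value")
    return int.from_bytes(raw, "big")


def is_unlimited(allowance):
    """True when a spender may move the owner's entire balance at any time."""
    return allowance == UINT256_MAX


def encode_revoke_call(spender):
    """Calldata for approve(spender, 0): setting the allowance to zero revokes it."""
    return "0x" + (SELECTOR_APPROVE + _abi_address(spender) + _abi_uint256(0)).hex()


if __name__ == "__main__":
    print("query :", encode_allowance_call(OWNER, BOT_ROUTER))
    # Constructed eth_call result standing in for an unlimited approval.
    current = decode_uint256("0x" + "ff" * 32)
    print("unlimited approval:", is_unlimited(current))
    print("revoke:", encode_revoke_call(BOT_ROUTER))
```

The revoke transaction must be signed by the wallet whose key you actually hold; on a bot whose backend has the key, the same revocation could be undone by anyone with that key, which is why the post treats approval hygiene as a last line of defence rather than a fix.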

The Takeaway

The rise of Telegram trading bots like BloomEVM reflects a deeper trend: traders want simplicity. But when simplicity hides centralization, the convenience becomes an illusion of control. Our investigation reminds us that in crypto, custody equals trust, and trust, once misplaced, is impossible to reclaim.
