Telegram Bot Attack: How to Stop Raids, Floods, and Mass-Join Waves
A Telegram bot attack is a coordinated burst of automated accounts hitting a group at once: a raid where dozens of bots join in seconds, a flood where accounts post faster than anyone can read, or a mass-join wave designed to overrun moderation and drop spam or scam links before admins react. Telegram Bot App stops these with layers built for bursts rather than single messages: a CAPTCHA gate at the join, anti-flood and anti-raid velocity limits, a one-command manual lockdown, and an on-join ban for accounts already flagged across the network. This guide explains what a bot attack looks like and the exact settings that shut it down.
An attack is different from ordinary spam. Ordinary spam is a message here and there, handled by the spam detection layers. An attack is about volume and timing: many accounts acting together in a narrow window to swamp the group. The defences below are designed for that shape.
What a bot attack looks like
Most attacks fall into three patterns, and often combine:
- A join raid. Ten, fifty, or hundreds of accounts join within a few seconds, then start posting at once. The goal is to post faster than any admin can ban.
- A message flood. One or a few accounts send a rapid stream of messages, pushing real conversation off-screen and burying the chat in links or noise.
- A mass-join spam wave. Automated accounts join steadily and each drops a scam or invite link, relying on there being too many to remove by hand.
The common thread is speed. A defence that reviews one message at a time is always a step behind. What breaks an attack is stopping accounts at the door and capping how fast anyone can act.
The join gate: CAPTCHA
The first defence is to make joining cost human effort. CAPTCHA verification keeps every new member read-only until they solve a simple challenge, with a timeout you set from 1 to 60 minutes (15 is the default) and a choice to remove or restrict accounts that do not verify. A script that joins hundreds of groups cannot solve an individual challenge for each, so an automated raid stalls at verification instead of reaching the chat. Setup is in the CAPTCHA verification guide.
Anti-raid: locking down a join surge
When accounts join faster than any human would, anti-raid locks the group automatically. It watches the join rate through four settings:
set_antiraid_enabled— the on/off switch (off by default).set_antiraid_joins— the join limit (default 10).set_antiraid_secs— the window in seconds (default 30).set_antiraid_lockdown_secs— how long the lock lasts (default 600 seconds, 10 minutes).
With the defaults, more than 10 members joining within 30 seconds triggers a lockdown: the bot removes the group's send permission so no one can post, holds it for the lockdown window, then reopens automatically. It is a pause, not a purge, giving you time to see what is happening while the wave of new accounts sits unable to post. The full behaviour is in the flood and raid protection guide.
Anti-flood: capping message velocity
For an attack that comes from a few accounts posting rapidly, anti-flood limits how many messages a non-admin member can send in a short window:
set_antiflood_enabled— the on/off switch (off by default).set_antiflood_msgs— the message limit (default 8).set_antiflood_secs— the window in seconds (default 5).
With the defaults, more than 8 messages in 5 seconds trips the limit: the burst is deleted, and enforcement escalates. A first flood is a 5-minute mute; a repeat flood is a ban. Admins are exempt, and the check fails open, so a transient infrastructure error never mutes or bans an innocent member.
The manual switch: /panic
When you can see trouble starting and do not want to wait for a threshold, /panic locks the group immediately for the configured lockdown window, and /unpanic releases it early. Both are admin-only. This is the fastest way to freeze a group the moment an attack begins, and it works even if automatic raid detection is turned off. Keep it in mind as a manual backup alongside the automatic checks.
Banning known abusers on join
Attacks often reuse accounts that have already misbehaved elsewhere. With set_kick_known_abusers enabled, each new member is checked against the network's shared user-intelligence signal, and an account already flagged as a known abuser is banned on sight before it can post. This check also fails open: if the lookup errors, the joiner is treated as clean, so a lookup problem never bans a legitimate member. It is worth enabling on any public group that anyone can join.
Behavioural removal during the attack
Running underneath all of this, AI Spam Intelligence scores each account from 0.0 to 1.0 and auto-kicks at 0.75. Because a coordinated attack uses accounts that share characteristics and often carry violation history from other groups, many of them arrive with elevated scores and are removed on join without any per-message decision. This is free for every group, and it means part of the attack is handled before your velocity limits even engage.
A recommended setup against attacks
For a public group that could be raided, enable the burst defences together:
- CAPTCHA on join, so automated accounts stall at verification.
- Anti-raid at the defaults, so a join surge locks the group on its own.
- Anti-flood at the defaults, so a rapid poster is muted then banned.
- Known-abuser kick, so flagged accounts never get in.
- AI Spam Intelligence and Spamfinder, the two free spam layers, for the messages that do get through.
Keep /panic ready as the manual override. These burst controls are off until you switch them on, so nothing changes about your group until you decide to harden it. For the wider picture of keeping a group safe day to day, see how to protect a Telegram group.
Frequently asked questions
What is a Telegram bot attack?
A Telegram bot attack is a coordinated burst of automated accounts hitting a group at once: a join raid, a message flood, or a mass-join spam wave. The aim is to act faster than admins can respond and drop spam or scam links before anyone reacts. It differs from ordinary spam, which is occasional rather than coordinated.
How do I stop a bot attack on my Telegram group?
Enable the burst defences together: CAPTCHA to stall automated joins, anti-raid to lock the group when too many accounts join at once (default: more than 10 in 30 seconds), anti-flood to mute then ban rapid posters (default: more than 8 messages in 5 seconds), and the known-abuser kick to ban flagged accounts on join. Keep /panic as a one-command manual lockdown. The two free spam layers handle whatever gets through.
Can the bot lock my group automatically during a raid?
Yes. With anti-raid enabled, a join surge past your threshold locks the group by removing send permissions for a set period (10 minutes by default), then reopens automatically. You can also lock it by hand at any time with /panic and release it with /unpanic.
Will these protections affect normal members or admins?
Admins are exempt from anti-flood, and every automatic check fails open, so a transient error never punishes an innocent member. During a raid lockdown the whole group is paused rather than individuals punished, and it reopens on its own. The defences are also off by default, so they only act once you enable them.
Is bot attack protection free?
The strongest layers are free: AI Spam Intelligence, Spamfinder, CAPTCHA, anti-flood, anti-raid, /panic, and the known-abuser kick are all available to every group at no cost. The free tier also includes 500 image scans and 1,000 sentiment checks per month for the content-based checks.