ScamBaitAI

How it works
Telegram Bot response

The Problem

Every day, scammers target millions of people-especially the elderly and the vulnerable-through text and phone. They impersonate banks, tech support, and government agencies. They create urgency, fear, and fake trust. By the time a victim realizes it’s a scam, money is gone and personal data is leaked. Law enforcement is overloaded; blocking and ignoring only makes scammers move to the next number. We asked: what if we could turn the table? What if the “victim” on the other end was an AI that never gives real data or money-but wastes the scammer’s time and extracts intelligence (phone numbers, UPI IDs, phishing links, bank accounts) that can help researchers and authorities? That’s the idea behind ScamBait AI: an agentic honeypot that engages scammers on the same channels they use, with two solutions-a Telegram bot agent and a voice call agent-so we can fight back at scale.

Inspiration

We were inspired by real-world stories of digital arrest scams, UPI fraud, fake job offers, and tech-support call centers. We saw that scammers’ most valuable resource is time: the longer they stay on a call or in a chat, the less time they have for real victims. We also saw that the same tactics appear on multiple channels-Telegram for text, phone for voice-and that one AI character could work across both. We wanted to build something that:

Engages scammers so they keep talking.
Extracts actionable intelligence (accounts, links, numbers) without ever giving real data.
Scales across many conversations using one shared backend.

That led us to design two solutions on top of one backend: a Telegram bot for text-based scams and a voice call pipeline for phone scams.

What it does

ScamBait AI is an agentic honeypot with two ways to reach scammers-and everything is connected to one backend.

Telegram Bot Agent (Solution 1)
We run a bot that looks like a real person. When someone messages @ScamBaitAI_BOT, every message goes to our backend. The AI replies in character so scammers stay engaged. The same pipeline does scam detection (rules + ML), intelligence extraction (UPI IDs, phones, links, emails, APK links, crypto, etc.), and session management. Operators see live traffic and intel on the dashboard.
Voice Call Agent (Solution 2)
We host real phone numbers via Twilio. When a scammer calls, we answer with AI. Their speech is transcribed in real time (Deepgram), the same AI generates a text reply (same LLM as the bot), and ElevenLabs turns it into natural speech that is streamed back over the call. It feels like talking to a real person. We support barge-in and silence handling so the conversation stays natural.
Everything is connected
Both the bot and the voice call use the same backend and the same workflow: one place for detection, reply generation, and extraction. So whether the contact is via Telegram or phone, we get consistent behavior, one set of scam types (digital arrest, UPI scam, job scam, sextortion, etc.), and one place where intel is collected and can be sent to a callback endpoint for analysts. The dashboard connects to the same backend too-it shows real-time stats, live messages (WebSocket), and system status so we can monitor both channels from one place.

How we built it

Everything-bot, voice, and dashboard-talks to one central API. That keeps the system simple and makes it easy to add more channels or scale later.

Core: one API, one workflow

We built a FastAPI backend with a single honeypot endpoint. Every message (from Telegram or from a voice call) hits the same endpoint and goes through the same LangGraph workflow: load session → detect scam → generate reply → extract intel (UPI, phones, links, bank accounts, etc.) → save session. So the bot and the voice pipeline are just two different ways to send messages into the same brain.

Tech stack at a glance

Layer	What we use
Backend	Python, FastAPI, LangGraph, LangChain
LLMs	Cerebras (primary), Groq (fallback)
Database	SQLAlchemy (SQLite / PostgreSQL)
Telegram bot	python-telegram-bot, aiohttp (webhook)
Voice	Twilio (calls + media stream), Deepgram (speech-to-text), ElevenLabs (text-to-speech)
Dashboard	React, TypeScript, Vite, TailwindCSS, Recharts, Framer Motion
Detection	Rule-based + scikit-learn (TF-IDF, LinearSVC) for scam type
Hosting	Render (API, bot, and dashboard as separate services)

How each part connects

Telegram bot: When a user sends a message, the bot calls our API with that message and a session id. The API runs the workflow and returns the reply. The bot sends that reply back to the user. No logic lives in the bot-it just forwards messages to the API. That way, the bot and any future channel (e.g. WhatsApp, web chat) can reuse the same logic.
Voice calls: When someone calls our Twilio number, we connect the call to a WebSocket. Audio from the call goes to Deepgram (speech-to-text). When we have a final transcript, we send it to the same API as if it were a text message (with a flag for voice). The API returns a text reply; we send that to ElevenLabs (text-to-speech) and stream the audio back to the call. So the voice pipeline is just another client of the same backend.
Dashboard: It calls the API for stats and opens a WebSocket for live events. So operators see what’s happening across both Telegram and voice in one place.

Because everything is connected to one backend, scaling is straightforward: we can add more bot instances, more phone numbers, or new channels (e.g. WhatsApp) that all call the same API. We can also scale the API and database independently (e.g. more workers, read replicas) without changing the bot or voice code.

Challenges we ran into

Real-time voice latency
Keeping the call feeling natural meant tuning speech-to-text and text-to-speech so that “scammer speaks → we reply with voice” stayed under a few seconds. We had to run the LLM and TTS on the same event loop and avoid blocking the WebSocket.
Same character on text and voice
We wanted the same style of reply whether the scammer was typing on Telegram or speaking on the phone. We reused the same system prompt and passed a simple flag (e.g. voice vs Telegram) so we didn’t need two separate reply systems.
Barge-in and silence
On voice, we had to handle the scammer talking over the AI (stop playback, clear buffer) and long silence (e.g. “Hello? Are you there?”). We implemented this in the audio orchestrator and Twilio stream handling.
Concurrency and session safety
With many Telegram users and possible parallel calls, we added session locking and a cap on concurrent requests so two requests for the same session don’t race and the server doesn’t overload. We also added timeouts and fallback replies so we don’t return errors for normal flow.
Keeping the AI in character
We had to avoid the LLM saying things like “I’m an AI” or refusing to engage. We added a filter that blocks those outputs and retries, and we tuned the prompt so it stays in character without triggering safety refusals.
Intel extraction on messy text
Scammers obfuscate (“at” for “@”, “dot” for “.”, spaced digits). We added a normalization step before regex extraction and merged results from both raw and normalized text so we still capture UPI IDs, links, and phone numbers.

Accomplishments that we're proud of

Two solutions, one backend
The Telegram bot and the voice call agent both use the same API and the same workflow. We didn’t build two separate products-we built one brain and two channels. That makes the system easier to maintain and scale.
Consistent experience across channels
Whether the scammer is on Telegram or on the phone, they get the same style of reply and we get the same detection and extraction. Everything is connected.
Rich intelligence extraction
We extract bank accounts, UPI IDs, phishing links, phone numbers, emails, APK links, crypto wallets, social handles, IFSC codes, and suspicious keywords-with normalization for obfuscation-and can send a final summary to a callback URL for analysts.
Scam taxonomy and detection
We classify into types (digital arrest, UPI scam, job scam, sextortion, lottery) using rules and ML, and we avoid false positives on legitimate SMS (e.g. OTP, delivery) with trusted-sender rules.
Evaluation suite
We have an evaluation module (Reddit-style scam dataset, expanded prompts, concurrent run script) to measure detection rate and latency so we can improve the system with data.
Live dashboard
One React dashboard for stats, live messages, and system status so we can monitor both the bot and the voice pipeline in one place.

What we learned

Orchestrating speech-to-text → LLM → text-to-speech in real time over WebSockets needs careful async handling and low-latency models. We learned to schedule work on the main event loop and pick the right STT/TTS options.
LangGraph fit the honeypot well: conditional steps (scam vs not scam, when to run extraction) and a clear flow (load → detect → reply → extract → save) made it easier to add callbacks and session lifecycle.
Scam taxonomy (digital arrest, UPI, job, sextortion, etc.) and trusted-sender rules were as important as ML for keeping recall high and false positives low on real-world messages.
Keeping one backend for bot and voice taught us to keep the bot stateless and put all logic in the API. That way both solutions stay in sync and we can add more channels without duplicating code.

What's next for ScamBait AI

Scale to more channels
Because everything is connected to one API, we can add more channels (e.g. WhatsApp, web chat) by building thin clients that send messages to the same backend. We can also scale the API with more workers and the database with read replicas as traffic grows.
Richer extraction and export
Using an LLM for messy or heavily obfuscated text when regex fails, and exporting intel to CSV/JSON for analysts and law enforcement.
Dashboard improvements
Filters by scam type, date range, and channel (Telegram vs voice); optional auth; and export of sessions and intel.
Voice improvements
More robust barge-in and silence handling, and possibly different voice options for the same character.
Hardening
Rate limiting, abuse detection, and optional integration with threat-intel feeds so extracted data can be shared safely with researchers and authorities.

ScamBait AI - Turn the table on scammers. One backend, two solutions: Telegram Bot Agent and Voice Call Agent. Everything connected, built to scale.

Built With

api
bot
deepgram
elevenlabs
fastapi
langchain
langgraph
python
react
render
rest
scikit-learn
sqlalchemy
tailwindcss
telegram
twilio
typescript
vite
websockets

Submitted to

Next Byte Hacks: January 2026
Airia AI Agents Hackathon
Dev_Dash
AI For Good
TechThrive March
Frostbyte Hackathon
- Winner Theme-Based Awards
- Winner Participation & Completion Recognition
Dev Season of Code
TerraCode Convergence
DevHouse Global Hackathon 2026
Frostbyte Hackathon

Created by

Maaz .
I'm Abu Maaz, a 21-year-old computer science junior. I'm always looking for new challenges and opportunities to learn.
DIYA VIRMANI
Pre-Final Year @ VIPS | AI Engineer (in Progress) | Operations Head @ E-Cell | Coffee, Code & Consistency |Hackathon Winner
Harshita Bangia
Ankit Singh Raghuvanshi

Updates

Maaz . started this project — Feb 22, 2026 12:55 PM EST

Leave feedback in the comments!

Log in or sign up for Devpost to join the conversation.