Sophisticated Telegram Phishing Campaign Exploits Legitimate Authentication Features
A new phishing operation is targeting Telegram users worldwide by hijacking the platform’s official authentication mechanisms. Unlike traditional phishing attacks that rely on fake login pages or malware, this campaign integrates directly with Telegram’s API, making it harder to detect.
Discovered by cybersecurity firm CYFIRMA, the attack employs two primary methods:
- QR Code Login: Victims scan a Telegram-style QR code, triggering a legitimate login request on the attacker’s server.
- Manual Login: Victims enter their phone number and, if prompted, their OTP or two-step verification password, which is relayed to Telegram’s official APIs.
The critical phase occurs when Telegram’s security protocols send an in-app confirmation prompt to the victim’s device. Attackers use social engineering, such as framing the request as a "security check", to trick users into approving the login. Once the login is approved, the attacker gains full access to the victim’s account without bypassing encryption or exploiting software flaws.
The campaign is highly organized, with a centrally managed infrastructure that rapidly deploys new domains while reusing backend logic. Technical analysis reveals Simplified Chinese language settings in the code, suggesting multilingual targeting. Compromised accounts are often repurposed to spread phishing links to the victim’s contacts, amplifying the attack’s reach.
This method exploits legitimate platform features, evading traditional security measures. By leveraging MITRE ATT&CK techniques including T1566.002 (Spearphishing Link), T1078 (Valid Accounts), and T1556 (Modify Authentication Process), the attackers bypass detection while maintaining persistence.
The campaign underscores a growing trend in cybercrime: the abuse of trusted services to deceive users into granting unauthorized access.
Source: https://gbhackers.com/telegram-phishing-scam/
Telegram TPRM report: https://www.rankiteo.com/company/telegram-messenger
{
"id": "tel1770623774",
"linkid": "telegram-messenger",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Telegram users worldwide',
'industry': 'Technology/Communications',
'location': 'Global',
'name': 'Telegram',
'size': 'Large',
'type': 'Messaging Platform'}],
'attack_vector': ['QR Code Login', 'Manual Login (Phone Number + OTP/2FA)'],
'customer_advisories': 'Telegram users should verify unexpected login prompts and enable two-step verification.',
'data_breach': {'personally_identifiable_information': 'Yes (phone numbers, contact details)',
'sensitivity_of_data': 'High (personal communications, contact information)',
'type_of_data_compromised': ['Account credentials', 'Contact lists', 'Messaging data']},
'description': 'A new phishing operation is targeting Telegram users worldwide by hijacking the platform’s official authentication mechanisms. The attack integrates directly with Telegram’s API, employing QR code logins and manual login methods to trick users into approving unauthorized access. Once authorized, attackers gain full access to the victim’s account and repurpose it to spread phishing links to contacts.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to Telegram due to abuse of its authentication features',
'data_compromised': 'Telegram account access, contact lists, and messaging data',
'identity_theft_risk': 'High (account takeover, contact list exposure)',
'operational_impact': 'Unauthorized access to user accounts, potential spread of phishing links',
'systems_affected': 'Telegram user accounts'},
'initial_access_broker': {'entry_point': ['QR Code Login', 'Manual Login (Phone Number + OTP/2FA)']},
'lessons_learned': 'Abuse of legitimate platform features can bypass traditional security measures. User education on authentication prompts and social engineering is critical.',
'post_incident_analysis': {'corrective_actions': ['Enhance authentication security for high-risk logins', 'Improve user education on phishing and authentication prompts'],
'root_causes': ['Exploitation of legitimate Telegram API authentication mechanisms', 'Social engineering to trick users into approving unauthorized logins']},
'recommendations': ['Implement stricter verification for high-risk login attempts (e.g., geolocation checks, device fingerprinting).',
'Enhance user awareness about phishing risks, especially for authentication prompts.',
'Monitor for unusual login patterns or rapid account repurposing for phishing.',
'Collaborate with cybersecurity firms to detect and mitigate API abuse.'],
'references': [{'source': 'CYFIRMA'}],
'response': {'third_party_assistance': 'CYFIRMA (cybersecurity firm)'},
'title': 'Sophisticated Telegram Phishing Campaign Exploits Legitimate Authentication Features',
'type': 'Phishing',
'vulnerability_exploited': 'Legitimate Telegram API authentication mechanisms'}