A new and sophisticated Telegram phishing operation is active in the wild, targeting users globally by hijacking the platform’s legitimate authentication features.
Unlike traditional phishing, which often relies on malware or cloning login pages to steal passwords, this campaign integrates directly with Telegram’s official infrastructure.
The attackers register their own Telegram API credentials (api_id and api_hash) and use them to initiate real login attempts.
The attack supports two primary methods:
- QR Code Login: The phishing page displays a Telegram-style QR code. When the victim scans this using their mobile app, it initiates a legitimate login attempt on the attacker’s server.
- Manual Login: The victim enters their phone number and, if prompted, their One-Time Password (OTP) or Two-Step Verification password. These inputs are relayed to Telegram’s official APIs immediately.
Discovered by cyber intelligence firm CYFIRMA, this campaign moves beyond simple password theft. Instead, it tricks victims into approving valid, attacker-controlled sessions directly within the Telegram app, granting criminals full access to user accounts.
Telegram Phishing Scam
The critical phase of the attack occurs after the victim provides credentials or scans the code. Telegram’s security protocols trigger an in-app system message on the victim’s phone, asking them to confirm the new login.
The attackers use social engineering to manipulate this step. The phishing site displays misleading messages, framing the authorization prompt as a routine “security check” or “verification process.”
Believing they are securing their account, the victim clicks “This is me” or “Yes” on the official Telegram prompt.
By approving this prompt, the victim unwittingly authorizes the attacker’s device. Because the session is legitimately authorized by the user, the attackers gain complete access without needing to bypass encryption or exploit software vulnerabilities.
Technical analysis reveals that this is a highly organized, configuration-driven campaign. The phishing infrastructure is centrally managed, allowing the attackers to rapidly deploy new domains while reusing the same backend logic.
“The findings highlight a continued shift toward the abuse of legitimate platform features as a primary attack vector,” the CYFIRMA report states, “increasing the difficulty of detection, prevention, and user awareness.”
Once an account is compromised, it is often used as a launchpad to send phishing links to the victim’s trusted contacts, amplifying the campaign’s spread.
MITRE FRAMEWORK
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566.002 | Phishing: Spearphishing Link |
| Initial Access | T1078 | Valid Accounts |
| Credential Access | T1556 | Modify Authentication Process |
| Credential Access | T1528 | Steal Application Access Token |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1078 | Valid Accounts |
| Persistence | T1098 | Account Manipulation |
Why This Matters
This campaign highlights a dangerous shift in cybercrime tactics: the abuse of legitimate platform features. By forcing the user to perform the final authorization step within the trusted Telegram app, attackers bypass many traditional security detections.
The presence of Simplified Chinese language settings in the backend code suggests deliberate multilingual support, enabling the attackers to target users across different regions.
Users are advised to be extremely cautious of any “security checks” that appear after scanning QR codes or entering details on third-party sites. If you receive an in-app request to authorize a new session that you did not explicitly initiate for yourself, deny it immediately.