Code malice: scammers have tripled their Telegram account hijacking activity
In the second half of 2025, the number of phishing pages that scammers link to in private messages and under popular Telegram posts rose to 62,000, cybersecurity companies estimate. About 20,000 such resources had been identified by the end of June, and by November the total had tripled. Attackers mostly disguise these links in comments as messages about giveaways of a paid Telegram subscription. Izvestia looks at which other schemes are currently in active use on the messenger.
How they try to hack accounts
In the first half of 2025, more than 20,000 fraudulent domains aimed at stealing Telegram accounts were identified, BI.ZONE Digital Risk Protection reported. From the third quarter the attackers became even more active: from July to November, another 42 thousand such resources were recorded. Activity peaked in July, when more than 11 thousand domains were discovered. The total number of phishing pages that scammers link to has thus tripled.
"Probably, such rapid growth is associated with the popularization of 'Stars', the internal currency of Telegram, as well as the Toncoin cryptocurrency," they explained. "Since July, the messenger has expanded the possibilities for operations using these methods. Since then, users have been using Stars and Toncoin more and more actively, and attackers are trying to gain access to wallets and steal money."
Scammers' interest in hacking Telegram accounts has grown significantly, confirmed Evgeny Pankov, a data analyst at the Coordination Center for .RU/.РФ domains.
"Within the framework of the 'Domain Patrol' project, from January to October of this year more than 5.8 thousand domains related to attempts to compromise Telegram accounts were identified and blocked in the .RU and .РФ zones," he said. "This is 2.5 times more than in the same period of 2024. And the activity of intruders in this messenger continues to grow."
The main goal of hackers when hacking accounts is to access users' contacts, correspondence, and personal photos, said Evgeny Pankov. This gives them the opportunity to send phishing links on behalf of the victim, engage in extortion and commit other illegal acts.
Why are Telegram accounts being stolen?
One of the scammers' tasks is to reach as many potential victims as possible in order to steal their Telegram accounts, said Dmitry Kiryushkin, head of BI.ZONE Digital Risk Protection.
"For example, attackers leave comments in popular channels with messages about paid subscription draws," he said. "To participate, you need to log in with your account. This way, the user may lose access to the messenger and even lose money."
Izvestia studied dozens of popular Telegram channels. Anonymous users leave similar offers in the comments on almost every post.
In addition, scammers post messages on behalf of the "lucky winner." Such "users" claim to have received a large prize on a site with sweepstakes from online stores, and attach a link to a phishing resource.
In total, experts found more than 4,500 such messages on Telegram platforms. Their reach was over 74 million people, Dmitry Kiryushkin said.
Popular pretexts used by scammers include fake Telegram support pages, various votes, messages about holiday payments, and discounts and sales at popular stores and marketplaces, Evgeny Pankov recalled.
Another current scheme works as follows: the user receives a message saying they have allegedly been sent a gift, an annual premium subscription to Telegram. The "gift" is supposedly activated by clicking on the link. However, hovering the cursor over the link or pressing and holding it shows that it is ordinary text with a phishing link embedded in it.
If the user does follow it, he will end up on a fake page where he will be asked to verify his account, said Olga Altukhova, senior content analyst at Kaspersky Lab.
"Next, on this phishing page, a person will be required to log in: enter a phone number and a confirmation code," she explained.
The increase in the number of attacks via Telegram is influenced by both its high popularity and seasonal factors: summer holidays, the beginning of the school year, and traditional autumn sales, Evgeny Pankov noted.
"The upcoming New Year holidays and long vacations will also be no exception: at this time, users are more likely to make online purchases and click on phishing links, losing their vigilance," he added.
How to deal with account hijacking
Phishing resources disguised as official Telegram services have become the main trend in 2024-2025, the lawyers interviewed confirmed.
"One of the most common schemes was the imposition of an urgent confirmation of the number," said Sofya Lukinova, head of the legal department of VMT Consult. "The user is sent a message saying that his SIM card is allegedly registered in another region or that someone is trying to log into Telegram in his place."
The user is then asked to click on the link and update their data, but the page is in fact a form for intercepting the code from an SMS. In some cases, scammers try not only to gain access to the account, but also to "hijack" the phone number and then have the SIM card reissued in order to consolidate control over all the victim's services.
The second common scheme remains fake admin bots. The attacker writes to the user on behalf of the Telegram security service, claims that the account violated the rules, and asks for verification.
"The third direction is fake duplicates of well-known channels," she added. "Scammers manually copy the design and content, after which, under the guise of an administrator, they begin to send subscribers links for, for example, bonuses or extended access. This is a massive scheme, which began to receive noticeably more requests in the second half of the year."
After an attack, the fraud should be documented as soon as possible: take screenshots and save links, messages and correspondence, which will be useful for qualifying the incident, advised Sofya Lukinova.
"You should immediately contact your telecom operator if there is a risk of 'hijacking' the number, and block the SIM card. File a police report. Fraud, even in digital form, is a criminal offense, and an application is accepted regardless of the amount of damage," she said.
A complaint about fraud or unlawful access to computer information is filed with the police, said lawyer Ekaterina Alexandrovich.
"You should contact the bank and the telecom operator with a statement about unauthorized write-offs and disputed transactions and a request for a refund and blocking of transactions," she said. "But if there was only a phishing attempt, you blocked everything in time and nothing was lost, you can first limit yourself to technical measures and a statement to support. But keep the evidence: if damage occurs, contacting the police about it will be easier."
To protect messenger accounts from compromise, you should enable two-factor authentication and be more careful when clicking on links received from both familiar and unfamiliar contacts, added Konstantin Larin, head of the Bastion cyber intelligence department. In addition, it is worth checking that the address shown in the browser's address bar matches the expected domain name, and you should not install mobile applications from questionable sources.
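The link hidden behind text in the "gift" scheme and the advice to compare the address with the real domain can be checked automatically. The following is an added example, not taken from the article: it audits messages in Telegram Bot API form (`text_link` entities) and reports links whose real host differs from what the text shows or lies outside Telegram's domains. The `OFFICIAL` allowlist, the lure keywords and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit
# Assumption: domains treated as official Telegram properties for this check.
OFFICIAL = {"telegram.org", "t.me", "telegram.me"}
LURE_WORDS = re.compile(r"telegram|premium|gift|prize|verif", re.I)
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def is_official(host):
    """True only for an official domain or a true subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def visible_text(text, offset, length):
    """Entity offsets count UTF-16 code units, so slice the UTF-16 encoding."""
    raw = text.encode("utf-16-le")
    return raw[offset * 2:(offset + length) * 2].decode("utf-16-le")

def audit_links(message):
    """Return (shown text, real host, reasons) for each suspicious hidden link."""
    findings = []
    for ent in message.get("entities", []):
        if ent.get("type") != "text_link":
            continue  # only links hidden behind custom text
        shown = visible_text(message["text"], ent["offset"], ent["length"])
        host = (urlsplit(ent["url"]).hostname or "").lower()
        reasons = []
        named = HOST_IN_TEXT.search(shown)
        if named and named.group(1).lower() != host:
            reasons.append("text names a different host")
        if not is_official(host) and LURE_WORDS.search(message["text"]):
            reasons.append("Telegram-themed lure leaves Telegram domains")
        if reasons:
            findings.append((shown, host, reasons))
    return findings

# Constructed sample messages; hosts use the reserved .example TLD.
GIFT = {"text": "🎁 You were sent a gift: Telegram Premium for 1 year. Activate",
        "entities": [{"type": "text_link", "offset": 54, "length": 8,
                      "url": "https://premium-gift.example/login"}]}
VOTE = {"text": "Vote here: t.me/contest",
        "entities": [{"type": "text_link", "offset": 11, "length": 12,
                      "url": "https://tg-vote.example/auth"}]}
DOCS = {"text": "Telegram Bot API docs",
        "entities": [{"type": "text_link", "offset": 0, "length": 21,
                      "url": "https://core.telegram.org/bots"}]}

if __name__ == "__main__":
    for msg in (GIFT, VOTE, DOCS):
        print(audit_links(msg))
```

The suffix match in `is_official` is what rejects lookalikes such as `telegram.org.login.example`, which contain an official name but are not subdomains of it.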