After two years, Telegram smishing is back, and account takeovers are here to stay

Following the Telegram account takeover campaign of 2024, a smishing attack has recently been identified that exploits the theme of Telegram security issues to steal users' account information. Threat actors hijack Telegram accounts by tricking users into entering their phone numbers and login codes on phishing sites. Once an account is compromised, personal information and chats can be leaked, and secondary damage can follow. Let's take a look at the main Telegram login smishing schemes and the security tips you should keep in mind.

[Figure 1] Telegram login smishing has surged again

The Telegram login smishing we've seen this time around uses phishing pages and account takeover methods almost identical to those observed two years ago.

The attacks are primarily launched through messages that falsely claim to concern Telegram security issues, account protection, login verification, and the like. When users click the link in the message, they are directed to a phishing site that imitates the Telegram login page. The site is laid out much like the actual Telegram service, making it easy for users to mistake it for a legitimate security verification process.

[Figure 2] Comparison of phishing sites in 2024 (left) / 2026 (right)

In particular, this phishing site also includes a bypass feature to evade security detection. The site checks the visitor's User-Agent value and redirects them to a legitimate site if they appear to be coming from an analytics tool, crawler, security service, or PC environment. This appears to be intended to avoid detection by security personnel and automated analysis systems.

[Figure 3] Bypass Logic Code
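As an added example (not code from the AhnLab post or from the phishing kit), the following Python script shows how an analyst can expose this kind of User-Agent cloaking: it fetches a suspected URL with phone, PC and crawler client profiles and flags the site when only the phone profiles reach a host the other profiles never see. The hostnames, User-Agent strings and sample responses are constructed.

```python
"""Added example (not the AhnLab post's or the kit's code): cloaking check for a
suspected smishing URL. The kit above shows its fake login page only to phone
browsers and sends crawlers, scanners and PC browsers to a legitimate site, so
probing with several User-Agents and comparing landing hosts exposes it."""
import urllib.request
from urllib.parse import urlparse

# Client profiles to probe with (User-Agent strings are illustrative, not the kit's).
PROFILES = {
    "android_phone": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/124.0 Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1",
    "desktop_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/124.0 Safari/537.36",
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}
MOBILE = {"android_phone", "iphone"}

def probe(url, profile, timeout=10):
    """Fetch url with one profile's User-Agent, following redirects; returns
    (status, final_url, body). Run only from an isolated analysis host."""
    req = urllib.request.Request(url, headers={"User-Agent": PROFILES[profile]})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.geturl(), resp.read(65536).decode("utf-8", "replace")

def landing_host(final_url):
    return urlparse(final_url).netloc.lower()

def assess_cloaking(observations):
    """observations: {profile: (status, final_url, body)}. Flags cloaking when
    phone profiles land on a host that no PC/crawler profile ever reaches,
    i.e. the User-Agent alone decides the destination."""
    mobile = {landing_host(o[1]) for p, o in observations.items() if p in MOBILE}
    other = {landing_host(o[1]) for p, o in observations.items() if p not in MOBILE}
    cloaked = bool(mobile) and bool(other) and mobile.isdisjoint(other)
    return {"cloaked": cloaked, "mobile_hosts": sorted(mobile), "other_hosts": sorted(other)}

# Constructed sample: phones stay on the fake login page, everyone else is bounced.
SAMPLE = {
    "android_phone": (200, "https://phish.example/login", "<form>phone number</form>"),
    "iphone": (200, "https://phish.example/login", "<form>phone number</form>"),
    "desktop_chrome": (200, "https://legitimate.example/", "<html>real site</html>"),
    "crawler": (200, "https://legitimate.example/", "<html>real site</html>"),
}

if __name__ == "__main__":
    print(assess_cloaking(SAMPLE))
```

Against a live URL, build `observations` by calling `probe(url, p)` for each profile in `PROFILES` and pass the result to `assess_cloaking`.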

When the user enters their phone number on the phishing page, Telegram sends a login code to the user's Telegram app. The phishing site then asks the user to enter that login code. Once the code is submitted, the account information is passed to the threat actor, who gains access to the victim's Telegram account.

If your Telegram account is compromised, your personal information and conversations can be leaked, and secondary damage can follow, such as additional smishing messages being sent to your saved contacts. In particular, Telegram is often used not only for personal conversations but also for work, community, investment, and trading-related communications, which further widens the scope of damage when an account is compromised.

Users should be especially cautious when they receive messages asking them to follow a link to check Telegram security, protect their account, or verify a login. Do not follow links from unclear sources, and do not enter login information or verification codes on external pages.

It is also always a good idea to set up two-step verification on your Telegram account. Enabling two-step verification makes it harder for threat actors to access your account even if your login code is compromised, because an additional password is required.

Other good security habits include periodically checking for suspicious login notifications or access from unfamiliar devices, and terminating active sessions when necessary.

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.