
In order of harm: the number of thefts of Telegram accounts has doubled

The number of Telegram account thefts has increased dramatically: 887,000 user profiles from Russia and other countries were stolen in the first quarter. This is almost comparable to the second half of 2024. This year, attacks have become more automated through the use of templates, including with the help of AI. In this situation, experts say, users must apply basic security measures themselves, and the messenger must also update security tools such as login notifications, advanced privacy settings, and anti-phishing.
How scammers steal user accounts and data
With the development of digital technologies and an increase in the volume of information, fraudsters are increasingly coming up with various schemes to deceive citizens, including through social networks and messengers. And the most popular of them, such as Telegram, are attracting more and more attention from intruders.
In the first three months of 2025, just one of the Russian-speaking attacker groups stole more than 887,000 user accounts from Russia and other countries, while in the second half of 2024 the same group stole more than 1.2 million profiles, Maria Sinitsyna, senior analyst at the Digital Risk Protection department at F6, told Izvestia. She noted that this is data on only one of the groups; in total, at least six similar groups acting against Telegram users have been found.
"The main task of the attackers is to ensure that the user provides his phone number, account password and SMS code from Telegram on a phishing resource that looks like the official messenger page," the expert explained.
She noted that to achieve their goal, criminals seek to use both fresh news stories and proven tricks: the promise of cash prizes and free subscriptions, voting, access to a private channel, and others, encouraging people to enter confidential data on fake resources.
Recently, for the first time, the company recorded a "combo scheme" in which a stolen account automatically begins to distribute fraudulent links, the expert said.
"Hackers hijack Telegram user accounts and then send messages to the contact list offering to take a survey on behalf of the United Russia party for money. To do this, it is proposed to download a fake mobile application with an Android Trojan; after installing it, criminals get the opportunity to withdraw money from the victim's accounts," said Maria Sinitsyna.
One of the Telegram users, Daniel, told Izvestia how he lost his messenger profile at the end of 2024. According to him, a classmate contacted him, and at first the conversation was absolutely normal, as before. The classmate even sent voice messages, so he had no thoughts of possible fraud, Daniel noted.
"In the chat, he asked for help opening an archived folder with files; allegedly he was not at his computer, and there was no necessary program for unarchiving on his phone. I agreed to help. After that, I downloaded the folder to open it, and the messenger 'transferred' me to the unarchiver. As soon as I did this and wanted to send the file back, I realized that I had been knocked out of my account and could not log in again," Daniel said.
According to him, he tried to log in several times, but the code did not arrive on the phone.
Indeed, it will be difficult for a person to restore their account: after hacking it, fraudsters prevent the owner from regaining control by constantly resetting all active sessions, experts previously told Izvestia. They also block the ability to write in all groups where the user was an administrator, in order to slow down the spread of information about the hack. This causes additional damage to the victim, as not only personal chats are blocked but also all work groups and chats, creating a risk for the victim's colleagues and business partners.
After hijacking an account in a messenger, criminals receive information from correspondence. They send messages to the contact list, user groups, and also to channels if the account had administrator rights, asking for financial assistance or containing links to phishing and fraudulent pages, Maria Sinitsyna added. In addition, stolen accounts are sold through marketplaces in the web dashboard or Telegram bots. In the shadow market, the average selling price of such profiles registered with Russian numbers is about 160 rubles.
Kaspersky Lab confirmed to Izvestia a 10% increase in thefts in the first quarter of 2025 compared to the same period in 2024. The attackers' interest in user credentials is due to the fact that they can use stolen profiles in various other fraudulent schemes: as part of telephone fraud, for blackmail, for sale on the darknet, said Olga Svistunova, senior content analyst at the company.
Igor Bederov, director of the Internet Search company, agrees with the data of his colleagues on account hijacking. He stated that they correlate with the general growth trend.
How to secure your data
Significant amounts of phishing through messengers have been observed in Russia for a long time. Such services have a large audience, people use them for both personal and work purposes, and attackers understand this, Olga Svistunova said. According to her, criminals also use neural networks to implement phishing schemes, in particular to create deceptive pages, thereby trying to automate their work.
According to Igor Bederov, we are talking about creating malware, texts for fraudulent schemes — websites, letters, messages. AI is also used for complex, multi-level attacks with access to a specific victim.
The growing number of thefts of Telegram accounts is a dangerous trend, especially given the scale with which cybercriminals operate, said Anton Nemkin, a member of the State Duma Committee on Information Policy, Information Technology and Communications.
"One of the reasons for the vulnerability of users is the insufficient level of protection of the accounts themselves. Telegram should continue to develop protection tools such as login notifications, advanced privacy settings, and anti-phishing," the deputy told Izvestia.
According to him, users themselves also need to be conscious about protecting their data: enable two-factor authentication, regularly check active sessions, and not share codes or passwords with third parties. Without changing behavior at the user level, any technical measures will have a limited effect, Anton Nemkin believes.
Kaspersky Lab recommends that you do not follow links from questionable messages, especially if they were sent by strangers, and also do not enter credentials or confirmation codes on suspicious resources. In addition, it is important to use antivirus software on all devices, the company concluded.