Scammers have figured out how to steal Telegram channels using one of the messenger's functions, which appeared after its large-scale update on July 1, cybersecurity experts told Izvestia. The function in question lets users offer a paid publication to a channel administrator, and attackers place phishing links in such messages. Experts believe that this type of deception will mainly be aimed at owners of channels with up to 10 thousand subscribers.

New schemes for deceiving Telegram users

A new feature, "suggested publications", has been available in Telegram since June 1. Scammers immediately started using it to send phishing and malicious links to the owners of Telegram channels, disguising them as interesting content. The main trick is to offer the administrator a generous fee so that he examines the offer closely and studies the details via a link that leads to a phishing resource, Anatoly Dolzhenkov, an independent cybersecurity expert, told Izvestia.

Phone
Photo: IZVESTIA/Eduard Kornienko

"If the victim clicks on such a link and enters an authorization code or installs malware, the attacker can intercept control of the channel. In the future, he will be able to demand a ransom for the return of access or use the channel to deceive subscribers," said the head of BI.ZONE Brand Protection Dmitry Kiryushkin.

The mechanics of the deception are very simple, confirmed Igor Bederov, director of the Cyber research department at T.Hunter.

"Criminals create fake bait channels in advance with the reputation of news portals or analytical resources. Next, posts with malicious links are sent to the 'suggestions' of the target channels. When clicking on them, the administrator is redirected to a phishing site that mimics the Telegram interface," he explained.

According to Bederov, entering the login and the SMS code gives the attackers access to the account. Against IT administrators, stealers or files with macro viruses (.doc and .xls formats) are used, which inject malware when opened.

Code from an SMS
Photo: IZVESTIA/Dmitry Korotaev

It is already known that the user channel "Booster League" was one of the first to suffer from this method: hackers deleted it after using it for a scheme involving esports betting. Currently, the channel administration is working with Telegram support to restore the profile.

Blogger Denis Podemirov reported a similar case of "hijacking" on his social media accounts. He contacted messenger support and has not received any response yet.

Experts note that the procedure for regaining control over a deleted or stolen channel can take from several days to several months and is not always completed successfully.

The scale of the problem

In June, registrations of potentially phishing domains whose names include telegram, tg and others increased by 40%. This indicates the relevance of the topic, Igor Bederov said.

Keyboard and padlock
Photo: Global Look Press/IMAGO/Zoonar.com/Andres Victorer

"Cheating with suggested posts has become a new trend. It is aimed primarily at channels in the segment of up to 10 thousand subscribers, in which payment instruments are connected. It is believed that administrators there are less savvy in the topic of cybersecurity. It is much more difficult to deceive the owners of large channels. There are a lot of small resources, and the attackers' actions are primarily aimed at them. Due to the scheme that scammers have now started using, hundreds of administrators risk losing access to their accounts," the expert concluded.

As a way of attacking the owners and administrators of Telegram channels, the post suggestion function is one of the new technical capabilities, but a phishing link or a link to a malicious resource can also be inserted into a private message, explained Evgeny Egorov, a leading analyst at the digital risk protection department at F6.

Scammers also use text messages to confirm access to the channel's administration, misleading victims, he said.

"Fraudsters' methods are constantly evolving, but protection technologies are also evolving. By the end of the half-year, on average, we blocked 144 million SMS messages per month, which is twice as high as the monthly average of 2024. Such messages are not only spam mailings, but also fraudulent tricks, which are only part of multi-level techniques," commented Sergey Khrenov, Director of the Fraud Prevention and Revenue Loss Department at MegaFon.

Scammer
Photo: Global Look Press/Sergey Lantyukhov

BI.ZONE Brand Protection specialists also note a new scenario for the "hijacking" of user accounts. Scammers create fake pages disguised as the Fragment.com platform, the only official service from Telegram for buying and selling usernames and phone numbers. The balance for paid offers is also replenished through it. By entering a confirmation code when logging in to such a fake site, the victim hands over access to his account. The attackers gain control over it along with all the confidential data.
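A link check that an administrator or moderation bot could run on a suggested post before anyone opens it, given here as an added example that is not part of the article: it separates exact official hosts from lookalikes built on the strings the experts mention (telegram, tg, Fragment). The official-host set and the sample post are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# fragment.com is named in the article; telegram.org and t.me are Telegram's
# own domains. The set is an assumption to adapt to your own environment.
OFFICIAL = {"telegram.org", "t.me", "fragment.com"}
BRAND_SUBSTRINGS = ("telegram", "fragment")  # matched inside any host token
BRAND_TOKENS = {"tg"}                        # matched only as a whole token
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def classify_host(host):
    """Return 'official', 'lookalike' or 'other' for a bare hostname."""
    host = host.lower().rstrip(".")
    if host in OFFICIAL or any(host.endswith("." + d) for d in OFFICIAL):
        return "official"
    tokens = re.split(r"[.-]", host)
    if BRAND_TOKENS & set(tokens):
        return "lookalike"
    if any(b in t for t in tokens for b in BRAND_SUBSTRINGS):
        return "lookalike"
    return "other"

def classify_url(url):
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
        has_userinfo = parts.username is not None
    except ValueError:
        return "unparsed"
    if has_userinfo:
        # https://t.me@host/... shows a trusted name but connects to `host`.
        return "lookalike"
    return classify_host(host)

def triage(text):
    """Extract http(s) links from a message and classify each one."""
    urls = [u.rstrip(".,;") for u in URL_RE.findall(text)]
    return [(u, classify_url(u)) for u in urls]

# Constructed sample post; every non-official host uses a reserved TLD.
SAMPLE_POST = """Paid placement offer, details:
https://fragment.com/
https://fragment.com.pay-portal.test/login
https://tg-promo.example/offer
https://t.me@cdn.example/brief
https://outgoing.example/news"""

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_POST):
        print(f"{verdict:10} {url}")
```

Matching "tg" only as a whole hyphen- or dot-separated token keeps hosts such as outgoing.example from being flagged, while the real domain used as a subdomain prefix or as URL userinfo is still caught.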

Izvestia previously wrote that, according to F6, in the first three months of 2025 alone, just one of the Russian-speaking groups of intruders stole more than 887,000 Telegram user accounts from Russia and other countries. In total, at least six similar groups acting against Telegram users were discovered.

And in June, BI.ZONE specialists alone recorded almost 4 thousand resources that are focused on "hijacking" user profiles. The messenger's audience is growing regularly, which gives attackers the opportunity to reach many potential victims. The Favorites folder often becomes a source of valuable information, such as passwords, bank card details, and photos of documents. Subsequently, this data is used for fraudulent activities, says Dmitry Kiryushkin from BI.ZONE Brand Protection.

A woman affected by fraud
Photo: Getty Images/fizkes

To avoid falling for the tricks of intruders, it is recommended not to follow links from questionable messages, especially if they were sent by strangers. In general, it is important to be critical of any online offers. You should not enter confidential data on suspicious resources, including credentials for messenger accounts. It is important to use a reliable security solution that recognizes a phishing or scam resource in time, concluded Olga Altukhova, senior content analyst at Kaspersky Lab.

Translated by Yandex Translate