Everything for a ban: cybercriminals use new deception schemes with a premium Telegram subscription

Cybercriminals have adapted old deception schemes to the hype surrounding Telegram's work. Now users are offered not just a "profitable subscription extension", but supposedly access to the service "without restrictions". Attackers send phishing links with activation buttons — by clicking on them, users risk losing money and personal data. According to information security experts, in the first months of 2026, the number of attacks related to the "acceleration" of services and the "unblocking" of applications increased by about 40%. Izvestia investigated which schemes became the most common in April and how to protect themselves from such threats.

Old schematics in new packaging

Scammers began to deceive Runet users with the help of phishing links promising to "unblock" Telegram and access the service without restrictions, Izvestia found out. In April, the scheme with "gift" subscriptions received a new development due to increased interest in the Premium feature.

— Reports were actively spreading in the information field that some users with a premium subscription have a more stable messenger and without additional tools. This applied mainly to Android devices, but the fact itself became a trigger. At the same time, people received notifications about the "last opportunity" to subscribe — all this created a stir, Anastasia Osipova, a junior analyst at the Positive Technologies research group, told Izvestia.

As a result, the scammers have reworked the old scenarios: if before it was "sweepstakes" or "free Premium", now the focus has shifted to "maintaining access", "bypassing locks" and "exclusive conditions". Such a presentation significantly increases trust and reduces critical perception, she added.

According to the expert, messengers have been one of the key channels of attacks on private users for several years, and this trend has intensified in 2026. Now the wave of fraud is directly related to the limitations of the service and the information background around it. The attackers operate according to classical social engineering schemes, but they quickly adapt them to the current agenda.

— Telegram is used by more than 1 billion people worldwide, and in Russia the audience has exceeded 100 million. This makes it not only a platform for communication, but also a tool for fraud. Since February, against the background of restrictions in the operation of the service, we have seen a surge in the activity of intruders. This is a typical situation where scenarios are based on users' fear of losing access to a familiar service. Although the scheme itself was used back in 2024, then it did not receive such a large—scale distribution," Anastasia Osipova explained.

Igor Bederov, the head of the Internet Search company, confirmed that the number of such attacks increased several times in March-April. According to him, the attackers have built a systematic work in several directions at once.

— We see at least three stable scenarios. The first is the massive sale of fake subscriptions. The user receives a message supposedly from an acquaintance: "You have been sent 12 months of Premium as a gift," after which they are asked to click the "Activate" button. In fact, this is a phishing page where the victim enters account details or billing information. As a result, the attackers get full access to the profile and start mailing on his behalf, quickly scaling up the attack," he said.

"Unreliable and accessible to Western intelligence agencies"

Alexander Ionov, member of the Presidential Council for the Development of Civil Society and Human Rights, spoke about the full access of American government agencies to correspondence in Telegram.

In addition, users are offered messenger "accelerators" or "circumvention solutions." Under the pretext of verification, they are asked to confirm that the person is not a robot and enter the SMS code — this is a classic scheme for intercepting authorization and account hijacking.

— There are more aggressive options, such as distributing modified versions of the messenger with an allegedly built—in VPN or access to "hidden functions." In practice, installing such software leads either to device lockout or to extortion," Igor Bederov noted.

The third direction is the active growth of bot farms. This is an infrastructure that allows you to scale attacks: mass mailings, cheating the audience, spreading malicious links through chats and comments.

"Since the beginning of the year, the number of such services has grown significantly, and they are actively used in fraudulent campaigns," he added.

The reason for scaling up attacks

A similar trend is being recorded at Kaspersky Lab. The company's expert Tatiana Kulikova noted that the premium subscription theme remains one of the most effective lures.

— The main goal is to get credentials, confirmation codes, or payment information. At the same time, such messages are increasingly being sent on behalf of already compromised accounts, which significantly increases trust and accelerates the spread of attacks," she explained.

InfoWatch also emphasizes that the basic scheme remains the same, but its effectiveness has increased due to adaptation to the current agenda. An additional vector is related to the proposals of "official solutions" to circumvent restrictions, added Pavel Kovalenko, director of the anti-fraud center at Informzashita.

— Scammers send instructions on how to bypass locks, offer to install applications or VPN services, and disguise phishing pages as "solutions" from operators or government agencies. They often require an advance payment for "guaranteed unlimited access." As a result, a person either installs malware or transfers payment and credentials. According to our data, in the first months of 2026, the number of attacks related to the "acceleration" of services and the "unblocking" of applications increased by about 40%, he said.

Attackers can also carry out targeted attacks on specific users using the premium subscription theme, said Evgenia Egorova, a leading analyst at F6's digital risk protection department.

Don't open it to anyone: hackers have started disguising malicious links under Telegram

The main target of cybercriminals are defense enterprises and government agencies.

The increase in fraudulent activity coincided with a decrease in the availability of Telegram. According to the OONI Explorer service, on the night of April 20, the level of unavailability of the messenger in Russia was about 97%, which became an anti-record.

Blocking proxies and making access more difficult only encourage users to look for alternative solutions — and this is what scammers are actively using, says Vladimir Zykov, director of projects at ANO Digital Platforms. Eldar Murtazin, a leading analyst at Mobile Research Group, believes that there are no prerequisites for improving the service.

— Peaks of service outages in the evening and at night are understandable. During this period, technical means of countering threats (TSP) that filter Internet traffic are being reconfigured. By morning, the situation usually stabilizes," the expert explained.

Experts agree that the key factor for scammers is still the behavior of the users themselves. Awareness, verification of information, and avoiding hasty actions in case of "profitable" offers are basic but critical protective measures. While the situation with Telegram availability remains unstable, the experts surveyed expect a high level of such attacks to remain.