Telegram bot steals accounts using login codes

Security researchers have uncovered a Telegram bot and associated channels pretending to be “boosters” for the messenger’s performance, but they’re actually stealing user accounts. The scam asks users to confirm they are “not a robot” and then enter a five-digit code – which is actually Telegram’s authorization code. If the account doesn’t have a cloud password (Telegram’s two-step verification) enabled, the hackers gain full access.

How the scam bot works

The scheme is simple yet effective against inattentive users: the bot claims to “speed up” Telegram or offer a way to bypass restrictions. To proceed, it asks users to click an “I’m not a robot” button – which collects their phone number. Next, the user is prompted to enter a five-digit code into a “verification” form; this code is actually the Telegram authorization code sent on login. Without the cloud password enabled, that code gives attackers full control over the account.

“Then, under the pretext of a check, users are asked to enter a five-digit code supposedly sent by the bot itself. In reality, this is the Telegram authorization code. Entering it into the ‘speed bypass’ form instantly grants attackers access – provided the cloud password isn’t activated.”

Anastasia Knyazeva, digital risk protection analyst at F6

What not to download: fake clients and trojans

Alongside the scam bot, channels have appeared that offer “modified” desktop clients or VPN/proxy tools to bypass blocks. Security experts found a trojan hidden inside a Windows application disguised as part of one channel’s downloadable archive. This is a classic tactic: malicious installers masquerading as handy utilities.

• “Performance boosters” and unblock modules often serve as phishing fronts.
• Files packed in archives are common carriers of trojans and backdoors.
• Recommendations to download VPNs or proxies can lead to fake services loaded with malware.

What users should do

Simple precautions can drastically reduce the risk of losing your account. The most reliable step is to enable the cloud password (two-step verification) in Telegram’s settings: this way, the login code alone won’t allow hackers to get in.

• Never enter authorization codes into third-party forms or send them to bots.
• Download official Telegram clients only from the developer’s website or trusted app stores.
• Enable the cloud password via Settings → Privacy and Security → Two-step verification.
• Avoid clicking on links promising “speed boosts” and never run .exe files from unknown archives.
• Use antivirus software and verify the integrity (hashes) of software when downloading outside official stores.

Why this matters

These attacks exploit a growing trend: as users face restrictions on certain services, they seek “accelerators” and alternatives – often trusting offers that promise a quick fix. The scammers benefit by gaining account access, which lets them send spam posing as the user, steal assets, or abuse the contacts list to launch further attacks. Meanwhile, regular users lose out, and Telegram’s reputation suffers. The more incidents like this occur, the more users will be tempted to switch to other platforms or forks.

This isn’t a new threat: phishing bots and fake clients have been repeatedly used to steal login credentials and deliver malware across various messaging platforms. But when attacks coincide with discussions around restrictions and alternatives, their impact grows stronger.

Brief outlook

Expect new variations – from more cleverly disguised bots to fake “updates” for official clients. The best defense is widespread user education and straightforward security setup within the app. As long as users keep entering codes into unknown forms, scammers will keep winning.