A new phishing operation uncovered by CYFIRMA targets Telegram users by weaponising the platform’s own security features: instead of harvesting credentials, it gets the victim to authorise the attacker’s session directly through Telegram’s official app. According to CYFIRMA, the attack uses legitimate Telegram API credentials to trigger authentic login prompts on victims’ phones, effectively turning a routine security check into a full account takeover.
The phishing site presents two options, scanning a QR code or entering a phone number, each of which triggers a genuine in-app authorisation request on the victim’s device. The pages coach users to approve the prompt, with misleading system messages guiding them to click “This is me” to authorise the operation, thereby deflecting suspicion by framing the prompt as a security verification.
CYFIRMA’s analysis describes a centralized, reusable phishing framework designed for mass deployment, with multilingual support, including Simplified Chinese, indicating broad international reach.