There are several similar articles on this topic, but while I was trying to recover my account, I never saw this solution, so I decided to post it. I hope it will help someone.
I'll say right away that this situation happened before the 'boom' in the news about Telegram hacks, so it wasn't as well-known.
The whole story began when an acquaintance of mine wrote to me and asked for help in restoring access to her Telegram account. I was immediately surprised because I didn't think Telegram accounts were hacked at all, as login is usually by phone number, and without having the phone, you can only log in with a QR code or a code from the messenger itself.
Well, what could I do? I started trying to log into the account. Naturally, the app made it clear that I wouldn't be able to do so anytime soon.
I immediately went to the web version, and there, upon login, it shows the number of seconds you have to wait for subsequent login attempts, in the format "Flood_wait_XXXX". In my case, I had to wait 22 hours.
While searching for similar situations, I came across an article on Habr about how a person shared their situation and offered their own recovery method: "link to his article".
This method didn't work for me as I'm not strong in JS and didn't even understand what went where, so I decided to dig deeper.
When the time was up, I tried to log into Telegram and saw that the person had written to everyone in the contacts asking them to vote for a certain 'Vikusya'.
We can also see a folder at the top marked with an emoji resembling, well, you know what. The scammer moved everyone who 'took the bait' there.
After that, of course, I was kicked out of the account. It all happened in 5-7 seconds. Okay, I thought, I'll log in again and kick the scammer out through 'active sessions', but it wasn't that simple. He had naturally become the owner of the account, and Telegram, of course, considered me the scammer...
Next, if anyone is interested or if there are still those who don't know how this scheme works, I'll explain it under a spoiler.
Spoiler
The victim receives a message asking them to vote for someone, after which they follow a link and lose their account, but not immediately. It's done more cleverly: a person (or a bot) starts an active session and doesn't log out of the account for 5 days (sometimes less). If the victim doesn't check their 'active sessions' (and not everyone does), then after a certain amount of time, the scammer becomes the account owner, and you can no longer even terminate their session.
My next action was to try to set a cloud password, because I thought that if I set it, the session would end, or at least the scammer wouldn't be able to write to anyone and kick me out of the session. By logging in again very quickly, I managed to-set the cloud password and link an email, but then I was kicked out again.
Here I realized that the cloud password wouldn't save me, but would only give me an additional login option via a code sent to my email.
After reading the forums again, I saw an article that said to write to tech support. You can't talk directly to an operator there, only send an email and wait 100 thousand years as usual. But I wrote anyway. After a day, I received no reply, not even a notification that they had at least seen my email. I also sent a message to the form (supposedly the official Telegram support) in two languages stating that the account was hacked, and again there was no response. Then, in desperation, I wrote to the volunteer bot (for those who don't know, there's an option 'write to a volunteer' right in the app). Of course, I understood that volunteers couldn't help much here, and apparently, I was right, as no response came.
There was another method I found on Google. It said you need to log in from the exact device you always used for Telegram (I was logging in from my own devices, as my acquaintance who was hacked was not in my city, and due to her age, she wouldn't have been able to quickly access the sessions and try to terminate them). Then, supposedly, it would allow you to terminate the sessions. But apparently, this referred to the case where the scammer hadn't terminated your session and become the 'owner' of the account, because even so, I couldn't terminate his sessions.
There is also a way to delete the account, but unfortunately, it wasn't suitable for us as there were personal channels and other things we didn't want to delete.
So how did it all end?
Actually, it was quite simple, but I only figured it out after numerous recovery attempts.
I wrote to the support form several times with different texts and never asked them to terminate all sessions. But then it dawned on me. As soon as I sent another form, this time with a request to terminate them, I was able to log into the account literally 30 minutes later, and there was no one else in it. By the way, all this happened after another 'attempt limit exceeded, try again later' message, and at that point, I had 15 hours left to wait. But it seems that if all sessions are terminated, the counter resets automatically.
I hope this article was useful to someone, as I haven't seen this particular method anywhere.