It's been two years since I posted a video and a post about how I recovered my friend's Telegram account using JavaScript. Since then, I've helped over a hundred people regain access to their accounts. I regularly get messages in my feedback bot like "Anton, please help! I clicked a link and my account was stolen."

Screenshots of sample requests to my bot

The main security problem with Telegram is that anyone who has held a session in an account for more than 24 hours can terminate all other sessions, including the owner's. After that, every attempt to get back in is defeated by the scammer's speed: they simply keep terminating the owner's new session.

For a while, my method actually worked, and I helped everyone who reached out. The mechanics were simple: log into the user's account and start spamming in all directions until Telegram's anti-spam system fired and terminated all sessions, including the scammer's. Then the account owner logged back into Telegram and remained its owner.
Soon, Telegram updated its security policy, and this method stopped working. Perhaps the developers decided that "scammers are people too, let them earn their bread." The result is that a scammer can now operate freely in an account, and recovering it relies on a miracle. I wrote a long post about my disappointment with Telegram in this regard on my channel with all the links confirming my indignation.
I anticipate that after this article, people will start messaging me again asking for help to recover their accounts. I'm writing this for those people: please don't write to me. Unfortunately, I can't help. My method hasn't worked for a long time, and I won't be able to help you. Please refer only to point 8 of this publication.
If you're reading this after you've been hacked, please read it to the end anyway.
First, to know how to avoid a similar situation in the future and protect your loved ones from this risk;
Second, at the end, I'll tell you about a method that might still work even now.
🔐 How to Protect Your Telegram
I decided to gather all the security aspects I know here. They may seem obvious to those who follow them regularly. If they are all obvious to you, then congratulations—your account has probably never been hijacked.
If you follow all these steps, you can sleep soundly—no one will hijack your account (as of the writing of this article).
This publication also has a video version (🎥 YouTube | VK | Rutube | Dzen | PL 🎥).
1. Access to Your SIM Card
It might seem obvious: your phone number is the key to your account, and it seems odd to imagine losing access to it. Yet about a third of all requests to my bot were related to losing access to a SIM card. The reasons vary:
bought a "shady" SIM card from a street vendor and it stopped working;
the SIM card was bought during a trip and is no longer active;
moved to another country, but the Telegram account is still linked to the old, inactive number.
The problem is that Telegram only sends codes to the number currently linked to the account. You can't log in via email or any other method. And once the session has been terminated on all devices, there is no logged-in device left to receive the code, so it can only be delivered to that phone number. This means if your SIM card dies, so does your Telegram account.

What to do:
Check if you have stable access to your number. Make sure it hasn't been blocked by the carrier, has a positive balance, and is registered in your name;
If your SIM card is questionable or lost, link your account to a real, accessible number. You should do this right now, putting everything else aside.
Telegram sometimes kindly asks if you still have access to the phone number linked to your account. It does this about once a month, and not very obviously.
2. Cloud Password (Two-Step Verification)
Many years ago, Telegram introduced the cloud password feature. After entering the authorization code, you need to enter a cloud password. This protects you from situations where an unauthorized person gains access to your SMS messages or your carrier is up to no good and reads your messages.
Without a cloud password, in such situations, a scammer will take over your account, set their own cloud password, and it will be nearly impossible to get the account back.

What to do:
Be sure to enable two-step verification.
The password doesn't have to be a monster: Telegram's servers check it only after a valid login code, so a scammer's only option is to guess it online. What matters is that it can't be guessed (not your name, birthday or phone number) and isn't reused from any other service. Six characters with a mix of upper and lower case is enough; you don't need something that takes half an hour to type manually.
The main thing is to save it in a safe place, otherwise you won't be able to restore access yourself. KeePass or any other password manager will do.
3. Linked Email
In the screenshot above, you can see that when setting a cloud password you can specify an email address for future password recovery. This can be useful if you forget the password. But it also widens the attack surface: with a recovery address set, a scammer who controls your SMS and your mailbox can reset the cloud password and take the account.
A linked email can also be useful for contacting Telegram "support." When your account is hijacked, you can write to a bunch of Telegram email addresses and hope for a miracle. According to my subjective statistics, if you write from the linked email, there's a higher probability that the scammer's session will be terminated.
But unfortunately, there's no hard evidence for this. I generally consider Telegram's "support" to be a real slap in the face to the billion-strong audience of a messenger that presents itself as a super-secure and reliable means of communication.
4. Login with Telegram ≠ Giving Away Access
One of the main scam mechanics (I'd even say the only one) is to trick a mark into clicking a link for some kind of poll or anything else (like "you've been gifted Telegram Premium"). Then comes the scam: "log in with Telegram to verify your identity."
That's why I decided to write a couple of paragraphs to explain the difference between "logging into a site with Telegram" and "kindly handing over your Telegram to scammers."
When "logging in with Telegram," you will never be asked for an SMS code or a cloud password. Your phone number may legitimately be asked for in exactly one place: the login window that Telegram itself opens at oauth.telegram.org, which then tells you to confirm the login inside the Telegram app. If any other page asks for your phone number, or any page at all asks for the code or the cloud password, someone is trying to take your precious account. The "login with" mechanism is built on the following process:
The user clicks "log in with";
A window from oauth.telegram.org (Telegram's own domain) opens; at most it asks for the phone number and then tells you to confirm in the app;
Then, in Telegram, they see a message like "Do you want to log in to the website EASYMONEYFORFREE with Telegram?";
The user gives consent;
Telegram hands the website a small signed record: the user's Telegram ID, name, username, profile photo link, a timestamp and a signature;
The website checks that signature using its own bot token and grants the user access.
Pay attention to points 2-4. Everything that involves your Telegram credentials happens on a Telegram domain or in the app itself; the website only ever receives the signed record and never sees a code or a password. Scammers, however, disguise their own site as Telegram and start asking for your phone number and cloud password, collecting this information for themselves.
Remember:
A real login with Telegram never requires your:
– SMS code,
– cloud password,
and your phone number is only ever typed on oauth.telegram.org, never on the site you are logging in to.
If you see a site asking for this data, it's a scam.
How a legitimate login works:
– You are redirected to Telegram.
– You click "Allow access."
– Telegram sends the site your Telegram ID and public profile details (name, username, photo), and that's it: nothing that lets the site log into your account.
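To show what the website actually receives, and why it never needs your code or password, here is an added example of the server-side check a site performs on the record Telegram hands it. It is not code from this post or from Telegram; it implements Telegram's documented check for the Login Widget (sorted key=value fields, HMAC-SHA256 keyed with SHA256 of the site's bot token, plus a freshness check on auth_date). The bot token, the user fields and the fixed "current time" are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed token for this example; a real one comes from BotFather and
# must never leave the site's server. The user never sees or enters it.
BOT_TOKEN = "123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11"

# Fixed "current time" so the example is reproducible (constructed value).
NOW = 1_700_000_000


def data_check_string(data):
    """Rebuild the string Telegram signed: every field except 'hash',
    as key=value, sorted by key, joined with newlines."""
    return "\n".join(f"{key}={data[key]}" for key in sorted(data) if key != "hash")


def sign(data, bot_token=BOT_TOKEN):
    """HMAC-SHA256 of the check string, keyed with SHA256(bot_token).
    Telegram computes this when it hands the record over; the site recomputes it."""
    secret = hashlib.sha256(bot_token.encode()).digest()
    return hmac.new(secret, data_check_string(data).encode(), hashlib.sha256).hexdigest()


def verify_login(data, bot_token=BOT_TOKEN, now=None, max_age=24 * 3600):
    """Return True only for a record Telegram signed for this bot that is
    recent enough; a missing or wrong hash or a stale auth_date fails."""
    if not all(field in data for field in ("id", "auth_date", "hash")):
        return False
    # Constant-time comparison: a forged, tampered, or other-bot record fails here.
    if not hmac.compare_digest(sign(data, bot_token), data["hash"]):
        return False
    try:
        age = (time.time() if now is None else now) - int(data["auth_date"])
    except ValueError:
        return False
    return 0 <= age <= max_age  # reject replays of an old, captured login


def telegram_payload():
    """What the widget passes to the site's callback after the user taps
    'Confirm' in the app: public profile fields, a timestamp and the hash.
    Notice what is absent: no phone number, no SMS code, no cloud password.
    Values are constructed for the example."""
    payload = {
        "id": "123456789",
        "first_name": "Anton",
        "username": "example_user",
        "auth_date": str(NOW - 60),
    }
    payload["hash"] = sign(payload)
    return payload


def tampered_payload():
    """Same record with the user ID swapped, as a site impersonating another
    user would try: the hash no longer matches and the site must reject it."""
    payload = telegram_payload()
    payload["id"] = "987654321"
    return payload


if __name__ == "__main__":
    print("genuine:", verify_login(telegram_payload(), now=NOW))                  # True
    print("tampered:", verify_login(tampered_payload(), now=NOW))                 # False
    print("stale:", verify_login(telegram_payload(), now=NOW + 3 * 24 * 3600))    # False
```

The record contains only public profile data plus a signature that the site can check with a secret only it and Telegram know. Nothing in it lets the site log in as you, which is exactly why a "login" page that asks for a code or a cloud password is not doing a login at all.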
5. Custom Clients
Custom Telegram client applications deserve special attention. Since Telegram has an open API, anyone can create their "own Telegram client" with various bells, whistles, and improvements. One such improvement might be the wonderful feature "hand your account to a scammer along with your cloud password and SMS code."
Example of a "useful" custom client
On my TG channel, I made a post about fake ad videos in Shorts showing a girl restoring her entire chat history. I also attached the ad video itself - https://t.me/gmoreva/854. For some reason, the video can't be attached here.
No "special" Telegram clients, "chat restorers," or "magic reels" on social media can recover deleted messages. They are just a way to trick you out of your session: whatever client you type your phone number, login code and cloud password into sees all three, and can pass them, or the session they create, to whoever built it. Use only official Telegram clients, specifically the ones linked from telegram.org, which points you to the official store listing for your platform.
There can be many clones, and they might even look very similar to the native client, but it's better to be safe than sorry.
6. System Notifications from Telegram
Everyone on Telegram has a system account called "Telegram" that sends notifications about new device logins. Read every message from it carefully, especially one like "Anton, someone logged into your account from this device, with this IP": make sure it was really your login and your device.
Example message

Here you can see that a login was made in the city of Ramenskoye from a Latitude device and a B450M. That was me logging in, and I know for sure it was me.
7. Check Your Devices in Telegram
This point is for paranoids like me: regularly check the list of active sessions and look for any you don't recognise. A newly created session can't terminate the others for its first 24 hours, so if a scammer has logged in, that's your window to kick them out; once 24 hours have passed, they can kick you out and effectively become the owner of the account. I check my list of active devices about every two to three days.
8. What to Do If Your Account Is Hijacked
And finally, if you've read this far and your account has been hijacked after all, I'll tell you about one theory. It still works from time to time.
Telegram has a setting that restricts who can message you. If I have a Premium account, or if I'm from Russia (for Russians this feature is free: at some point there were calls for terrorist attacks spread through the messenger, and Pavel Durov said, "Okay, let it be free for Russians"), I can tick a box so that only Premium users or people in my contacts can write to me.
Settings screenshot

And sometimes this system can be turned against the scammer. The situation is this: we can't regain access the normal way, because as soon as we log in, the scammer sees the login and instantly terminates the session. Some scammers even run bots that terminate all other sessions continuously. So getting access back head-on is practically impossible.
You only have a few seconds before the scammer kicks you out. Sometimes they let their guard down. In this short window, you create a chat—any chat—and invite someone who:
has their private messages closed (you can't message them directly),
and has restrictions on being added to groups (they can only be added via a link).
You add them (or try to add them) to this chat. Telegram, trying to deliver an invitation on your behalf to a user who has blocked such invitations, treats this as spam behaviour, marks your account as a spammer, and terminates all sessions, both yours and the scammer's. After that, you log in again with the SMS code and regain control of the account. The main thing is to have access to your number.
The scheme is complicated and it's quite difficult to do it in time. But it has worked a few times, though there are no guarantees.
9. Ineffective Recovery Methods
Besides sad stories about how people lost their accounts, users also write to me about what they tried to do to solve the problem.
The most common one: getting a new SIM card. It's completely useless. Telegram isn't a bank, wired into the carriers to detect SIM replacements; the scammer's session lives on Telegram's servers and survives whatever happens to your SIM. Telegram doesn't care who received the SMS code or through which SIM card: if you have the code, you have access.
Some also reset their phones to factory settings or reinstall Windows on their PC. This is equally useless for getting the account back, since the stolen session is on Telegram's side, not on your device. It makes sense only as a clean-up if malware on the device was what handed the session to the attacker.
10. Ways Your Account Can Be Hijacked
Over a couple of years of practice in recovering access to Telegram accounts, I've identified the following reasons for losing account access:
Clicking a link that leads to a fake Telegram login and session transfer;
Custom clients promising to "recover deleted messages." I wrote about them above;
Malware. Someone's child installed a program on their computer to get money in some game. The program requested administrator rights and stole the user's session.
That's all. Globally, there are no other ways to hijack an account. I've been told many stories like "I didn't do anything and I was hacked," but then it turns out the person either voted in a poll through a fake "login with Telegram" page or had a custom Telegram client installed. Simply put, I don't believe such stories; the person always gives away their session one way or another.
Instead of a Conclusion
Be careful with your accounts and always pay attention to where and what you enter.