Telegram Threat Glossary

Key terms and definitions for understanding the Telegram threat landscape.

Fragment

A decentralized marketplace built on the TON blockchain for buying and selling anonymous Telegram phone numbers and accounts. Fragment is frequently exploited by threat actors to acquire verified accounts en masse for launching impersonation and phishing campaigns while maintaining operational anonymity.

Multi-Sig Escrow

A smart-contract-based escrow mechanism requiring multiple signatures (typically 2-of-3) to release funds. In the context of Telegram takedown services, multi-sig escrow protects both parties: the client deposits funds into the contract, and the service provider only receives payment after the target is neutralized and the client approves release.

Session Hijacking

An attack vector where an adversary intercepts and steals a victim's Telegram session token (session string) to gain unauthorized access to their account. This bypasses two-factor authentication entirely, as the session token is generated after the initial login and remains valid until explicitly revoked.

Clone Detection

The automated process of identifying impersonator or clone Telegram channels that mimic legitimate brands. Detection signals include Levenshtein distance on usernames, avatar perceptual hash comparison, subscriber spike anomalies, engagement ratio deviations, and the presence of verification scam bots.
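Two of the signals named above, username edit distance and engagement ratio deviation, shown as an added example that is not code from this glossary or from any detection product. The `Channel` fields, the thresholds `max_distance` and `ratio_factor`, and the sample channels are assumptions constructed for illustration.

```python
from dataclasses import dataclass

def levenshtein(a: str, b: str) -> int:
    """Edit distance via two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def normalize(username: str) -> str:
    # Handles are case-insensitive; underscores are cheap padding for lookalikes.
    return username.lstrip("@").lower().replace("_", "")

@dataclass
class Channel:
    username: str
    subscribers: int
    avg_views: int  # mean views per recent post

def clone_signals(brand, cand, max_distance=2, ratio_factor=0.25):
    """Return the names of the signals a candidate channel triggers."""
    if cand.username.lstrip("@").lower() == brand.username.lstrip("@").lower():
        return []  # same handle: this is the brand's own channel
    signals = []
    # Signal 1: handle within a small edit distance of the protected handle.
    if levenshtein(normalize(brand.username), normalize(cand.username)) <= max_distance:
        signals.append("username_distance")
    # Signal 2: views per subscriber far below the brand's own ratio
    # (assumed threshold: under a quarter of the brand's ratio).
    brand_ratio = brand.avg_views / max(brand.subscribers, 1)
    cand_ratio = cand.avg_views / max(cand.subscribers, 1)
    if cand_ratio < ratio_factor * brand_ratio:
        signals.append("engagement_ratio")
    return signals

# Constructed sample data, not real channels.
BRAND = Channel("acme_wallet", 120_000, 30_000)
CANDIDATES = [
    Channel("acme_wal1et", 95_000, 900),      # one substituted character, inflated subscribers
    Channel("AcmeWallet", 500, 150),          # underscore dropped
    Channel("cooking_daily", 40_000, 9_000),  # unrelated channel
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(c.username, clone_signals(BRAND, c))
```

Each signal is weak on its own; a channel that triggers several is the one worth sending to manual review.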

Social Engineering (Telegram)

Psychological manipulation tactics used on Telegram to trick users into revealing credentials, installing malware, or authorizing fraudulent transactions. Common vectors include fake support bots, OTP interception scripts, and impersonation of trusted entities like project admins or exchange representatives.

SIM Swap Attack

A technique where an attacker convinces a mobile carrier to transfer a victim's phone number to a SIM card under the attacker's control. This enables interception of SMS-based OTP codes, including those used for Telegram 2FA recovery, effectively bypassing account security.

Account Takeover (ATO)

The full compromise of a Telegram account by an adversary, allowing them to post as the legitimate owner, access private groups and channels, view contacts, and launch secondary attacks. ATO is typically achieved through session hijacking, SIM swapping, or phishing credential theft.

Telegram API Spam / Phishing Bots

Automated Telegram bots that leverage the Telegram Bot API or MTProto API to distribute phishing links, spread malware, or conduct large-scale social engineering campaigns at low cost. These bots can operate under the radar by using disposable Telegram accounts and rotating API credentials.

OSINT (Telegram Intelligence)

Open-source intelligence gathering techniques applied to Telegram, including metadata extraction from public channels and groups, network graph analysis of cross-channel sharing patterns, automated scraping for IOC collection, and behavioral profiling of threat actor communication patterns.

Telegram Channel Takedown

A targeted operational process to neutralize malicious Telegram channels, bots, or groups through coordinated reporting, infrastructure analysis, and use of the platform's abuse mechanisms. Effective takedowns require an understanding of Telegram's moderation policies, documentation proving identity fraud, and multi-vector escalation strategies.