Phishing in Telegram Mini Apps: how to avoid taking the bait | Kaspersky official blog
A new phishing scam is exploiting Telegram’s built-in Mini Apps: fraudsters are running fake giveaways to steal accounts. Here’s how to protect yourself.
AI Analysis
Technical Summary
This phishing threat exploits Telegram’s Mini Apps platform, a feature that allows apps to run inside the Telegram interface without opening external browsers. Attackers create fake Mini Apps mimicking legitimate giveaways of popular digital collectibles (NFT-like 'Telegram Gifts'), often tied to celebrities such as UFC fighter Khabib Nurmagomedov. Victims receive private messages offering free gifts via these Mini Apps and are prompted to enter their Telegram login credentials directly within the app. Telegram’s platform currently lacks a robust vetting process for Mini Apps, enabling attackers to publish malicious apps without prior review. The phishing apps appear highly convincing because they run inside the official Telegram client and sometimes even reference legitimate Telegram channels to add credibility. The campaign uses AI-generated text, sometimes with leftover prompts, indicating rushed development. The attack is global, targeting both Russian and English-speaking users, focusing on those active in related channels. Once credentials are stolen, attackers hijack the Telegram accounts, potentially using them for further scams or data theft. Telegram users are advised to verify the authenticity of giveaways, check verification badges properly, avoid entering credentials in Mini Apps, and enable two-factor authentication and passkeys. The campaign highlights a significant security gap in Telegram’s Mini Apps ecosystem, turning a popular messaging platform into a vector for credential theft and account compromise.
Potential Impact
For European organizations, the primary impact is the compromise of employee Telegram accounts, which can lead to unauthorized access to corporate communications, social engineering attacks, and potential lateral movement if Telegram is used for business purposes. Compromised accounts may be used to distribute further phishing or malware campaigns internally or externally, damaging organizational reputation and trust. The theft of credentials can also result in loss of sensitive personal or corporate information shared via Telegram. Given Telegram’s popularity in certain European countries, especially among younger demographics and crypto communities, the risk of widespread account hijacking is significant. Additionally, organizations involved in marketing, PR, or customer engagement via Telegram channels may face reputational damage if their accounts are impersonated. The ease of exploitation and lack of vetting for Mini Apps increase the threat’s reach and persistence. The campaign’s targeting of NFT and crypto enthusiasts aligns with European markets where these technologies are gaining traction, potentially amplifying the impact.
Mitigation Recommendations
European organizations should implement targeted user education campaigns emphasizing the risks of Telegram Mini Apps phishing and the importance of verifying sources before interacting with giveaways or Mini Apps. Enforce the use of Telegram’s two-step verification and passkeys for all employees to add layers of authentication beyond SMS codes. Encourage the use of password managers to maintain strong, unique passwords for Telegram accounts. Monitor Telegram usage within the organization for suspicious activity, including unexpected Mini App interactions or credential requests. Establish policies restricting the use of unofficial Mini Apps or third-party Telegram bots for business communications. Collaborate with IT security teams to integrate anti-phishing solutions that can detect and block phishing attempts within messaging apps. Promote awareness of AI-generated content indicators as potential phishing signs. Finally, maintain incident response plans specifically addressing account hijacking scenarios on messaging platforms, ensuring rapid recovery and communication protocols.
Affected Countries
Russia, Germany, United Kingdom, France, Netherlands, Poland, Italy, Spain
Technical Details
- Article source: https://www.kaspersky.com/blog/telegram-mini-app-phishing/55041/ (fetched 2025-12-16T16:41:25.900Z; 2006 words)
Threat ID: 69418bb53e7fd18214c3d792
Added to database: 12/16/2025, 4:41:25 PM
Last enriched: 1/10/2026, 12:26:14 AM
Last updated: 2/7/2026, 1:11:20 PM