Phishing Scams on Telegram: Account Takeover and Crypto Seed Theft
Phishing on Telegram targets users with fake bot notifications, admin impersonation messages, and malicious mini-apps that harvest account login codes and crypto wallet seed phrases.
Last reviewed: 1 June 2026
Telegram's combination of large groups, bot ecosystem, and encrypted direct messages creates multiple surfaces for phishing attacks. Account takeover is a particular priority for attackers because Telegram accounts often contain sensitive conversations, private channels, and crypto community memberships that can themselves be monetised.
The crypto-heavy nature of many Telegram communities makes seed phrase phishing especially lucrative. A single stolen seed phrase can drain a wallet containing significant cryptocurrency with no possibility of reversal.
How this scam works on Telegram
A common attack involves a fake Telegram notification from a bot that mimics Telegram's official security bot. The message warns that the account will be suspended unless a verification code is entered on a linked page. The page captures the login code and the victim's phone number, giving the attacker full account access.
In crypto communities, fake 'group admin' accounts DM members claiming to offer support or a special NFT airdrop. Clicking the link launches a page requesting a seed phrase or private key for wallet verification — information that gives complete control of the wallet.
Some sophisticated attacks use Telegram Web App (mini-app) phishing, where an in-Telegram web view loads a convincing fake exchange or wallet interface that captures credentials entered within the app.
Common red flags
- Telegram bot notification warning about account suspension and requesting a verification code
- DM from someone claiming to be a group admin offering airdrops or support
- Any link or mini-app requesting your seed phrase or wallet private key
- Mini-app URL does not match the official domain of the service it claims to represent
- Message from a contact with a slightly different username than a genuine admin you know
- Login code request in any channel or bot outside of your own two-factor authentication process
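The checks below turn three of these red flags (lookalike admin usernames, requests for a code or seed phrase, and links whose host is not an official domain) into code a community moderation tool could run over incoming messages. This is an added example, not code from this article or from Telegram; the admin usernames, the domains, the threshold and all function names are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample values (assumptions): real admin usernames and trusted domains.
KNOWN_ADMINS = {"cryptohub_admin", "cryptohub_support"}
OFFICIAL_DOMAINS = {"wallet.example", "exchange.example"}
SECRET_REQUEST = re.compile(
    r"seed phrase|recovery phrase|private key|(login|verification) code", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def normalise(username):
    """Fold case and drop the '@' and underscores that lookalikes add or remove."""
    return username.lstrip("@").casefold().replace("_", "")

def lookalike_admin(username):
    """Return the admin a username imitates, or None. Exact matches are genuine."""
    if username.lstrip("@").casefold() in KNOWN_ADMINS:
        return None
    for admin in sorted(KNOWN_ADMINS):
        if SequenceMatcher(None, normalise(username), normalise(admin)).ratio() >= 0.85:
            return admin
    return None

def link_host(url):
    """Lower-cased host of a URL, or '' when it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

def host_is_official(url):
    """True only for an allowlisted domain or a subdomain of one (no substring match)."""
    host = link_host(url)
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def red_flags(sender, text):
    """Return the red flags from the list above that one message trips."""
    flags = []
    imitated = lookalike_admin(sender)
    if imitated:
        flags.append(f"username resembles admin @{imitated}")
    if SECRET_REQUEST.search(text):
        flags.append("asks for a login code, seed phrase or private key")
    for url in (u.rstrip(".,;)") for u in URL.findall(text)):
        if not host_is_official(url):
            flags.append(f"link host is not an official domain: {link_host(url)}")
    return flags
```

The 0.85 similarity threshold is an assumption to tune against a group's real usernames, and matching on the host suffix is what stops a name such as `wallet.example.verify-login.test` from passing as official.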
How to protect yourself
- Enable two-factor authentication (Two-Step Verification) in Telegram Settings > Privacy and Security
- Never share a login code or seed phrase in Telegram under any circumstances
- Verify admin identities by checking pinned messages or the official channel username
- Treat any unsolicited DM about account security or airdrops as suspicious
- Check mini-app URLs before entering any credentials — legitimate services display official domains
- Report phishing DMs via Telegram's report function before blocking
How to report it
- Report the account or bot via the three-dot menu in the chat: 'Report' > 'Fake Account' or 'Spam'
- Report phishing to Telegram at [email protected]
- File a complaint with the FBI IC3 at ic3.gov or your national cybercrime authority if cryptocurrency was stolen
Frequently asked questions
Does Telegram contact users about account security via DM?
Telegram communicates security alerts through its own official bot (Telegram) and through in-app notifications — not through DMs from unknown accounts. Any DM claiming to represent Telegram support or security that asks for a code or seed phrase is a phishing attempt.