TON Adoption
Security Guide · 2026

How to protect a Telegram account from takeover: practice

Full guide to Telegram defence against SIM-swap and session hijacking — Two-Step Verification, cloud password, eSIM

Author: TON Adoption Team · security desk
7 min read

Telegram is the user’s main gateway to TON, and at the same time the main single point of failure. Telegram account hijacking became a mass threat in 2025: in April 2025 alone, VChK-OGPU — the largest independent Russian-language channel with over 1M subscribers — was taken over via a classic SIM-swap. If this account holds active TON Connect sessions, a custodial Wallet with a balance, channel access, or just years of conversations with friends, losing it means losing far more than “an account”. This guide is 2025–2026 practice on how to protect it correctly, and what to do if it’s too late.

Why Telegram is a priority target

Unlike Instagram or Twitter, a Telegram account is often the operational centre of someone’s crypto life:

  • a built-in custodial Wallet with up to thousands of USDT;
  • TON Connect sessions in active dApps;
  • conversations with exchange support and KYC verification links;
  • admin access to channels and groups whose audience trusts you;
  • the ability to sign in to any Telegram-Login site as you;
  • archive of seed phrases and private discussions (if stored incorrectly).

A hijacked Telegram gives the attacker access to all of this in a single move. According to Chainalysis 2026, the average loss from Telegram account compromise grew 3.5x year-over-year from 2024 to 2025.

The main threat — SIM-swap

The script is painfully consistent.

  1. The attacker collects victim data from open sources and breaches: full name, date of birth, phone number, last 4 digits of the passport. Often bought on a darknet marketplace for $5–50.
  2. Calls the carrier’s call centre with the cover “I lost my SIM, I need an urgent reissue”.
  3. The agent verifies on the same data the attacker has on hand. Reissues the SIM to a new card.
  4. The attacker inserts the SIM into their phone. The victim’s old card goes inactive.
  5. Opens Telegram, logs in by phone number, receives the SMS code, enters the account.
  6. With only SMS-based protection — the attacker is in. With a cloud password (Two-Step Verification) — the next layer kicks in.

The whole sequence takes 10–30 minutes. Successful SIM-swaps happen in roughly 0.05–0.1% of attempts according to telco statistics — but for attackers it’s high ROI because targets are pre-selected.

Baseline defence: Two-Step Verification

This is mandatory for anyone whose Telegram is more than “hi mum”. 2 minutes to enable.

  1. Open Telegram → Settings → Privacy and Security → Two-Step Verification.
  2. Create a strong password different from every other one. Not “12345”, not your cat’s name. 12+ random characters, ideally from a password manager.
  3. Recovery email — a required field. The email must have 2FA enabled via an app (Google Authenticator), not SMS. Never use an email tied to the same phone number — that’s a closed-loop vulnerability, not protection.
  4. Password hint — not needed. Skip the step. Any hint reduces password entropy.
  5. Write the password down on paper and store it in the same place as the wallet seed. Without it, recovery requires the 7-day account reset.

Once a cloud password is set, even SIM-swap won’t get the attacker in — they’ll request the SMS, get it, and hit the cloud-password requirement.

Layer 2: SIM card protection at the carrier

The cloud password protects Telegram, but SIM-swap is still dangerous — it gives access to bank, exchange and other-service SMS codes. Minimise the risk:

  • Set a port-out PIN or SIM-lock with the carrier. Most carriers offer a “no SIM reissue without in-person verification” option. Activate via the carrier portal or in their office. This means a SIM cannot be reissued by a call to the call centre.
  • Switch to eSIM if your phone supports it. Reissuing an eSIM requires either a biometric flow inside the carrier app or a physical office visit. For most attackers the bar is too high.
  • Don’t publish your phone number in public sources. If it has appeared in a leak — change it, ideally to one not tied to old accounts.

Layer 3: session hygiene

Telegram retains active sessions on every device you’ve ever logged into. Any old session is a potential entry point.

  1. Open Settings → Devices.
  2. Read the full list. Anything you don’t recognise — terminate.
  3. Repeat the audit monthly. After any suspicious event — immediately.
  4. Active sessions over public networks (stations, airports, cafés) are vulnerable to MITM attacks. Avoid logging into Telegram via public Wi-Fi without a VPN.

Layer 4: phishing resistance

Many Telegram takeovers don’t go through SIM-swap — they’re classic phishing.

  • Fake Telegram Web: telegram.web-login.app instead of web.telegram.org. The victim enters the SMS code on the fake site; the attacker forwards it to the real Telegram and gets in.
  • QR phishing (quishing) — the attacker sends a QR code “to confirm participation in a giveaway”. In reality it’s a Telegram QR login that adds the attacker’s device to your sessions.
  • Bots that ask you to “verify your account” — they trigger Telegram to send you a one-time code, you enter it into the bot “for verification”, and the attacker logs in.

Rules for all three:

  • Telegram Web only lives at web.telegram.org (including its /k and /a builds). Nowhere else.
  • Never scan a QR code from strangers, and never enter Telegram codes anywhere except inside the Telegram app itself.
  • Telegram officially sends codes only via the service “Telegram” account (blue tick). Any “bot” asking for the code is a scam.

Detailed phishing breakdown — anatomy of phishing.
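The first rule above (only web.telegram.org is genuine) is easy to state and easy to get wrong when checked by eye, because look-alike links hide the real host behind extra subdomains or an "@" in the URL. The following Python check is an added example, not code from the TON Adoption page or from Telegram; the allow-list and the sample links are constructed for illustration, and it compares the parsed hostname rather than the raw string.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list built from the rule in this guide: Telegram Web lives
# only at web.telegram.org (the /k and /a builds are paths on that same host).
TELEGRAM_WEB_HOSTS = frozenset({"web.telegram.org"})


def is_genuine_telegram_web(url: str) -> bool:
    """Return True only when the URL's host is exactly an allowed Telegram Web host.

    The parsed hostname is compared, so the usual decoys are rejected:
    extra subdomains, userinfo before '@', non-https schemes, IDN homoglyphs.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return False
    # The genuine host is plain ASCII; reject punycode or Unicode look-alikes.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False
    return host.rstrip(".") in TELEGRAM_WEB_HOSTS


# Constructed sample links (not taken from the original page) to exercise the check.
SAMPLE_LINKS = [
    "https://web.telegram.org/k/",                  # genuine, K build
    "https://web.telegram.org/a/",                  # genuine, A build
    "https://telegram.web-login.app/",              # look-alike domain from the guide
    "https://web.telegram.org.login-check.app/",    # genuine name used as a subdomain
    "https://web.telegram.org@login-check.app/",    # genuine name in the userinfo part
    "http://web.telegram.org/",                     # plain http, not https
]


def flag_links(links):
    """Map each link to True (genuine) or False (suspect)."""
    return {u: is_genuine_telegram_web(u) for u in links}


if __name__ == "__main__":
    for link, ok in flag_links(SAMPLE_LINKS).items():
        print(("genuine  " if ok else "SUSPECT  ") + link)
```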

Layer 5: device-side defence

The phone itself is a weak point.

  • PIN or biometrics on unlock — required. Without a PIN a stolen phone gives the attacker instant access to every session.
  • Disk encryption is on by default on modern iOS and Android — verify in settings.
  • App Lock inside Telegram — Settings → Privacy and Security → Passcode. Extra PIN when opening the app. Not a panacea, but adds 30–60 seconds for an attacker with an unlocked phone.
  • Auto-delete on chats with sensitive content (seeds, passwords, crypto instructions). Although seeds shouldn’t live in Telegram — see the secure seed-phrase storage guide.

What to do if the account is already hijacked

Time is critical — act in the first 30 minutes.

Step 1 — try to log in

Try Telegram on any device where you might still have an active session (old phone, tablet, work laptop). If you got in:

  1. Settings → Devices → Terminate all other sessions. Kicks the attacker out everywhere except your device.
  2. Immediately enable Two-Step Verification, if it wasn’t on. Set a fresh password and recovery email.
  3. Check your chats: has anything scammy been broadcast as you? Delete it and warn your contacts.
  4. Change the recovery email and its password.

Step 2 — if no active session is left

If every device is logged out, the only option is Telegram Support.

  1. Contact them via telegram.org/support or support@telegram.org.
  2. Describe the situation: hijack date, phone number, signs of takeover.
  3. Attach evidence — Telegram Premium charge receipts on your card, screenshots of the old account on other devices, a passport photo (Telegram requests this in disputed cases).
  4. Average response time — 1–7 days. Unfortunately too slow for an active scam case.

Step 3 — block threats in parallel

  • Lock the SIM at the carrier. File a SIM-swap complaint if you suspect the number was reissued.
  • Change passwords on every service that used Telegram-Login.
  • If a custodial Wallet with a balance was inside Telegram — it’s likely already drained. Follow the TON theft first-aid procedure.
  • Warn contacts — through any other channel (call, another messenger, work email). The first thing an attacker does is broadcast “lend me $200, urgent” to everyone in your list.

Final checklist

Twice a year, run through every item.

  1. Two-Step Verification enabled, password 12+ characters, recovery email protected by app-based 2FA.
  2. Active session list reviewed, anything unknown terminated.
  3. Port-out PIN or eSIM on the number tied to Telegram.
  4. PIN on the phone, disk encryption on.
  5. App Lock inside Telegram active.
  6. Strong passwords (via a manager) on every linked account: email, exchanges, banks.
  7. Recovery email is not on the same phone number as Telegram.
  8. No seed phrases or private keys in self-chats.

These 8 close 95% of Telegram-account attack scenarios. The rest is social engineering, and the only real defence against that is the habit of not rushing.


Frequently asked

Why is Telegram the priority target?
Because Telegram is the launchpad for 90% of scam attacks — drainer-link broadcasts from your name, access to chats with friends and exchange support, recovery of accounts on services that use Telegram Login. A hijacked Telegram becomes a social-engineering weapon against every contact you have.

Is the SMS code enough protection?
No. SIM-swap is exactly how SMS codes are stolen — the attacker reissues your number to a new SIM via social engineering of carrier staff or a bribe. The defence is Two-Step Verification with a cloud password that isn't tied to the phone number.

What is the cloud password?
It's a second password Telegram stores on its servers in encrypted form. It's requested when logging in from a new device AFTER the SMS code. Even if a SIM-swap delivers the SMS to the attacker, without the cloud password they cannot log in.

How do I recover a forgotten cloud password?
Only via the recovery email you provided when setting it up. Without a recovery email and with a forgotten password, Telegram offers an account reset after 7 days — which wipes all chats. So a recovery email is mandatory and must itself be protected with 2FA.

Is eSIM safer than a physical SIM?
Significantly better than a physical SIM. Reissuing an eSIM requires either a physical visit to the carrier's office or a biometric procedure that's hard to fake on a call-centre call. Not absolute protection, but the risk drops by an order of magnitude.

What should I do if my account has already been hijacked?
1. Urgently log into any device where you still have an active session. 2. Settings → Devices → Terminate all other sessions. 3. Immediately enable Two-Step Verification. 4. Change the recovery email and its password. If no active session is left anywhere, contact support@telegram.org with a passport scan and Telegram Premium purchase history for verification.
