How Not to Get Hacked on Telegram
The lightweight chat client Telegram is one of the most common methods of communication in crypto, and there’s a good reason for that. SIM swap attacks, which transfer ownership of your phone number to a malicious attacker, are a common attack vector.
And once the attacker has your number in hand, they can cause all sorts of mayhem, most notably by obtaining two-factor authentication (2FA) codes for your important logins that are sent over text. A lot of tradfi banks and other services operate on legacy technology, for example, meaning that many only offer 2FA via text. 2FA over text, plus SIM swap, often leads to a zero bank balance.
Telegram’s killer feature is that it allows an easy and convenient way to communicate with others via username, instead of phone number. If attackers don’t know your phone number, how can they SIM swap you? So goes the logic, and so a lot of crypto users just install Telegram, ignore the settings, and call it a day.
But that’s not enough. Since everyone is on Telegram, Telegram is the place where hackers concentrate a lot of firepower. If you’re not careful, there are ways to get pwned through Telegram, as well.
We’ve created a small guide to help crypto users secure themselves on Telegram, so that they can avoid the most blatant security pitfalls.
1. Set up 2FA
You need to set up two-factor authentication to protect your account against hijacking. The primary login method uses a one-time code sent by text, so Telegram lets you set a password as the second factor. In case someone manages to SIM swap you, Telegram will prompt them for a password in order to access your account, instead of just letting them in based on having access to the phone number.
To do so, on the Privacy and Security tab, select Two-Step Verification (Telegram’s term for 2FA), and set a strong password. You will rarely enter this password, so make sure that you store it somewhere safe, like in a password manager, so you won’t forget it.
The consequences of forgetting that password are stark. You’ll have to reset your account. In essence, that means submitting a request to remove your account completely, after which you will have to wait seven days. After a week, the account will be deleted (including associated contacts, cloud chats, and channel subscriptions), at which point you will be able to create a new, empty account using the same phone number.
2. Restrict what information you share with other Telegram users
So as not to share unnecessary details with all 500 million Telegram users, you need to configure your profile privacy appropriately. Go to Telegram’s Privacy settings. We recommend the following:
- Phone Number → Who can see my phone number — Nobody.
- Data and Storage → Auto Download Media → Toggle off
- Phone Number → Who can find me by my number — My Contacts.
- Last Seen & Online → Who can see my timestamp — Nobody.
- Profile photo → Who can see my profile photo — My Contacts.
- Calls → Who can call me — My Contacts (or Nobody, if you prefer).
- Calls → Peer-to-peer — My Contacts (or Nobody, if you prefer not to share your IP address with chat partners).
- Forwarded Messages → Who can add a link to my account when forwarding my messages — My Contacts.
- Groups & Channels → Who can add me — My Contacts.
3. Modify data download and storage settings
On your mobile version of Telegram, navigate over to Privacy & Security → Data Settings and remove from Telegram storage any information you do not want to be there.
4. Check active sessions
Telegram allows multi-device support, which means you can have the same Telegram account open on various devices at the same time. Over time, you may forget that you are logged in on some phone or laptop, and that session can be misused. To make sure this doesn’t happen, view all devices where your Telegram account is logged in. To do this, go to Settings → Privacy and Security → Active sessions.
If you see any session that is still logged in and that you want to end, simply click on that session and hit ‘Terminate’.
5. Disable P2P calls for everyone
With default settings, Telegram’s voice calls are made via P2P. When using P2P, the IP address of the other party on the call will appear on the Telegram control log. However, not all versions have control logs. For example, the Windows version does not, but the Linux version does.
The Telegram application does let users prevent their IP addresses from being exposed by changing settings. Go to Settings → Private → Security → Voice Call and change Peer-to-Peer to Never or Nobody. With this setup, voice calls are routed through the Telegram server, so the IP address is hidden, but at the expense of audio quality.
Aside from the above recommendations, it’s important to follow basic security procedures that apply across the board.
1. Don’t open executable files from other users
Some hackers just use Telegram as a method of communication with their potential victims, rather than attacking any features inherent to Telegram itself. For example, some hackers have set up channels that purport to give interested users software to ‘crack private keys’ and engage in hacking themselves. However, once opened by the victim, this ‘hacking software’ infects their computer with the HackBoss malware that replaces all crypto wallets on that computer with their own versions of those wallets. Of course, the modified crypto wallets then send all the funds to the attacker.
2. Watch out for impersonation
It’s extremely common for hackers and scammers to impersonate Telegram users by choosing a username that is very close to, but slightly different from, the original. For example, an attacker may try to impersonate dev0ps1 by creating the username devops1. Make sure you know who you’re communicating with.
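One way to check a sender's handle against contacts you already trust before replying, shown as an added example that is not part of the original article. The look-alike character map, the distance threshold of 1 and the function names are assumptions chosen for illustration, and the usernames other than dev0ps1 and devops1 are constructed.

```python
# Added example: flag usernames that imitate a contact you already trust.
# CONFUSABLE is a small constructed map, not a complete homoglyph table.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "_": ""})


def canonical(username: str) -> str:
    """Strip a leading '@' and fold case (Telegram usernames are case-insensitive)."""
    return username.lstrip("@").lower()


def skeleton(username: str) -> str:
    """Collapse look-alike characters so dev0ps1 and devops1 compare equal."""
    return canonical(username).translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(sender: str, trusted: list[str], max_dist: int = 1):
    """Return ('trusted', name), ('lookalike', name) or ('unknown', None)."""
    s = canonical(sender)
    # An exact match always wins, so a real contact is never flagged.
    for name in trusted:
        if s == canonical(name):
            return ("trusted", name)
    # Otherwise look for a handle that only resembles a trusted one.
    for name in trusted:
        same_shape = skeleton(sender) == skeleton(name)
        near_miss = edit_distance(s, canonical(name)) <= max_dist
        if same_shape or near_miss:
            return ("lookalike", name)
    return ("unknown", None)


if __name__ == "__main__":
    contacts = ["dev0ps1"]  # handles you have verified out of band
    for handle in ["@Dev0ps1", "devops1", "dev_0ps_1", "dev0ps11", "alice_eth"]:
        print(handle, check_sender(handle, contacts))
```

A "lookalike" result means the handle should be verified through another channel before any funds, keys or files change hands.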
If you implement the above recommendations, you’ll be one big step closer to securing your crypto workflow.