Your community's Telegram got hacked: the admin playbook
If your community's Telegram channel is hacked, move fast: an attacker who stole an admin's live session can post a fake pinned "migration" or airdrop to your whole audience. In the first hour, announce the breach from a channel you still control, tell members that the new link or new contract address is the scam, and start Telegram's official channel-recovery process. Only the channel creator (or Telegram support) can restore ownership. No third party can.
How an official channel actually gets taken over
When a project's Telegram gets hacked, founders almost always ask the wrong first question: "How did they guess our password?" They usually did not.
The realistic path is admin session theft. One of your admins runs Telegram Desktop. Malware on that admin's machine (a fake job PDF, a "partnership deck," a trojanized installer, a malicious npm or PyPI package) copies the local tdata folder. That folder holds the live authorization for the account. The attacker drops it into their own Telegram Desktop and is instantly logged in as your admin. No password, no SMS code, no 2FA prompt.
This is now an industrial market. Imperva's 2025 research found malicious PyPI packages built specifically to steal the Telegram Desktop tdata folder, with ready-to-use stolen sessions sold on dark-web forums for roughly $5 per 10 accounts up to $400 per 1,000 (Imperva, 2025). High-value admin and project accounts are worth far more, sold individually. Separately, CYFIRMA reported in February 2026 a campaign abusing Telegram's QR-login and authorization prompts to hijack sessions at scale.
The cruel part: a stolen session does not appear as a new login. Telegram thinks it is still your admin. So your "official" channel can be controlled by an attacker for hours while every dashboard looks normal.
Why this is worse for a community than for an individual
A personal account hack costs one person. A channel hack weaponizes trust you spent years building. Your members joined because they believe what gets pinned in your channel. The attacker is renting that belief.
Telegram-based crypto phishing and malware have climbed sharply over the past year, and the typical payload against a community is not data theft. It is a payment instruction sent to thousands of people who trust you.
The first hour: contain, do not negotiate
Speed matters more than polish. Work this in order.
1. Get a clean line of communication. Use a device you know is not compromised. If you suspect the admin's machine, do everything else from a different phone or laptop.
2. Try to pull privileges from the compromised admin. If the channel creator account is still yours and not the one that was stolen, go to the channel, open Administrators, and demote or remove the compromised admin immediately. This is your single highest-leverage move. It only works if the creator account is intact, which is exactly why the creator account must be the most protected one you own.
3. Announce the breach everywhere you still control. Your X account, your Discord, your website banner, a backup Telegram channel. One clear line: "Our Telegram was compromised at [time]. Do not click the pinned message, do not send funds, do not connect a wallet, do not join any 'new' or 'migration' channel. We will only confirm the all-clear from [this verified handle/website]."
4. Name the specific bait. Tell members exactly what the attacker posted: the fake airdrop, the "we are migrating, join here" link, the new contract address, the support DM asking them to verify a wallet. The new link is the scam. Members should treat any urgent, high-reward, click-now message as hostile by default.
5. Warn against the second scam now, before it lands. Within minutes of a public channel hack, "recovery experts" will DM your members and your team offering to get the channel back for a fee. They cannot. They are the second scam. Say so publicly so your community is inoculated before the predators arrive.
Recovering the channel through Telegram (the only real path)
There is exactly one legitimate recovery route, and it runs through Telegram.
- If you still hold the creator account, you can demote rogue admins and reset admin invite links yourself. Do this first.
- If the creator account itself was the one stolen, you must recover that account through Telegram (account recovery via the phone number and 2FA, or Telegram support), then reassert ownership of the channel.
- If the creator account was deleted by the attacker, ownership transfer is not automatic. Telegram support involvement is required, it is slow, and it is not guaranteed.
Be honest with yourself and your community about that last point. Telegram is a small team relative to its user base, and channel-ownership disputes are handled reluctantly and slowly. Plan your member communications assuming recovery could take days, not minutes.
And to be blunt about the trust anchor of this whole space: only Telegram can recover a hacked account or channel. Anyone, on Telegram, X, or in your DMs, who claims they can recover it for you for a payment is running the second scam. Do not pay them. Do not share codes with them. Report and move on.
Hardening the rebuilt channel and every admin account
Once you have control back, rebuild assuming the same attacker will try again.
- Least privilege. Most "admins" do not need full rights. Give post-only or specific permissions. Reserve full admin and ownership for as few accounts as possible.
- Clean the compromised machine, do not just log out. If malware stole one tdata folder, assume that device is owned. Wipe and reimage before that admin logs back in. A "Terminate other sessions" click does not remove malware, and the attacker can simply re-steal.
- 2FA on every admin, with the caveat. Turn on a Telegram cloud password (2FA) everywhere. But understand its limit: 2FA stops a fresh login, it does not stop a session that was already authorized and then stolen. A hijacked tdata session bypasses the password entirely. 2FA is necessary and not sufficient.
- Separate the creator account. The owner account should live on a hardened device that does not browse, download decks, or run random installers. Treat it like a cold wallet.
- Reset all invite links and review admin logs. Rotate links the attacker may have grabbed and walk the recent admin action log for anything you did not do.
For the deeper reason a simple "Terminate session" is not enough here, see why terminating Telegram sessions doesn't work.
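The least-privilege and admin-log review above can be scripted. The example below is added here and is not code from the article or from Sessions: it takes the JSON a Bot API getChatAdministrators call returns (the `result` array of ChatMember objects) and flags any admin who is unexpected, over-privileged, or holds ownership. The allowlist, creator id and sample admins are constructed.

```python
"""Least-privilege audit of a Telegram channel's admin list (illustrative)."""
import json

# Rights that let an admin escalate, lock others out, or mint join links:
# the ones to reserve for as few accounts as possible.
HIGH_RISK_RIGHTS = ("can_promote_members", "can_restrict_members",
                    "can_change_info", "can_invite_users", "can_delete_messages")

CREATOR_ID = 1000  # hypothetical: the owner account kept on the hardened device
# Hypothetical allowlist: user_id -> rights that admin is supposed to hold.
EXPECTED = {
    1001: {"can_post_messages", "can_edit_messages", "can_pin_messages"},
    1002: {"can_post_messages"},  # post-only helper
}


def audit_admins(result_json: str) -> list[str]:
    """Return one finding per admin that violates the allowlist."""
    findings = []
    for member in json.loads(result_json):
        uid = member["user"]["id"]
        name = member["user"].get("username", str(uid))
        if member["status"] == "creator":
            if uid != CREATOR_ID:
                findings.append(f"UNKNOWN CREATOR @{name}: ownership moved")
            continue
        granted = {k for k, v in member.items() if k.startswith("can_") and v is True}
        if uid not in EXPECTED:
            findings.append(f"UNEXPECTED ADMIN @{name}: remove or add to allowlist")
            continue
        excess = granted - EXPECTED[uid]
        if excess:
            risky = sorted(r for r in excess if r in HIGH_RISK_RIGHTS)
            findings.append(f"OVER-PRIVILEGED @{name}: extra rights {sorted(excess)}"
                            + (f" (high risk: {risky})" if risky else ""))
    return findings


# Constructed sample shaped like a getChatAdministrators `result` array.
SAMPLE = json.dumps([
    {"status": "creator", "user": {"id": 1000, "username": "project_owner"}},
    {"status": "administrator", "user": {"id": 1001, "username": "community_mod"},
     "can_post_messages": True, "can_edit_messages": True, "can_pin_messages": True,
     "can_promote_members": False},
    {"status": "administrator", "user": {"id": 1002, "username": "post_helper"},
     "can_post_messages": True, "can_promote_members": True, "can_invite_users": True},
    {"status": "administrator", "user": {"id": 1003, "username": "stray_account"},
     "can_post_messages": True},
])

if __name__ == "__main__":
    for line in audit_admins(SAMPLE):
        print(line)
```

Run it against a fresh getChatAdministrators response after every rebuild and after any admin change you did not make yourself.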
Why we built Sessions
We kept watching the same pattern hit projects we knew: one admin's live session gets lifted, the official channel posts a fake migration, and a thousand members lose money before anyone with the creator account wakes up. The breach was real for hours, and every login dashboard said everything was fine.
Sessions is a non-custodial guard for that exact blind spot. It watches a Telegram account (for a project, the admin and creator accounts) for a hijacked or replayed session and for unrecognized logins, and it ends the attacker's session the moment it sees a second live one. We kill the attacker's session as soon as a poll catches it, rather than waiting for an alert Telegram never sends.
It runs inside an attested AWS Nitro enclave. By design it cannot read your messages or move your funds, the code is open source and verifiable, and you can revoke it at any time. We are deliberate about scope: Sessions detects a takeover and cuts the attacker off fast. It cannot recover a lost account, and we will never claim it can. For the deep technical version, including what is forgeable and what is not in a stolen session, read how an attacker replays a stolen Telegram session.
If you run a community, the move is to protect the admin and creator accounts before the hijack, not to hunt for a recovery service after.
Frequently asked questions
- Our official Telegram channel is posting scams right now. What do I do first?
- Get to a device you trust, then try to demote or remove the compromised admin from the Administrators list (this only works if you still hold the creator account). Immediately announce the breach from your other channels and tell members not to click the pinned message, send funds, or join any new or migration channel. The new link is the scam.
- How did they get in if we never shared our password?
- Most likely they did not need it. An admin's live session was stolen, usually by malware that copied the Telegram Desktop tdata folder from that admin's machine. That gives an attacker full access as that admin with no password, no SMS code, and no new-login alert.
- Can someone recover our hacked channel for a fee?
- No. Only Telegram can restore a hacked channel, and only through legitimate account recovery and support. Anyone DMing you or your members offering paid channel recovery is the second scam. Do not pay them and do not share any codes with them.
- We turned on 2FA. Why did this still happen?
- 2FA (a Telegram cloud password) stops a brand-new login. It does not stop a session that was already authorized on an admin's device and then stolen. A hijacked tdata session reuses an existing, trusted login, so it bypasses the password entirely. 2FA is necessary but not enough on its own.
- How do we recover the channel if the creator account was the one stolen?
- You must first recover that creator account itself through Telegram (via the phone number and 2FA password, or Telegram support), then reassert channel ownership. If the attacker deleted the creator account, ownership transfer is not automatic and requires Telegram support, which is slow and not guaranteed.
- How do we stop this from happening again after we rebuild?
- Use least-privilege admin roles, keep the creator account on a hardened device that does not download files or run installers, wipe and reimage any machine that was compromised (do not just log out), enable 2FA on every admin, rotate all invite links, and monitor for a stolen admin session since the dashboard will not flag it.