{"id":55041,"date":"2025-12-16T11:34:04","date_gmt":"2025-12-16T16:34:04","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55041"},"modified":"2025-12-16T11:34:04","modified_gmt":"2025-12-16T16:34:04","slug":"telegram-mini-app-phishing","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/telegram-mini-app-phishing\/55041\/","title":{"rendered":"Phishing in Telegram Mini Apps: what’s Habib’s papakha got to do with it?"},"content":{"rendered":"

Admit it: you\u2019ve been meaning to jump on the latest NFT reincarnation \u2014 Telegram Gifts \u2014 but just haven\u2019t gotten around to it. It\u2019s the hottest trend right now. Developers are churning out collectible images in partnership with celebs like Snoop Dogg<\/a>. All your friends\u2019 profiles are already decked out with these modish pictures, and you\u2019re dying to hop on this hype train \u2014 but pay as little as possible for it.<\/p>\n

And then it happens \u2014 a stranger messages you privately with a generous offer: a chance to snag a couple of these digital gifts \u2014 with no investment required. A bot that looks completely legit is running an airdrop<\/a>. In the world of NFTs<\/a>, an airdrop is a promotional stunt where a small number of new crypto assets are given away for free. The buzzword has been adopted on Telegram, thanks to the crypto nature of these gifts and the NFT mechanics running under the hood.<\/p>\n

\"Limited<\/a>

Limited time offer: a marketer\u2019s favorite trick\u2026 and a scammer\u2019s tool<\/p><\/div>\n

They\u2019re offering you these gift images for free \u2014 or so they say. You could later attach them to your profile or sell them for Telegram\u2019s native currency, Toncoin. You don\u2019t even have to tap an external link. Just hit a button in the message, launch a Mini App right inside Telegram itself, and enter your login credentials. And then\u2026 your account immediately gets hijacked. You won\u2019t get any gifts, and overall, you\u2019ll be left with anything but a celebratory feeling.<\/p>\n

\"By<\/a>

This is the first of the screens where, by filling in the fields, you receive a gift<\/s> lose access to your Telegram account<\/p><\/div>\n

Today, we break down a phishing scheme that exploits Telegram\u2019s built-in Mini Apps, and share tips to help you avoid falling for these attacks.<\/p>\n

How the new phishing scheme works<\/h2>\n

The principle of classic phishing<\/a> is straightforward: the user gets a link to a fake website that mimics a legitimate sign-in form. When the victim enters their credentials, this data goes straight to the scammer. However, phishing tactics are constantly evolving, and this new attack method is far more insidious.<\/p>\n

The bad actors create phishing Mini Apps directly inside Telegram. These appear as standard web pages but are embedded within the messaging app\u2019s interface instead of opening in an external browser. To the user, these apps look completely legitimate. After all, they run within the official Telegram app itself.<\/p>\n

\"Scammers<\/a>

To make it even more convincing, scammers often add a plausible-sounding limit on gifts per user<\/p><\/div>\n

This leads the victim to think, \u201cIf this app runs inside Telegram, there must be some kind of vetting process for these apps. Surely they wouldn\u2019t let an obvious scam through?\u201d In practice, it turns out that\u2019s not the case at all.<\/p>\n

How is this scheme even a thing?<\/h2>\n

A core security issue with Telegram Mini Apps is that the platform does almost no vetting before an app goes live. This is a world apart from the strict review processes used by Google Play and the App Store \u2014 although even there, obvious malware<\/a> occasionally slips through<\/a>.<\/p>\n

On Telegram, it\u2019s far easier for bad actors. Essentially, anyone who wishes to create and launch a Mini App can do so<\/a>. Telegram does not review the code, functionality, or the developer\u2019s intent. This turns a security flaw within a messaging service boasting nearly a billion global users<\/a> into a global-scale problem. To make matters worse, moderation of these Mini Apps within Telegram is entirely reactive \u2014 meaning action is only taken after users start complaining or law enforcement gets involved.<\/p>\n

\"Phishing<\/a>

This is a global operation, with phishing lures being distributed simultaneously in both Russian and English. However, the Russian version gives away a tell-tale sign of the scammers\u2019 haste and lack of polish. They forgot to remove a clarification question from the AI that generated the text: \u201cDo you need bolder, more official, or humorous options?\u201d<\/p><\/div>\n

In this case, the bait was \u201cgifts\u201d from UFC fighters: a giveaway of \u201cpapakhas\u201d \u2014 digital gift images of the traditional Dagestani hat released by Telegram in partnership with Khabib Nurmagomedov. An auction for these items did take place, with Pavel Durov even posting about it on his X and Telegram (Khabib reposted these announcements but later deleted<\/a> them after the auction ended). However, there were only 29\u00a0000 of these \u201cpapakhas\u201d released, which wasn\u2019t enough to satisfy all the eager fans. Scammers seized on the opportunity, assuring fans they could get the exclusive items for free. The phishing campaign was a targeted one \u2014 focusing on users who\u2019d been active on the athlete\u2019s channel.<\/p>\n

How the scammers lull their victims<\/h2>\n

The criminals leveraged the name of the popular Portals platform \u2014 a legitimate service for games, apps, and entertainment within Telegram. They created a series of Mini Apps that were visually almost indistinguishable from the real ones, and promoted them as free giveaways \u2014 airdrops.<\/p>\n

\"The<\/a>

To add a veneer of authenticity, the scammers even listed the official Telegram channel for Portals in the phishing Mini App\u2019s profile. However, the legitimate Portals Market bot has a different username: @portals<\/p><\/div>\n

That said, the scam campaigns themselves show signs of being rushed and cutting design and copywriting costs \u2014 with obvious signs of AI involvement. Some of the messages contain leftover text fragments clearly generated by a neural network, which the scammers either forgot or couldn\u2019t be bothered to edit.<\/p>\n

How to protect your Telegram account from being hacked<\/h2>\n

The golden security rules are simple: stay vigilant, and learn the key hallmarks of these attacks:<\/p>\n