๋ฌธ์˜ํ•˜๊ธฐ
๋ธ”๋กœ๊ทธ

Telegram QR Phishing Threat – Account Takeover with a Single Scan

Telegram QR code phishing has recently been spreading rapidly, emerging as a significant cybersecurity threat. While Telegram is recognized for its strong security and privacy features, attackers are now exploiting its QR login functionality to compromise user accounts. With just a single scan, attackers can gain full access to an account, leading to far more sophisticated and severe consequences than traditional phishing attacks.

In this blog, we outline real cases of how attackers exploit Telegram’s QR login feature, analyzing the technical characteristics of phishing sites and suspicious indicators. We also highlight how Criminal IP can be used to detect and respond to such threats, and we provide a comprehensive overview of the risks associated with QR code phishing (also known as Quishing) and strategies to defend against it.

A New Method of Phishing: QR Codes (Quishing)

Threat actors are increasingly leveraging QR phishing (Quishing) by sending QR codes through emails or messages to lure victims into malicious websites. Although a QR code appears as a simple image, the URL it encodes is only revealed once a mobile device scans it. This makes QR codes an effective way to bypass traditional security filters, which inspect links in text rather than the content of images.

These attacks are far more sophisticated than traditional phishing, which only attempted to trick users into clicking a link. Threat actors now leverage techniques such as split QR codes or overlapping QR codes, making detection even more challenging. Commonly, they impersonate cloud providers, banks, or messaging platforms, and persuade victims to scan by presenting the QR code as a “security check” or an “account activity review.”

Anatomy of Telegram QR Phishing Attacks

Telegram offers a login method on desktop browsers where users scan a QR code with the mobile app to authenticate.

Attackers exploit this sign-in flow to compromise user accounts as follows:

1. Phishing site embedded with a real QR code

Telegram QR Code Phishing Page

The attacker generates an actual QR code from the official Telegram website and inserts it into a fake login page. The site’s interface closely resembles the original, making it difficult for users to recognize the deception.

2. User scans the QR code with the mobile app

Login Approval Request notification displayed in the mobile app

When the user scans the QR code, it appears to be part of the normal authentication flow in the mobile app. The Telegram app even displays messages such as “Confirm,” which makes the phishing attempt seem like a legitimate login process.

3. Account takeover and secondary data exposure

Example of leaked Telegram user data shared in a dark web community | Source: MoneyToday

Once a user approves the login, their account becomes linked to the attacker’s browser session. Consequently, all information, including chat history, contacts, and files, is instantly accessible to the attacker. Stolen data is often sold or leaked on the dark web, leading to further exploitation.

What makes this attack particularly dangerous is that no credentials are entered during the process. Victims merely scan a QR code and tap “OK” in the app, yet this simple action grants the attacker full account access and can lead to significant secondary damage.

Detecting QR Code Phishing Sites with Criminal IP Domain Search

We analyzed domains of real Telegram phishing sites detected by Criminal IP Domain Search and identified the following characteristics.

Criminal IP Domain Scan Report: “https://telercg[.]com”

Through Criminal IP’s Domain Search, the domain telercg[.]com was evaluated with a Critical risk score of 99%. The domain also shows a very short registration history, making it unlikely to be a legitimate or trustworthy official site. Such phishing domains should be blocked immediately, and continuous monitoring and detection of similar domains are strongly recommended.

The IP address associated with the detected phishing domain, 154[.]198[.]49[.]34, shows several warning signs as well. A detailed analysis of this IP confirms the severity of the attacker’s infrastructure.

The results of this analysis, conducted through Criminal IP Asset Search, are shown below.

Criminal IP IP Report: “154[.]198[.]49[.]34”

Criminal IP Asset Search results for the IP address ‘154[.]198[.]49[.]34’ linked to the phishing domain

In an analysis of the IP address 154[.]198[.]49[.]34, the SSL certificate was found to be expired. An expired certificate means secure connections may not be properly established when users access the site, which is a strong indicator of low trustworthiness. If a phishing login page uses such a certificate, any credentials or personal data entered by users are at high risk of exposure.

Criminal IP Asset Search showing a vulnerability on port 22 among five open ports detected

Among the five open ports detected on the IP address, port 22 (SSH) was accessible and found to have a critical-level vulnerability. Given these signs, this IP address is more likely part of an attacker-controlled or compromised infrastructure rather than a legitimately maintained production server.

Domains linked to IPs with these risk indicators should be blocked immediately, and monitoring and access control for the relevant IP ranges should be strengthened.

Telegram Users: How to Prevent QR Code Phishing

QR phishing demonstrates that serious security incidents can occur not just from clicking a suspicious link, but from scanning an ordinary-looking QR code.

The following security practices are critical for proactively preventing such threats.

  • Verify the source before scanning: Always check the sender and the domain of any message or email containing a QR code.
  • Enable two-factor authentication (2FA): Strengthen the security of your Telegram and other critical accounts by enabling 2FA.
  • Pre-check suspicious domains: Use security platforms like Criminal IP to assess the risk level of domains before visiting them.

FAQ

Q1. How can I tell if scanning a QR code is safe?

Since the embedded link in a QR code is not immediately visible, it is difficult to assess its safety solely by sight. Therefore, avoid scanning QR codes from unknown sources. For protection, use apps that offer a URL preview or copy the extracted URL into a security analysis tool before accessing it.

Q2. What measures are necessary for prevention?

  • Domain filtering: Block newly registered domains or those with high-risk ratings in advance.
  • Adopt phishing detection tools: Use tools with automatic blocking features, such as AI-powered URL analysis platforms or Chrome extensions.
  • Regular monitoring: When suspicious links or traffic are detected, threat intelligence platforms such as Criminal IP should be used to respond early.
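The indicators the domain and IP reports above walk through (a lookalike domain, a very short registration history, an expired certificate, SSH exposed on a public host) and the domain-filtering step in Q2 can be combined into a triage check run on a URL decoded from a QR code before anyone opens it. The following is an added example, not Criminal IP's code or API; the host allow-list, the 90-day "newly registered" window and the similarity threshold are assumptions, and the report values in the sample are constructed.

```python
# Added example (not Criminal IP's code): triage a URL decoded from a QR code
# against the indicators the report above describes, before anyone opens it.
from dataclasses import dataclass, field
from datetime import date
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the allow-list of genuine Telegram login hosts a team would maintain.
TELEGRAM_HOSTS = {"telegram.org", "web.telegram.org", "t.me"}
BRAND = "telegram"
NEW_DOMAIN_DAYS = 90   # assumption: anything younger counts as "newly registered"

@dataclass
class DomainFacts:
    """Facts an analyst copies from a domain/IP report (constructed here, no live lookups)."""
    registered: date
    cert_expires: date
    open_ports: set = field(default_factory=set)

def host_of(url: str) -> str:
    """Lower-cased hostname of the URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def brand_similarity(host: str) -> float:
    """Similarity (0..1) between the host's second-level label and the brand name."""
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else host
    return SequenceMatcher(None, label, BRAND).ratio()

def triage(url: str, facts: DomainFacts, today: date) -> list:
    """Return the indicator codes that apply; an empty list means nothing was flagged."""
    host = host_of(url)
    flags = []
    if host not in TELEGRAM_HOSTS:
        # A non-official host that still resembles the brand is a typo-squat candidate.
        if brand_similarity(host) >= 0.6:   # threshold is an assumption
            flags.append("lookalike_domain")
        else:
            flags.append("not_official_host")
    if (today - facts.registered).days < NEW_DOMAIN_DAYS:
        flags.append("newly_registered")
    if facts.cert_expires < today:
        flags.append("cert_expired")
    if 22 in facts.open_ports:
        flags.append("ssh_exposed")
    return flags

if __name__ == "__main__":
    # Constructed sample modelled on the post's report: young domain, expired cert, SSH open.
    facts = DomainFacts(date(2025, 1, 10), date(2025, 3, 1), {22, 80, 443, 8080, 8443})
    print(triage("https://telercg.com/login", facts, today=date(2025, 3, 15)))
    # -> ['lookalike_domain', 'newly_registered', 'cert_expired', 'ssh_exposed']
```

Any non-empty result on a host outside the allow-list is a block decision under the policy the post describes; the official host with a current certificate and no SSH exposure returns an empty list.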

Conclusion

Phishing techniques that exploit QR codes, such as the fake Telegram login page hosted on telercg[.]com, are becoming increasingly sophisticated. Unlike traditional phishing that merely lures users into clicking a link, these attacks leverage mobile security blind spots and exploit users’ implicit trust in QR codes.

To effectively prevent such phishing attempts, it is essential to verify the safety of any QR code or embedded link found in messages or emails using a URL scanning tool like Criminal IP before accessing them. For users who find manual checks impractical, deploying Chrome extensions or other automated phishing-blocking tools is strongly recommended to ensure malicious sites are blocked in real time.


Source: Criminal IP (https://www.criminalip.io/), Cyber Security News (https://cybersecuritynews.com/hackers-weaponize-qr-codes-embedded/)

Related article: https://www.criminalip.io/knowledge-hub/blog/25594