
Telegram Security

Community & Marketing

Authored by:

  • matta (The Red Guild | SEAL)
  • zedt3ster (Sigma Prime)
  • Fredrik Svantes (Ethereum Foundation)
  • Auditware

Reviewed by:

  • matta (The Red Guild | SEAL)

Summary

🔑 Key Takeaway: Stay vigilant with group chats on Telegram. Implement verification steps and secure communication practices to protect against sophisticated interception attacks.

While Telegram is widely used in the crypto community, it's crucial to understand its security limitations. Telegram does not offer end-to-end encryption (E2EE) by default, which means your messages could potentially be accessed by third parties. Additionally, Telegram's reliance on phone numbers for account creation can expose users to SIM swapping attacks, and its peer-to-peer call feature can reveal your IP address to other users. If E2EE is a priority, consider using Signal.

However, if you choose to use Telegram, the following best practices can help enhance your security.


For Individuals

These settings apply to your personal Telegram account. All team members and admins should configure these on their own accounts.

Account Security Checklist

  • Account Settings:
    • Privacy & Security >
      • Security >
        • Two-Step Verification > On
          • Telegram does not require a password by default. Enabling Two-Step Verification adds a password that acts as a second factor when logging in from a new device.
          • Because sign-ups require a phone number, this password is your main protection if you are ever SIM-swapped. Don't reuse it anywhere else.
          • Do not set a password hint, but do add a recovery email.
          • SMS Codes: Telegram sends the login code via SMS, which is not secure.
          • Email Recovery: Email recovery is offered and is more secure than SMS, but there is no option for authenticator apps or hardware keys.
          • Backup Password: If you lose this password, you may lose access to your account. Write it down offline and ensure it is not lost.
        • Local passcode > On (recommended)
          • This feature adds a passcode to access your Telegram app after a period of inactivity. The default setting is "away for 1 hour."
          • Store Passcode Securely: Do not lose this passcode—store it offline if needed.
          • Unique Passcode: Ensure it is different from your phone's unlock passcode.
        • Active sessions >
          • Telegram supports auto-terminating inactive sessions. You can also manually review and end any suspicious active sessions.
          • Review and delete all unused sessions
          • Terminate old sessions > 1 month
      • Privacy >
        • Consider adjusting the following settings based on your country, usage, and purpose for using Telegram:
        • Phone Number > Who can see my phone number > Nobody
          • Making your phone number visible can expose you to unwanted contact or social engineering attacks. Restricting visibility helps safeguard your personal info.
        • Phone Number > Who can find me by my number > My Contacts
        • Phone Number > Exceptions > Remove all
        • Last Seen & Online > Who can see my timestamp > Nobody/My Contacts
        • Last Seen & Online > Exceptions > Remove all
        • Profile Photo > Who can see my profile photo > Everybody
          • Set to Everybody to stop scammers from impersonating your profile picture.
        • Bio > Who can see my bio > Nobody (depending on use of Telegram)
        • Date of Birth > Who can see my date of birth > Nobody
        • Date of Birth > Exceptions > Remove all
        • Forwarded Messages > Who can add a link to my account when forwarding my messages > Nobody
        • Calls > Who can call me > Nobody/My Contacts
        • Calls > Exceptions > Remove all
        • Calls > Peer-to-peer > Use peer-to-peer with > Nobody/My Contacts
          • Note: Peer-to-peer calls leak your IP address to callers. Set to Nobody to preserve anonymity.
        • Calls > Peer-to-peer > Exceptions > Always allow > Remove all
        • Groups & Channels > Who can add me to groups and channels > Nobody/My Contacts
          • This helps prevent being added to random groups that may impersonate legitimate groups and lead to scams.
        • Groups & Channels > Exceptions > Remove all
        • Voice Messages > Who can send me voice messages > Nobody/My Contacts
        • Voice Messages > Exceptions > Remove all
        • Messages > Who can send me messages > My Contacts and Premium Users (or Everybody/My Contacts depending on use of Telegram)
      • New chats from unknown users > Archive and Mute > Enabled
      • Bots and Websites > Clear Payment and Shipping Info
      • Auto-Delete Messages > Set a time frame (e.g., 1 week) based on your risk tolerance
        • Consider the photo you shared with a friend several months ago. While it might have slipped your mind, an attacker who gains access to your account could find such information quite valuable.
    • Advanced >
      • Automatic media download > Disable all types in all cases
        • Note: Automatic media download leaves you exposed to advanced malware attacks.
      • Version and updates >
        • Ensure you are always using the latest version of Telegram to benefit from the newest security patches and features.
        • Check for Updates: Visit your device's app store regularly
        • Update automatically > Enabled
        • Install beta versions > Disabled

Authentication Guidelines: When establishing a secret chat, compare the encryption keys over an established, already-authenticated channel outside Telegram. When establishing a peer-to-peer (encrypted) call, compare the emojis over the same kind of out-of-band channel. These comparisons are your defense against man-in-the-middle attacks, and you must perform them if you use Telegram for private communications. That said, a secure platform such as Signal is recommended for confidential communication.


Device-Level Security

Securing the device you use for Telegram is crucial for preventing unauthorized access to your account and messages.

  • Enable Full Device Encryption:

    • Ensure your device has full disk encryption enabled
    • For iOS: This is enabled by default with a passcode
    • For Android: Go to Settings > Security > Encryption and follow instructions
  • Set Strong Device Passcodes:

    • Use alphanumeric passwords rather than simple PINs
    • Enable biometric authentication as a secondary measure
  • Keep Your Device Updated:

    • Install OS updates promptly to patch security vulnerabilities
    • Update Telegram to the latest version regularly
  • Install Security Software:

    • Use reputable anti-malware software on your device
    • Consider privacy-focused apps that detect network anomalies
  • Secure Your Backups:

    • Ensure any device backups containing Telegram data are encrypted
    • Be cautious about cloud backups that might store Telegram messages

Advanced Privacy Measures

Consider Using a Different Phone Number

Even if you implement all the recommended security measures, there are still valid reasons to use a separate phone number. For instance, it can help prevent your contacts from discovering your Telegram account or reduce the risk of accidental number exposure. This is particularly important because the "Share My Phone Number" option is enabled by default whenever you add a new contact.

Using a VoIP Number

Telegram restricts many VoIP providers, but services like Google Voice or Burner might work. Purchase a burner number solely for Telegram if you prefer additional anonymity.

Using an Anonymous Number

In December 2022, Telegram introduced support for anonymous numbers purchased through its TON blockchain infrastructure. You can also check out Fragment for such options.

Use Secret Chats for Enhanced Privacy

For conversations that require an extra layer of security, use Telegram's Secret Chats, which offer end-to-end encryption.

  1. Start a Secret Chat: Open the chat with the desired contact, tap on their name, and select Start Secret Chat
  2. Benefits:
    • Messages are encrypted and can only be read by you and the recipient
    • Offers self-destruct timers for messages
    • Prevents forwarding of messages to other chats

Data Settings

Go to: Settings > Privacy and Security > Data Settings

  • Sync Contacts: Disable (depending on use of Telegram) to prevent syncing your contacts.
  • Suggest Frequent Contacts: Disable (depending on use of Telegram) to avoid unsolicited contact suggestions.

Best Practices for Safe Use

  • Use Secret Chats: When messaging someone, create a 'secret' chat to ensure encrypted 1:1 communication, providing end-to-end encryption for sensitive transactions.
  • Verify Group Invites and Authenticity: Always triple-check group invitations and confirm the legitimacy of group chats through separate channels to avoid joining impostor groups that share malicious links.
  • Beware of Unsolicited DMs: Never trust direct messages from anyone sending links or posing as "support," "exchanges," or "team" members.
  • Double-Check Payment Details: Verify payment information through multiple methods before transferring funds to prevent fund redirection.
  • Block and Report Scammers: Use the block function to prevent further contact, and report spammers/scammers instead of just deleting chats.
  • Be Cautious with Third-Party Bots and Integrations:
    • Third-party bots can enhance functionality but may also introduce vulnerabilities.
    • Only add bots from reputable sources
    • Limit the permissions you grant to bots
    • Periodically review and remove unnecessary bots
  • Exercise Caution with Mini Apps: Avoid logging in or providing information to mini apps that redirect outside of Telegram. Triple-check the username of the mini app to ensure its legitimacy, as Telegram lacks a bot verification system. Never download or run any commands from Telegram on your device.
  • Enhance Privacy with a VPN (advanced tip): Set up a proxy or VPN to hide your IP address while using the Telegram app.
  • Stay Vigilant Against Scam Ads: Be aware that anyone can post ads in channels, with 99% being scam ads. Exercise caution when interacting with advertisements.
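As an added example (not part of the original guide), here is a Python check for the "triple-check the username" advice above. It compares a candidate @username against a constructed allowlist of official admin usernames (hypothetical names), collapsing characters that look alike in Telegram's username alphabet so that near-copies are flagged as impersonation instead of slipping past a quick glance.

```python
import unicodedata
from typing import Optional, Tuple

# Telegram @usernames are unique and limited to a-z, 0-9 and underscore;
# display names are free-form and NOT unique, so only the @username is
# worth checking. Constructed allowlist of official admins (hypothetical).
OFFICIAL_ADMINS = {"alice_support", "bob_admin", "cryptodeals_mod"}

# Single characters that read alike in the username alphabet. Underscores
# are dropped because "alice__support" and "alice_support" look identical.
_CONFUSABLE = {"0": "o", "1": "l", "i": "l", "5": "s", "3": "e",
               "4": "a", "7": "t", "_": ""}


def normalize_username(name: str) -> str:
    """Reduce a username to a skeleton in which look-alike glyphs collapse."""
    name = unicodedata.normalize("NFKC", name).lower().lstrip("@")
    # Multi-character look-alikes first (rn -> m, vv -> w), then singles.
    name = name.replace("rn", "m").replace("vv", "w")
    return "".join(_CONFUSABLE.get(ch, ch) for ch in name)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_username(candidate: str, official=OFFICIAL_ADMINS) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_official_name).
    'official'  - exact @username match: the only outcome to trust
    'lookalike' - within edit distance 1 of an official name after the
                  confusable collapse: treat as impersonation and report it
    'unknown'   - no resemblance to any admin; still not an admin"""
    cand = candidate.lower().lstrip("@")
    if cand in official:
        return "official", cand
    skeleton = normalize_username(cand)
    best = None
    for name in official:
        d = _edit_distance(skeleton, normalize_username(name))
        if d <= 1 and (best is None or d < best[0]):
            best = (d, name)
    if best:
        return "lookalike", best[1]
    return "unknown", None


if __name__ == "__main__":
    for handle in ("@alice_support", "a1ice_supp0rt", "bob_adrnin", "charlie"):
        print(handle, "->", classify_username(handle))
```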

Platform-Specific Risks: Man-in-the-Group Attack

Attackers can exploit Telegram's group chat features to intercept and manipulate communications between two parties. Here's a concise example of how such an attack might occur:

Scenario: Intercepting a Payment Deal

Step 1: Initial Communication
  • Alice and Bob decide to finalize a cryptocurrency deal using a Telegram group chat named "Crypto Deals".
Step 2: Attackers Create Cloned Groups
  • Attacker 1 creates Group A impersonating Alice.
  • Attacker 2 creates Group B impersonating Bob.
Step 3: Replicating Conversations
  • In Group A (Impersonating Alice):
    • The attacker, posing as Alice, relays Alice's messages from Group B to maintain the conversation.
  • In Group B (Impersonating Bob):
    • The attacker, posing as Bob, mirrors Bob's messages from Group A, acting as a middleman without altering the content.
Step 4: Swapping Payment Details
  • In Group A:
    • Fake Alice and Bob agree to the terms of the deal.
    • Bob shares his payment address.
  • In Group B:
    • Fake Bob shares his swapped payment address.
    • The conversation continues normally, with neither Alice nor Bob aware of the swap.
Step 5: Execution of the Scam
  • Alice sends the payment to what she believes are Bob's details but are actually those of Fake Bob.
  • The attacker now controls both ends of the conversation, having successfully redirected the funds.
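The defense against the scenario above is the out-of-band check the guide calls "Double-Check Payment Details". The following Python helper is an added example, not part of the original guide: it normalizes the address received in the group and the one confirmed over a separate, authenticated channel, compares them in full, and derives a short fingerprint that two people can read to each other on a call. It also goes one step beyond the text by flagging an address that agrees only at its beginning and end, which an eyeball comparison would pass. All sample addresses are constructed.

```python
import hashlib
import re

# Whitespace plus invisible code points that can be spliced into a pasted
# address so that it looks right while the bytes (and the wallet) differ.
_STRIP = re.compile("[\\s\u200b\u200c\u200d\u2060\ufeff]")
_EVM_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")


def normalize_address(addr: str) -> str:
    """Remove whitespace and zero-width characters. For EVM-style addresses
    also lowercase the hex so the EIP-55 mixed-case form and the plain
    lowercase form of the same address compare equal."""
    addr = _STRIP.sub("", addr)
    if _EVM_ADDRESS.fullmatch(addr):
        addr = addr.lower()
    return addr


def fingerprint(addr: str, length: int = 8) -> str:
    """Short digest to read aloud over an authenticated channel: if both
    parties say the same 8 hex characters they hold the same full address,
    without having to dictate all 42 characters."""
    digest = hashlib.sha256(normalize_address(addr).encode()).hexdigest()
    return digest[:length]


def confirm_payment_address(chat_address: str, oob_address: str) -> str:
    """Compare the address seen in the Telegram group with the one confirmed
    out of band. Verdicts:
      'match'     - identical after normalization: safe to use
      'lookalike' - same first 6 and last 4 characters but a different
                    middle; the partial check most people do would pass it
      'mismatch'  - different: do not send"""
    a = normalize_address(chat_address)
    b = normalize_address(oob_address)
    if a == b:
        return "match"
    if len(a) > 10 and len(b) > 10 and a[:6] == b[:6] and a[-4:] == b[-4:]:
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    # Constructed addresses: Bob's real one, and a swapped one that shares
    # its first and last characters.
    real = "0xAbCd1111222233334444555566667777888899aa"
    swapped = "0xAbCddeadbeefdeadbeefdeadbeefdeadbeef99aa"
    print("fingerprint to read on the call:", fingerprint(real))
    print("chat vs. out-of-band:", confirm_payment_address(swapped, real))
```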

For Team Members

These guidelines apply to team members who help manage Telegram groups/channels but don't have full administrative access.

Team members should:

  • Ensure their individual account settings are configured according to the checklist above
  • Each admin must follow the guidance for securing their individual accounts
  • Add a suffix to your username, for example: "MyName | will never DM you"
  • Understand how to verify the authenticity of admins and official messages
  • Be aware of the Man-in-the-Group Attack scenario described above

For Admins

These settings and practices apply to Telegram group/channel administrators with elevated privileges.

Channel & Group Settings Checklist

Channel Settings

  • Open channel > click channel name > Channel settings
    • Sign messages > Enable (if non-repudiation is desired)
    • Administrators > Review the list and remove any unnecessary

Group Settings

  • Open group > click group name > click three dots > Manage group
    • Channel type > Private (if public discoverability is not necessary)
    • Channel type > Content protection > Enabled (if confidentiality is needed)
    • Sign messages > Enabled
    • Chat history for new members > Hidden
      • This is not available if Topics are enabled
    • Permissions:
      • Send media > should be restricted appropriately
        • At minimum, Files and Embed links should be disabled
      • Add members > Disabled (if not necessary) [1]
      • Pin messages > Disabled
      • Change group info > Disabled
      • Slow mode > At least 10s, if not obstructive
      • Exceptions should be restricted to valid use cases
        • Team members should have exceptions granted to them for these rather than them being admins, when possible
    • Invite links > Review and remove unnecessary
      • Links should be limited by time period or number of users, when not obstructive
    • Administrators > Review and remove unnecessary & review permissions of each admin
      • Again, it is recommended to add exceptions for team members rather than add them as admins, when possible
      • Remove unnecessary permissions, especially Add new admins
      • Aggressive Anti-Spam > Enabled
    • Members > Review and remove unnecessary (If a confidential channel)

Admin Permissions Management

If you manage Telegram groups or channels, properly configuring admin permissions is crucial for maintaining security.

  • Limit Admin Privileges:

    • Go to your group/channel, tap the group name, select Administrators
    • Only grant necessary permissions to each admin
    • Avoid giving "Add Users" permission to untrusted admins
  • Implement Admin Verification:

    • Establish a verification process before promoting members to admin
    • Use separate channels (like voice calls) to confirm admin identities
    • Document when admin changes occur and why
  • Configure Group Settings:

    • Restrict member actions such as sending media or links
    • Enable "Slow Mode" for large groups to prevent spam
    • Use discussion groups for channels to control information flow
  • Audit Admin Activities:

    • Regularly review admin actions in the group
    • Remove inactive or suspicious admins
    • Consider using admin action logs if available
  • Handle Admin Transitions Securely:

    • Have protocols for transferring ownership if needed
    • Revoke admin rights immediately when team members leave
  • Limit Group Permissions: Restrict who can add members to groups to prevent unauthorized cloning and protect against raids.


Additional Recommendations

  • Add a disclaimer in the description and/or as a pinned message to your channel that states that you will not DM users, and that support will only be offered via the public channel and dedicated support channels [2]
  • Add a suffix to admin usernames, for example: "MyName | will never DM you"
  • Each admin must follow the guidance for securing their individual accounts

Educate Community Members on Security Practices

If you're managing a community on Telegram, educating your members about security is vital for collective protection.

  • Regular Security Announcements:

    • Schedule periodic reminders about security best practices
    • Pin important security announcements in your group/channel
    • Create dedicated security FAQ channels or posts
  • Clear Verification Procedures:

    • Establish and communicate how official communications will occur
    • Create verification steps for new members to follow
    • Document how to verify the authenticity of admins and official messages
  • Threat Awareness Training:

    • Share examples of common scams targeting your community
    • Post screenshots of phishing attempts (with sensitive info redacted)
    • Explain the "Man-in-the-Group Attack" and how to avoid it
  • Incident Reporting Protocol:

    • Create clear guidelines for reporting suspicious activity
    • Designate security-focused admins to handle reports
    • Acknowledge reports publicly (without specifics) to encourage vigilance
  • Security Resources:

    • Develop simple, accessible security guides for members
    • Share platform-specific security updates when Telegram releases them
    • Create a security checklist for new community members

Notes

[1] Member Control

Restricting the ability to add only to admins allows for revocability of invite links to stop raids or to freeze the channel if needed.

[2] Security Disclaimers

Telegram channels and groups should not be used for any confidential communication, as they are not end-to-end encrypted, except for 1:1 "secret chats" (which should not be commingled with unencrypted chats).

Example disclaimer: "We will NEVER message you directly to offer support or assistance with our product. For support, please email us at support@<company>.com. DO NOT interact with anyone DMing and claiming to be a <company> member. Please report scams to reports@<company>.com"