The Israeli Internet Association warned Tuesday of a surge in attempts to hijack Telegram accounts belonging to Israelis through the exploitation of voicemail systems.
Hackers have been targeting existing Telegram accounts and, in some cases, registering new ones using the phone numbers of people who have never used the app, including minors, according to Yonatan Ben Hurin, director of the Safe Internet Help Line.
The association said the wave of attacks appears to be part of a broader cyber campaign that has likely originated in Bangladesh and Indonesia—countries from which Israel has experienced multiple cyber incidents since the start of the Iron Swords war. It remains unclear whether the operation is intended to spread terror, influence public discourse, or is simply criminal in nature.
In recent weeks, the association noted a significant uptick in reports, prompting Tuesday’s public alert.
“This campaign is marked by persistence,” Ben Hurin told Ynetnews. “Unlike WhatsApp attacks, which typically involve message chains, this approach is more invasive and includes accessing users’ personal voicemail. It’s especially concerning with Telegram, where a user’s entire chat history is stored.”
Exploiting default voicemail passwords
The attackers exploit a common vulnerability: many users never change the default PIN on their voicemail, often set to “1234.” The attack method involves initiating a Telegram login on a victim’s account. Telegram sends a verification code by voice call if the SMS option is bypassed. If the victim doesn’t answer, the message with the code is left in voicemail. Hackers then access the voicemail remotely using the default PIN and retrieve the code, allowing them to log in and take control of the account.
<< Get the Ynetnews app on your smartphone: Google Play: https://bit.ly/4eJ37pE | Apple App Store: https://bit.ly/3ZL7iNv >>
Hackers have also been known to place decoy calls from foreign or masked numbers—sometimes using Bangladeshi dialing codes—to distract victims and ensure the verification call goes unanswered.
Once inside, attackers disconnect the user from all devices, preventing them from regaining access. The compromised accounts are then used to impersonate the victim, scam contacts or distribute illegal content.
Some victims reported that, after the takeover, their profile pictures were changed to photos of attractive Asian women—possibly in preparation for phishing schemes or extortion. The use of fake female profiles is a known tactic in social engineering attacks.
How to protect your account
The Israeli Internet Association advises the public to disable voicemail services or, at the very least, change the default voicemail PIN to a strong and unique password. Users are also urged to activate Telegram’s two-step verification feature via Settings > Privacy and Security > Two-Step Verification.
Those who receive alerts about email changes or logins from unknown devices should act immediately by removing unfamiliar email addresses in the app’s settings and disconnecting unauthorized devices via Settings > Devices > Terminate All Other Sessions.
If a user is already locked out, Telegram allows for a one-week waiting period to reset the associated email. Alternatively, a Telegram Premium subscription enables immediate recovery via SMS.
First published: 17:48, 04.01.25