u/Neednostuff

Multi-stage Telegram account hijacking targeting a Business Group (MTS Serbia)

Hello everyone,

I’m facing a persistent and sophisticated attack on my Telegram account, and it seems to be part of a larger breach involving a business cellular contract (MTS Biz Morava, Serbia). I need help identifying the exact attack vector and how to stop it.

The Context:

  • Target: Multiple phone numbers (mine + 3 others) under the same business contract.
  • The Breach: Fake Telegram accounts were created for the other 3 users without their knowledge. My existing account was compromised twice.

Timeline of my specific case:

  1. First Breach (1 month ago): My account was hacked despite having 2FA (cloud password) enabled. However, no recovery email was linked at the time. I had to wait 7 days to reset the account entirely.
  2. Second Breach (2 days ago): This time, I had a strong 2FA password AND a recovery email linked.
  3. The Bypass: Even with 2FA, the attackers managed to:
    • Input the login code.
    • Gain "partial access" to the session.
    • Change my recovery email to their own without triggering a lockout.
    • Initiate a full account reset process.
  4. Current Status: I am trying to cancel the reset process, but the confirmation codes/voice calls are not reaching my SMS/device, suggesting they might have hijacked the signal or are suppressing the notifications.

Technical Observations:

  • Checking *#62# showed standard carrier forwarding to the "Missed Call Alert" service (+381650009600), but the breach happened regardless.
  • The fact that multiple users under the same Business Contract are affected suggests the entry point might be the Carrier’s Business Portal or a SIM Swap targeting the entire group.
  • I did have one desktop session running from my PC, so I guess they could have stolen the live session, but I've disconnected that session since then, and attackers keep trying.

My Questions:

  1. Since this involves a Business Plan, is it possible they are intercepting SMS via a compromised Carrier Management Portal?
  2. How else can they even do this? I'm careful about security, and this is the first time I can't understand the methods being used.

Any insight would be greatly appreciated.

u/Neednostuff — 3 days ago