Advertising phishing and Telegram channel security


Advertising, phishing and capitalization

On a widely followed Telegram channel about Dress Up fashion, mid-July brought a troubling message from a supposed manager urging the audience to “raise the capital.” The public story shows the channel thwarting a scammer who claimed to be an ad professional.

According to Ekaterina Lemekh, author of Dressed to Kill, the attacker asked for channel statistics through a tool called Telemetry-plus before any ad purchase. She shared a link, and nothing appeared suspicious at first because the data seemed to come from standard sources that provide statistics. When she attempted to visit Telegram again, a registration window appeared as if she had never logged in before.

The scammer then contacted a fraudulent assistant and demanded money, threatening to “harm” the channel’s viewers unless the owner paid up. In a conversation with socialbites.ca, Lemekh explained that once the attackers gained access, they transferred control of the channel to another account using the old alias, and then the page was deleted.

Subsequently, the subscribers could not detect any change because the administrator’s name and the photo looked unchanged, notes Lemekh.

Investigators later found that the scammers were using the Dressed to Kill channel as a stepping stone, planning a post that would promise subscribers a dramatic capital increase of 8 to 12 times. The fake manager requested a 15 percent cut of the net profit for this service.

Participants were sent a private message with a link to a bot that was pitched as a way to gamble on cryptocurrency price movements. The initial stake was reported as 15 thousand rubles, with higher amounts possible. The deception claimed that users would deposit money, keep playing, and then withdraw profits; in reality, no profits appeared, and the scammers directed victims to contact a supposedly legitimate bot’s support. The bot masqueraded as Quotex, a platform associated with digital asset trading.

In total, about ten Dressed to Kill subscribers are said to have fallen for the scam, each transferring around 15 thousand rubles, with one subscriber sending 130 thousand rubles. Through persistent effort, Lemekh and the community managed to regain access to the channel. However, a flood of complaints led Telegram to place a “Scam” badge on the channel, a warning the platform uses for accounts with numerous fraud reports.

According to Lemekh, mail and Telegram support offered little help. Volunteers responded through the messaging app, with no official representatives visible. A recovery specialist eventually helped lift the badge, but the process highlighted the slow and fragmented support from the platform. The episode underlined the vulnerability of channel owners and their followers to coordinated deceit.

Channel Play Mechanics

In a discussion with socialbites.ca, Pavel Kovalenko, director of the Informzaschita anti-fraud center, described the Dressed to Kill case as a textbook phishing scenario. A fake page is created to lure victims into entering their credentials through social engineering, a tactic that leverages trust and familiarity to extract sensitive data.

The expert noted that account theft and phishing via Telegram are growing trends. Telegram channels draw frequent traffic from users, increasing the pool of potential victims compared with standard email or other social networks. This elevated exposure heightens the risk of compromised accounts.

Researchers from the Incident Response Center CERT-GIB, part of Group-IB, suggested that the Telemetry-plus resource used by the scammers was designed to appear like a legitimate channel statistics tool. They observed several red flags, including the registration date in early July and a domain and content setup that resembled known telemetry sites. Phishing sites often mimic legitimate services, and this case followed that pattern.

When attempting to load channel statistics, the process required the user to submit a channel link. A warning would claim that the channel lacked a database entry and needed to be added. The form accepted any input with no validation. Victims were then asked to authorize by connecting the channel from the owner’s account so the supposed bot could read statistics. The redirect led to an unfamiliar authorization domain that had recently appeared. Researchers also noted that the homepage previously hosted a landing page for an affiliate ad distribution program. The flow likely redirected users to the Telegram authorization channel to complete the scam.
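The red flags described above can be turned into a check a channel owner or analyst runs before logging in anywhere. This is an added example, not code from the article or from the researchers it quotes; the host names are placeholders, the registration dates are constructed, and the 90-day cutoff is an assumption.

```python
from datetime import date
from urllib.parse import urlsplit

TELEGRAM_DOMAINS = ("telegram.org", "t.me")   # Telegram-operated domains
TRUSTED_STATS = ("channelstats.example",)     # placeholder: services you already use
MIN_AGE_DAYS = 90                             # assumed cutoff for "recently registered"

def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def under(host, domains):
    """True only for the domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def assess(chain, registered, today):
    """chain: URLs in the order visited; the last one asks for the Telegram login.
    registered: {host: registration date} looked up beforehand (e.g. via WHOIS)."""
    brands = ["telegram"] + [d.split(".")[0] for d in TRUSTED_STATS]
    findings = []
    for url in chain:
        host = host_of(url)
        if under(host, TELEGRAM_DOMAINS + TRUSTED_STATS):
            continue
        # A trusted name embedded in an unrelated host is a lookalike.
        flat = host.replace("-", "")
        findings += [(host, "lookalike:" + b) for b in brands if b in flat]
        created = registered.get(host)
        if created and (today - created).days < MIN_AGE_DAYS:
            findings.append((host, "new-domain"))
    # The login step must happen on a Telegram domain, nowhere else.
    if chain and not under(host_of(chain[-1]), TELEGRAM_DOMAINS):
        findings.append((host_of(chain[-1]), "login-off-telegram"))
    return findings

# Constructed sample: a "statistics" page that redirects to its own login form.
SAMPLE_CHAIN = ["https://channelstats-plus.example/check?channel=mychannel",
                "https://tg-auth-login.example/login"]
SAMPLE_WHOIS = {"channelstats-plus.example": date(2024, 7, 3),
                "tg-auth-login.example": date(2024, 7, 10)}

if __name__ == "__main__":
    for host, flag in assess(SAMPLE_CHAIN, SAMPLE_WHOIS, date(2024, 7, 20)):
        print(host, flag)
```

Any single finding is a reason to stop; `login-off-telegram` in particular means the credentials or login code would go to a third party.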

Possible schemes

Vladimir Zykov, director of the Association of Professional Users of Social Networks and Messengers, stated that the Dressed to Kill case is not an isolated incident. He pointed to multiple scam schemes that rely on hijacking a Telegram channel and its owner’s identity. The attacker can exploit a variety of scenarios, especially during busy periods when the channel owner is away. A copied SIM card, for example, could enable the attacker to re-register the channel and remove the original owner. Personal information, including private messages, can be exposed in such breaches. Recovery often hinges on the mobile operator and can require in-person steps that are challenging when traveling. The expert also warned about logging in over public Wi‑Fi networks, where attackers can gain access to usernames and passwords.

Phishing schemes vary widely, but the core tactic remains constant: tricking users into providing credentials. Scammers constantly devise new ways to obtain login details, and the situation in Telegram reflects this ongoing risk.

How to protect your Telegram account

Dmitry Galov, a cybersecurity expert at a leading security firm, discussed the attackers’ incentives for hacking Telegram channels. Motives can range from ransom to broader control of assets. He stressed that social engineering, phishing, and remote malware are common attack vectors. To reduce risk, users should adopt strong security practices. Enabling two-factor authentication adds a crucial layer of protection: with it turned on, a verification code alone is not sufficient, because the attacker also needs the password.

Galov also advised reviewing the Active Sessions section to see which devices are logged in. If any unfamiliar device appears, the session should be terminated and the password changed if necessary. Avoid clicking suspicious links in messages and refrain from entering personal information on dubious pages, even when the message appears legitimate. When in doubt, installing a security solution on devices and scanning incoming files or archives can help prevent threats.
