“Telegram – Voicemail”: How an Old Phone Feature Can Expose a Modern Messaging App

In 2024–2025, Israel saw a wave of attempts to hijack Telegram accounts, some of which relied on an unexpected angle: the old-fashioned voicemail service provided by mobile carriers.

The attack pattern, informally dubbed “Telegram – Voicemail”, shows how a weak link in legacy telephony infrastructure can become the entry point into a modern messaging platform.

This article summarizes, in an informational and non-technical way, how the pattern works, how it was documented in the field, and what users and IT professionals can learn from it.

The core idea: a verification code that lands in voicemail

Telegram authenticates users using a one-time verification code sent to their phone number:

• By default – via SMS.

• But in some cases – via an automated phone call that reads the code aloud.

If the user doesn’t answer the call, the recorded message may be stored in the voicemail of that line.

Here is where an old weakness comes in:

• For many users, voicemail is enabled even if they never actively use it.

• The voicemail inbox is often still protected by a default PIN set by the carrier, or a very simple code.

In that situation, an attacker who manages to access the voicemail (for example by exploiting default PINs, weak codes, or remote access features) can, under certain conditions:

1. Listen to the Telegram automated call,

2. Capture the verification code,

3. Complete the sign-up or login process for a Telegram account registered to that number.

Once inside, the attacker can disconnect the legitimate owner from the account and use it for:

• Impersonation,

• Phishing and social engineering,

• Spreading content under someone else’s identity,

• Harvesting personal or sensitive information.

Out of responsibility, this article deliberately does not describe the full technical attack chain step by step, and focuses instead on the general principle and on mitigation.

How the pattern was spotted: a client case that didn’t add up

One documented case that brought this pattern into focus occurred in October 2024, during routine work by a system administrator and IT manager in a managed services company.

A client reported that a Telegram account had been opened on her phone number, even though she had never installed Telegram and had no intention of using it.

The account was recovered and secured – but shortly afterwards, it was compromised again.

The combination of:

• repeated compromise on the same phone number, and

• the way Telegram handles phone-based verification,

together with an understanding of how voicemail works on Israeli mobile lines, led to a working assumption:

This was not just a random glitch or a single fraud case – but a systemic attack pattern exploiting the link between Telegram and voicemail.

The incident was documented in an internal security report, describing a plausible pattern: a verification code delivered by automated call, stored in a voicemail inbox protected by a weak or default PIN, and retrieved remotely by an attacker.

The formal complaint: classified as “National Security”

Based on that analysis and out of concern for broader implications, a formal complaint was filed through Israel’s online reporting system for law enforcement and cyber authorities.

The complaint, submitted by system administrator Binyamin Brandstetter, described:

• the suspected attack pattern,

• the use of voicemail as the weak link,

• and the potential for systematic abuse of Israeli phone numbers, including “kosher” phones and users who are not even aware that a Telegram account has been opened in their name.

The report was classified under the category “National Security”, reflecting the concern that such a pattern could be used not only for fraud, but also for intelligence-gathering or targeted social manipulation.

According to the documentation, within about 15 minutes of submitting the complaint, Brandstetter received a phone call from an investigator:

• The investigator verified the details,

• Asked clarifying questions,

• And stated that the case would be passed on to the relevant units.

The speed and seriousness of this response suggested that the authorities also saw the potential for a wider-scale risk, and not just a “technical complaint” from a single client.

Initiative from the field as a complement to cyber agencies

This case illustrates how front-line technical staff can play a crucial role alongside formal cyber bodies:

• A sysadmin or IT manager who handles support for many end-users is often the first to see “strange patterns”.

• When they document, analyze and escalate what they see as a systemic issue rather than just a local bug, that information can quickly reach official cyber and law enforcement channels.

In that sense, the “Telegram – Voicemail” story is not only about a technical weakness, but also about the importance of professional initiative and civic responsibility among IT practitioners.

System response: public warnings and user guidance

After information accumulated about attempts to hijack Telegram accounts in this way, official cyber bodies in Israel began issuing public alerts.

In these advisories, the attack pattern was briefly described, and several mitigation steps were recommended, including:

• Disabling voicemail for users who do not need it.

• Changing the default voicemail PIN to a strong, unique code.

• Enabling two-step verification in Telegram, so that a one-time code alone is not enough to access the account.

Later, Israeli media outlets and internet organizations joined with their own explanations and step-by-step guides, in Hebrew and English, including coverage of the impact on:

• owners of “kosher phones”,

• and contexts where information security is particularly sensitive.

A broader pattern: when new apps rely on old infrastructure

The “Telegram – Voicemail” issue is not unique to Israel, and not unique to Telegram.

In previous years, similar cases were documented worldwide in other messaging apps, based on essentially the same idea:

• A modern messaging service,

• A phone-based verification mechanism,

• And a voicemail inbox whose security is stuck in the past.

Whenever a new service relies on an older infrastructure layer whose default settings were not designed with today’s threat landscape in mind, the weakest link can shift from the app itself to the legacy system it depends on.

Current status and the user’s share of responsibility

At the time of writing, public discussions suggest that there has not yet been a complete, end-to-end fix at all levels – neither on the application side, nor across all telephony providers.

As a result, a significant part of risk reduction still depends on user behaviour and configuration.

Key recommendations for users include:

1. Voicemail

   
   

   • If you don’t use voicemail – ask your mobile carrier to disable it.

   • If you do use it – make sure you change the default PIN to a strong, unique code.

   
   

2. Two-step verification in Telegram

   
   

   • Turn on two-step verification (an additional password) in Telegram’s security settings.

   • That way, even if a one-time code is exposed, it will not by itself grant access.

   
   

3. Review connected devices

   
   

   • Periodically check which devices are logged into your Telegram account.

   • Disconnect any device you don’t recognize.

   
   

4. Treat unrequested codes as a red flag

   
   

   • If you receive SMS or calls with verification codes that you did not request, assume someone may be trying to access your account.

   • This is the moment to tighten your security settings – and, if needed, to seek advice or report the incident.

Conclusion

The “Telegram – Voicemail” pattern is a clear example of how:

• a legacy telephony service,

• a modern messaging app, and

• weak default configurations

can combine into a real risk for personal accounts and sensitive information.

It also highlights a broader point: cyber defence is not only the domain of national agencies and large security companies. Sometimes, a single, well-documented incident report, submitted by a sysadmin under the category “National Security”, can be the missing link between a strange case in the field and a system-wide response.

For IT professionals, support staff and system administrators, the message is simple:

When something looks “off” in a way that doesn’t fit the usual pattern –

don’t just fix it and move on.

Document it, think system-wide, and, if warranted, escalate it.

In a connected world, that kind of initiative can make a real difference.

Further reading – Israeli reports and official warnings

Internet Association / Mako: Warning about Telegram account hijacking via voicemail

https://www.mako.co.il/nexter-news/Article-81161769550f591027.htm

Ynet (Hebrew): Cyber campaign against Israelis – Telegram accounts hijacked through voicemail

https://www.ynet.co.il/digital/technews/article/b1b11a7ftke

Ynetnews (English): Telegram accounts of Israelis hijacked via voicemail

https://www.ynetnews.com/business/article/sya8100kayg

IsraelDefense: Analysis of the Telegram voicemail fraud and how the attack works

https://www.israeldefense.co.il/node/64787

National Cyber Directorate (gov.il): Official recommendations for securing your Telegram account

https://www.gov.il/he/pages/_telegram_recommendations2024

Israel National Cyber Directorate: “Protect your Telegram account – how to prevent voicemail-based hijacking” (Telegram / Facebook)

https://t.me/s/Israel_Cyber/182

https://www.facebook.com/IsraelCyber/posts/1009067051252364

Further reading – Public explanations and broader context

Cybertis: Cyberattacks and scams during wartime – the new digital front, including Telegram voicemail attacks

https://www.cybertis.co.il/post/%D7%9E%D7%AA%D7%A7%D7%A4%D7%95%D7%AA-%D7%A1%D7%99%D7%99%D7%91%D7%A8-%D7%95%D7%94%D7%95%D7%A0%D7%90%D7%95%D7%AA-%D7%91%D7%96%D7%9E%D7%9F-%D7%9E%D7%9C%D7%97%D7%9E%D7%94-%D7%97%D7%96%D7%99%D7%AA-%D7%93%D7%99%D7%92%D7%99%D7%98%D7%9C%D7%99%D7%AA-%D7%97%D7%93%D7%A9%D7%94

Israel Internet Association – “Safe Internet” helpline: Support, reporting and assistance after scams and account takeovers

https://www.isoc.org.il/digital-literacy/report

Kaspersky: How to prevent WhatsApp and Telegram account hijacking – practical protection guide

https://www.kaspersky.com/blog/how-to-prevent-whatsapp-telegram-account-hijacking-and-quishing/53012/

From around the world – similar voicemail-based attacks (WhatsApp / Telegram)

Medium: “Taking over WhatsApp accounts by reading voicemails” – technical walkthrough

https://medium.com/@rramgattie/taking-over-whatsapp-accounts-by-reading-voicemails-68ad70dc2499

Sophos News: Attackers use voicemail hack to steal WhatsApp accounts (default voicemail PIN abuse)

https://news.sophos.com/en-us/2018/10/08/attackers-use-voicemail-hack-to-steal-whatsapp-accounts/

Times of Israel: Israelis’ WhatsApp accounts hacked due to a security loophole (verification code via voicemail)

https://www.timesofisrael.com/israelis-whatsapp-accounts-said-hacked-due-to-security-loophole/

Sophos News: Hackers target Telegram accounts through voicemail backdoor

https://news.sophos.com/en-us/2019/07/30/hackers-target-telegram-accounts-through-voicemail-backdoor/

GBHackers: Hackers hijack Telegram accounts via default voicemail passwords

https://gbhackers.com/hackers-hijack-telegram-accounts/

Cyberpress: Telegram accounts hijacked – overview of recent Telegram account takeovers

https://cyberpress.org/telegram-accounts-hijacked/

Infologo Security Blog: Hacking into WhatsApp accounts via voicemail – an ingenious approach

https://infologo.ch/en/blog/hacking-into-whatsapp-accounts-via-voicemail-an-ingenious-approach/

Swiss NCSC weekly review: Examples of account takeover via voicemail (including WhatsApp / Telegram)

https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2023/wochenrueckblick_32.html