Iranian hackers using Telegram to steal data, warns FBI
Iranian hackers are stealing information from dissidents, opposition groups and journalists worldwide through Telegram, the US Federal Bureau of Investigation (FBI) has warned.
According to a warning issued on Friday, the hackers first contact targeted individuals while posing as someone the target knows or as technical support. They then trick the victim into clicking a malicious link, which leads to a malware file designed to look like Telegram or WhatsApp. Once the malware is installed, the infected device connects to a specific Telegram bot, allowing the hackers to remotely control the entire computer.
The FBI said hackers are able to steal files, take screenshots and record Zoom calls from victims' devices. Because these activities are conducted within legitimate Telegram network traffic, anti-malware software struggles to detect them.
The agency claims the hackers behind these attacks are working on behalf of Iran's Ministry of Intelligence and Security. The warning mentions a fake hacktivist group named 'Handala', which is pro-Iran and pro-Palestine. Earlier this month, the group claimed responsibility for a cyberattack on US medical tech giant Stryker, which resulted in data being wiped from thousands of company employees' devices.
Last week, the US Department of Justice alleged that Handala is essentially a front organisation for the Iranian government and played a direct role in the Stryker hack. At the same time, the FBI seized and shut down four websites connected to Handala and another Iranian hacktivist group, 'Homeland Justice'.
A Telegram spokesperson said the platform's moderators regularly remove accounts related to malware.
