A few weeks ago, folks in Argentina started reaching out to our team about Telegram takeovers with some unusual characteristics. Notably, these incidents didn’t require victim interaction and even impacted individuals using basic best practices for operational security (opsec).
Through our investigation we learned that these were not isolated cases. Victims shared common groups and crypto-related profiles within Argentinian communities, suggesting the attacks were targeting a specific user demographic.
In every case, attackers deliberately triggered the sending of Telegram's SMS-delivered Multi-Factor Authentication (MFA) codes. Immediately afterward, login logs consistently showed identical information:
Device: Telegram iOS, 11.5.2 (29993), iPhone 16 Plus, iOS, 18.2.
Location: Buenos Aires, Argentina.
Categorizing and analyzing all collected incidents, we traced this specific attack pattern back to at least February 7th of this year and have designated the threat actor behind this attack as SLOVENLY COMET. We encourage anyone with information about SLOVENLY COMET to reach out at [email protected].
A crucial observation across successful account takeovers was the reliance on SMS-based account access codes. After testing multiple hypotheses, a coordinated effort by local security researchers and our team pointed to an emerging theory: a compromise within SMS gateway providers.
After further examination of the evidence (including screenshots, logs, and data leaks) and with the help of industry peers, our suspicions were confirmed. A Telegram bot systematically intercepted SMS messages containing MFA codes.
The log contained tens of thousands of entries like this one:
```text
24/03/2025 2:31 AM | Argentina
+54XXXXXXXXXX | Personal through Infobip Direct: 82082
12345 es tu contraseña temporal de Amazon. No la compartas con nadie.
--
26/03/2025 1:23 PM | Chile
+569XXXXXXXX | WOM through LabsMobile International +5644332XXXX
Asignamos tu Minibus Patente XXXXX +569XXXXXXX. Sigue tu viaje aquí https://tvip.cl/XXXXXX. 26 mar. 03:02 - 03:37 hrs
--
10/03/2025 4:59 PM | Uruguay
+598XXXXXXXX | Antel through Bformosa 5980
Tu Token de seguridad de **Banco Formosa** es 123456. No lo compartas o divulgues. Evita las estafas.
```
Our analysis also verified the authenticity of these records, indicating the compromise had persisted unnoticed for several weeks.
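When an intercept log like the one excerpted above surfaces, the first defender task is scoping: which carrier/gateway routes carried one-time codes or credentials, and in which countries. The following is an added example (not code from the original post, SEAL, The Red Guild, or Opsek) that parses records in the three-line layout shown above and flags bodies that look like MFA or credential messages. The sample log is constructed to mirror the excerpt, and the keyword list and digit-run heuristic are assumptions of this example, not a description of how the investigation was done.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the same layout as the leaked log excerpt above
# (numbers masked with X, codes replaced with placeholder digits).
SAMPLE_LOG = """24/03/2025 2:31 AM | Argentina
+54XXXXXXXXXX | Personal through Infobip Direct: 82082
12345 es tu contraseña temporal de Amazon. No la compartas con nadie.
--
26/03/2025 1:23 PM | Chile
+569XXXXXXXX | WOM through LabsMobile International +5644332XXXX
Asignamos tu Minibus Patente XXXXX +569XXXXXXX. Sigue tu viaje aquí https://tvip.cl/XXXXXX. 26 mar. 03:02 - 03:37 hrs
--
10/03/2025 4:59 PM | Uruguay
+598XXXXXXXX | Antel through Bformosa 5980
Tu Token de seguridad de **Banco Formosa** es 123456. No lo compartas o divulgues. Evita las estafas.
"""


@dataclass
class SmsRecord:
    timestamp: datetime
    country: str
    recipient: str   # masked destination number
    carrier: str     # e.g. "Personal", "WOM", "Antel"
    gateway: str     # e.g. "Infobip Direct: 82082"
    body: str


# Line 1: "<dd/mm/yyyy h:mm AM|PM> | <country>"
HEADER_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2} [AP]M) \| (.+)$")
# Line 2: "<recipient> | <carrier> through <gateway>"
ROUTE_RE = re.compile(r"^(\+\S+) \| (.+?) through (.+)$")

# Heuristics (assumed for this example): a 4-8 digit run plus a code/credential keyword.
OTP_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")
SENSITIVE_KEYWORDS = ("contraseña", "password", "token", "código", "codigo", "clave", "code")


def parse_log(text):
    """Split the log on '--' separators and parse each record; malformed blocks are skipped."""
    records = []
    for block in text.strip().split("\n--\n"):
        lines = [ln for ln in block.strip().splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        head = HEADER_RE.match(lines[0])
        route = ROUTE_RE.match(lines[1])
        if not head or not route:
            continue
        records.append(SmsRecord(
            timestamp=datetime.strptime(head.group(1), "%d/%m/%Y %I:%M %p"),
            country=head.group(2).strip(),
            recipient=route.group(1),
            carrier=route.group(2).strip(),
            gateway=route.group(3).strip(),
            body=" ".join(lines[2:]),   # multi-line bodies are joined
        ))
    return records


def is_sensitive(record):
    """True when the body carries both a code-like digit run and a credential keyword."""
    lowered = record.body.lower()
    return any(k in lowered for k in SENSITIVE_KEYWORDS) and OTP_RE.search(record.body) is not None


def exposure_summary(records):
    """Count sensitive messages per (country, carrier, gateway) route to scope the exposure."""
    counts = Counter()
    for rec in records:
        if is_sensitive(rec):
            counts[(rec.country, rec.carrier, rec.gateway)] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for route, n in exposure_summary(parsed).items():
        print(f"{n} sensitive message(s) via {route[0]} / {route[1]} through {route[2]}")
```

The route tuple (country, carrier, gateway) is what matters for notification: it tells you which provider relationships to escalate to, independent of which brand sent the message. The keyword check is deliberately conservative; a real triage would extend it with the sender templates of the services named in this post.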
Because many companies use the same handful of SMS gateway providers, attackers successfully intercepted SMS-based MFA messages from numerous prominent services including Google, Microsoft, Apple, Telegram, Facebook, Mercadolibre, Amazon, Binance, Betfun, Instagram, TikTok, Temu, and Signal, as well as regional services such as Mercado Pago and Mi Argentina (Argentina), Banco Formosa (Uruguay), and TRANSVIP (Chile). Based on internal investigations, publicly available information, and leaked data, we believe at least 50 services were affected.
Additionally, the intercepted messages included highly sensitive data such as credentials, personal details, and MFA codes, which explains how Telegram account takeovers occurred without user interaction.
The compromise was identified in a critical infrastructure layer essential to these SMS services. We’ve already notified relevant parties, telecom operators, and government agencies, all of whom are actively investigating the situation and developing appropriate mitigations.
We expect greater clarity about this incident to emerge in the upcoming days as more organizations in this supply chain disclose details from their own investigations. This information will shed more light on how to enhance user protection against similar attacks. Meanwhile, we suggest all individuals and organizations reconsider their dependence on SMS for MFA.
Specifically:
This attack is a painful reminder of how interconnected technology services are, and that supply chains are only as strong as their weakest link.
This investigation was led by The Red Guild and Opsek (Pablo Sabbatella). For more information or inquiries, you can contact them via their respective websites.
If you believe you have been impacted by SLOVENLY COMET, you can message the SEAL 911 Bot to be automatically connected with our security specialists. SEAL 911 is a free service offered by SEAL for responding to ongoing or imminent Web3 security incidents at any time of the day.