Telegram is one of the most used messaging platforms in the world, making it the perfect target for bad actors looking to exploit its massive user base. This time, security researchers found a way to use specially crafted t.me links (or any other link) to expose your real IP address.
Here"s how it works: An attacker creates a special link that points to a proxy server under their control but disguises it as an ordinary username. When a user on an Android or iOS device clicks this link, the Telegram application automatically attempts to connect to the attacker"s server to test the proxy connection.
This happens before the user is ever asked for confirmation, bypassing any existing VPN or proxy settings, and potentially leaking the user"s real IP address directly to the attacker.
When you have a feature built for privacy, people will inevitably find a way to abuse it. Attackers can share these malicious links in channels or direct messages, making them look completely benign. They use the format below.
https://t.me/proxy?server=[proxy IP address/hostname]&port=[proxy_port]&secret=[MTProto_secret] An X account, 0x6rss, demonstrated how the secret parameter in the URL does not even matter, as the connection attempt happens regardless, similar to how NTLM hash leaks can occur on Windows.
ONE-CLICK TELEGRAM IP ADDRESS LEAK!
— 0x6rss (@0x6rss) January 10, 2026
In this issue, the secret key is irrelevant. Just like NTLM hash leaks on Windows, Telegram automatically attempts to test the proxy. Here, the secret key does not matter and the IP address is exposed.
Example of a link hidden behind a… https://t.co/KTABAiuGYI pic.twitter.com/NJLOD6aQiJ
MTProto allows the use of proxies for legitimate reasons. Telegram introduced its custom MTProto proxy system in 2018 to help users bypass internet censorship in restrictive countries. The feature works by relaying encrypted data to and from Telegram"s servers.
When BleepingComputer reached out to Telegram for comment, a spokesperson said that any proxy operator can see the IP address of people who connect to it and that this is not unique to Telegram. After being pressed, the spokesperson promised that a warning would be added to proxy links so users can be more aware of disguised links. Telegram did not say when it would roll out this fix.
Meanwhile, the platform recently introduced a major visual update for its iPhone users, bringing "Liquid Glass" and a whole new set of animations. There is also a new AI feature, powered by a decentralized network called Cocoon, that can generate summaries of long posts within channels.