SLOVENLY COMET hackers are terrorizing Latin Americans with a new trick.

A few weeks ago, Argentine users began reporting strange incidents of Telegram account breaches to cybersecurity experts. What made the situation unusual was that the account takeovers didn’t require any action from the victims. The attacks were successful even against those who strictly followed basic digital security rules.
An investigation revealed that these were not isolated incidents. The attackers were specifically targeting members of certain groups, primarily connected to Argentina’s cryptocurrency communities. In every case, the hackers deliberately triggered the sending of SMS messages containing two-factor authentication codes. Following this, identical login entries appeared in activity logs:

A thorough analysis of the collected data traced the earliest attacks back to February 7 of this year. The hacking group was assigned the codename SLOVENLY COMET. Experts are urging anyone with information about these attackers to email: [email protected].
After reviewing several theories, an international team of researchers, working with local specialists, proposed a hypothesis involving the compromise of SMS gateways. Further analysis of evidence—screenshots, system logs, and leaked data—confirmed the suspicion. A Telegram bot was discovered that systematically intercepted messages containing authentication codes. Its archive contained tens of thousands of entries in the following format:

The authenticity of these records was confirmed by experts — the leak had been ongoing for several weeks without being detected.
The scale of the threat turned out to be far greater than initially estimated. Since most companies rely on several major SMS providers, the hackers gained access to authentication messages from many popular services: Google, Microsoft, Apple, Telegram, Facebook, Mercadolibre, Amazon, Binance, Betfun, Instagram, TikTok, Temu, and Signal. The attack also affected regional services such as Mercado Pago, Mi Argentina (Argentina), Banco Formosa (Uruguay), and TRANSVIP (Chile). Overall, at least 50 different platforms were impacted.
The breach was found in a fundamental component of the SMS service infrastructure. All relevant organizations, telecom operators, and government agencies have been notified. An investigation is currently underway, and countermeasures are being developed.
Additional details are expected in the coming days, as affected companies prepare reports on their own investigations. In the meantime, developers are advised to stop enforcing SMS-based two-factor authentication — this method’s vulnerability to interception attacks has been known for over a decade. Instead, users should be offered reliable alternatives such as authenticator apps or hardware keys.
Users are also advised to review their device security settings and report any suspicious activity to law enforcement.