There were rumors that Megafon was leaking numbers. There was even an article on Habré, if my memory serves me right

I myself encountered a similar one.
I think the story here is completely different: this is not fraud and intruders, but "additional paid services" of the operator. Operators are actively friends with the so-called content providers, giving them the opportunity to deduct money from the subscriber account for downloading certain content, for example, for a picture, for a song, etc. Further, apparently, the friendship of content providers with file exchangers, there is nothing complicated here ...

I advise you to URGENTLY call Megafon and ask what paid services are connected.
Scheme: you climb into the Internet through a megaphone modem, on some fraudulent site a window pops up with any question, the answer is not important, you get it. SMS with a price of 450 rubles per month ... after a showdown with a vile service center, it turns out that when entering through a modem, it is enough to press a button in the dialogue to confirm the service. No confirmation SMS with a code.
PS Moreover, Megafon is clearly aware of it. when you start accusing them of complicity in fraud, they abruptly hang up at the call center. Another operator "suddenly" offered to share the losses with a megaphone, such as returning the money for half the "use" period.

Two years ago, Megafon allowed access to his personal account from his 3G Internet without a password, since the client itself was authenticated. However, a vulnerability was immediately revealed - by going to a malicious site, the client had the risk of being forcibly connected thanks to the scripts on this site, which accessed the personal account, to a paid service.
It's been "fixed".
However, I do not rule out that it is still possible, for example, to send SMS somewhere, being connected from the Megafon 3G Internet with substitution of the actual cell phone number (someone indicates the number of their robot as recipients and recognizes yours by the number of the SMS sender).
Or, alternatively, you could have an active session in your personal account.

I recently had such a situation with a deposit and Beeline. The only thing that saved me was that the beeline notifies its customers that they have connected a paid service. So there is a technical possibility, the only thing is the conscientiousness of the operator.

WapClick is such a WapClick
PS: no one canceled msisdn recognition