
This blog was edited on July 7, 2025, with updated information.
Since its launch in 2013, Telegram has positioned itself as a privacy-first messaging app offering encrypted voice and video calls, group functionality, and powerful file-sharing capabilities.
Its sleek design and emphasis on user security have attracted millions worldwide — including a growing population of cybercriminals. With anonymous registration, limited oversight, and the ability to reach huge audiences through channels and groups, Telegram has become a go-to platform for digital fraud, black-market transactions, and organized cybercrime. What began as a tool for secure communication is now a bustling underground hub for malicious activity.
What is Telegram?
Telegram is a messaging application known for its security. The app is able to encrypt voice calls, video calls, and voice chats. Telegram allows users to communicate with large groups of people, either by creating groups for up to 200,000 people, or by creating channels capable of broadcasting to and sharing files with an unlimited audience.
Telegram also offers “secret chats,” which provide end-to-end encryption and a self-destruct timer for messages and files, and which prevent forwarding of messages. With enhanced security features like these, as well as the ability to easily share large files, Telegram has become a favorite app for scammers, hackers, and other cybercriminals.
The recent arrest of its CEO hasn’t changed Telegram’s status as a haven for cybercriminals. Some threat actors expressed concerns when Pavel Durov was arrested in August 2024 and the company subsequently announced it would be working more closely with law enforcement, but Telegram is still the most popular messaging app for cybercrime.
Cybercrime on Telegram
There’s one big reason for Telegram’s popularity among criminals: it’s easy. Like most apps, Telegram is designed to be lightweight and intuitive; anyone who is familiar with other messaging apps will likely have no problem navigating Telegram.
The bar for entry is low and anonymous; all a user needs is a phone number to sign up. Threat actors can easily distribute their own stealer logs, malware and other threats without the need to pay escrows on traditional dark web marketplaces. Telegram users can quickly create new accounts or rename existing accounts, and because it doesn’t offer a centralized view of an account’s activity, it is extremely challenging for law enforcement to track individual threat actors across forums and marketplaces.
For those interested in setting up a cybercrime community, it’s simple and quick to create a channel or a group. This is in stark contrast to the dark web, where a site or a forum might take days or weeks to set up.
Channels are also set up to be searchable. For new users interested in cybercrime, that means they can immediately search hundreds of fraud and cybercrime channels, many with names that include keywords related to specific types of cybercrime, like “malware,” “CCV,” or “RAT.”
Simple as it is to navigate, it’s not easy to track criminal activity on Telegram. While the dark web is monitored by law enforcement and government agencies, that’s not always the case on Telegram, which acts as a decentralized forum for criminals. If threat actors believe a channel has been infiltrated, it can be deleted and replaced in minutes.
Telegram is used for almost every type of cybercrime. Below are a few of the most common:
A criminal community
Threat actors need a community too. Telegram groups are often used by criminals as a base of operations. Threat actors routinely use the app to discuss tactics for attacks, share information, and talk about the tools they use.
The malware economy
Not every cybercriminal has the coding expertise to build their own malware, and for some, it’s more cost-effective to simply buy it. Some Telegram groups and channels act as a marketplace for malware code. Many channels specialize in selling specific variants of malware, such as infostealers and ransomware. Threat actors develop the code, sell it to other criminals, and it is then used in an attack against individuals or organizations.
A marketplace for stolen data
When passwords, credit card numbers, or other sensitive information is stolen in a data breach, there’s a good chance that information will show up on Telegram. Threat actors routinely use Telegram to distribute and sell stolen credentials and other information. For example, criminals often use Telegram to sell stealer logs, files that contain millions of unique credentials that malware victims had saved in their browsers.
What is Telegram Fraud?
Telegram fraud refers to any malicious or deceitful activity that takes place on the Telegram messaging app. The rise of Telegram fraud and cybercrime is due in part to the ease of channel creation and user anonymity of the app. Compared to a traditional dark web site on Tor which may take days or weeks to set up, Telegram channel and group creation takes seconds.
Threat actors have also been using Telegram for distributing infostealer malware logs, files that contain millions of unique credentials that malware victims had saved in their browsers. As cybercrime continues to proliferate on Telegram it is becoming increasingly critical for organizations to build an effective monitoring approach.
The types of fraud conducted on the app can often include financial scams, phishing attempts, and other types of activity targeting users to provide their personally identifiable information (PII). In addition, Telegram has become a hotbed for selling malware, discussions of cybercrime and other high-risk activity.

How Threat Actors Use Telegram to Conduct Fraud
There is plenty of crime on Telegram, but Telegram fraud is in its own category.
Telegram fraud is any malicious or deceitful activity that takes place on Telegram and uses the app's features (anonymous accounts, encrypted messaging, and large group channels) to commit fraud. It can take many forms, but some of the most common include:
Phishing scams
Threat actors often execute their phishing scams by creating fake websites or login pages. These lookalike sites imitate popular services such as banks, cryptocurrency exchanges, or other financial institutions. In some cases, links to malicious websites are shared on Telegram as well.
Romance and emotional manipulation scams
Romance scams have been around for centuries. Long ago, scammers used ads in the newspaper to ensnare victims. Now they use Telegram. In some cases, scammers will initially reach out to victims on Facebook, then move their conversations to Telegram where they escalate the scam in a more anonymous setting, asking for money and bilking victims out of thousands of dollars.
Cryptocurrency scams
Get-rich-quick scams have always been a staple of con artists, and it’s no different on Telegram. Fake channels and bots promise victims guaranteed returns on cryptocurrency investments. They may show fake testimonials or payment screenshots to appear legitimate, and then encourage victims to move money in ways that are difficult for law enforcement to trace.
Marketplace fraud
Some Telegram groups act as black or gray markets, not just for stolen data, but for anything. However, the trouble with an unregulated market is just that — it’s not regulated. Scammers take advantage of this, advertising goods or services, taking payment, and disappearing without delivering anything. In some cases, the scammers may be scamming one another.
Malware Deployment
Threat actors may use Telegram to distribute malware code, such as infostealer malware and ransomware, to other threat actors who then deploy it against consumers and companies. Many channels specialize in selling different variants of ransomware and malware to other actors. We have also seen a limited number of threat actor groups using Telegram as their primary meeting place.

Anonymous Accounts & Activity
A key draw of Telegram is the anonymity and encryption that the application offers. Users can easily sign up with a phone number and can quickly search hundreds of fraud and cybercrime channels, many with names like “FRAUD CHANNEL,” making it easy for threat actors to find what they are looking for. In addition, compared to dark web forums, Telegram lets users quickly create new accounts and rename existing ones, and it doesn’t offer a centralized view of an account’s activity, making it extremely challenging to track individual threat actors across forums and marketplaces.
Telegram Fraud: What Threat Actors Find Appealing
Many people wonder what makes Telegram an appealing venue for cybercrime discussions. Aside from the popularity of the app, one of the main reasons Telegram and other online messaging apps appeal to scammers is how quickly and easily channels and rooms can be set up, and the fact that if threat actors believe a channel has been infiltrated, it can be deleted and replaced in minutes.
While messaging apps have made it easier for us to connect socially, they have also opened the door for thieves to steal from consumers and businesses without much recourse. Some other reasons why Telegram fraud can be appealing to threat actors include:
- It is borderless – Telegram is an international messaging platform, so it is easy to connect with someone in any country or region. This allows cybercriminals to communicate with other threat actors globally.
- Users can remain anonymous – the app is also focused on anonymity and end-to-end encrypted messaging, and it allows users to create anonymous accounts. This can make it challenging for law enforcement to identify and arrest the perpetrators. This anonymity provides a safe haven for cybercriminals to engage in their fraudulent activities without fear of being caught or of retribution.
- It is user-friendly – Telegram is ultimately a user-friendly app that facilitates both group conversations and channels, while also enabling P2P encrypted messaging. This makes it particularly appealing to actors who may be tired of the laborious setup required to create a dark web forum or market.
- Actors can employ a direct-to-consumer model of crime – Threat actors can easily distribute their own stealer logs, malware, and other threats without the need to pay escrows on traditional dark web marketplaces.
How Can Your Security Team Prevent Telegram Fraud?
Telegram’s original mission may have centered on free, private communication, but today it also serves as fertile ground for fraud, data theft, and digital deception. Its ease of use, anonymity, and massive reach make it attractive not only to legitimate users, but also to cybercriminals looking to scale their operations quickly and quietly.
While the recent arrest of Telegram’s CEO and increased collaboration with law enforcement have raised questions about the platform’s future, its role in the cybercrime ecosystem remains significant. As Telegram continues to evolve, so too does the need for greater awareness of how its features can be exploited — and what individuals and organizations can do to protect themselves.
1. Establish robust monitoring for relevant cybercrime channels: Flare’s platform automates monitoring and archiving over 4,000 Telegram channels, creating a vast historic database for cybercrime activity.
2. Ensure that your vendor is monitoring stealer logs: If you employ a cybersecurity vendor, make sure that they are actively monitoring channels providing stealer logs, including hidden and private channels.
3. Avoid clicking on links or downloading files from unknown sources: In general, the use of strong passwords and multi-factor authentication will reduce your risk of being victimized. Building strong security policies for your organization can help prevent threats from Telegram as well.
Telegram Monitoring with Flare
Flare provides the leading Threat Exposure Management (TEM) solution for organizations. Our technology constantly scans the online world, including the clear & dark web, to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to improve security. Flare monitors and archives tens of thousands of Telegram channels, enabling your security team to boost your company’s security posture by automating these processes.
Our solution integrates into your security program in 30 minutes to provide your team with actionable intelligence and automated remediation for high-risk exposure. See it yourself with our free trial.