
This article was updated on August 4, 2025 with updated information.
Illicit Telegram channels have become a growing concern in the realm of cybercrime.
Threat actors want to connect with each other in fast, reliable, and “anonymous” ways. Telegram has been their answer, and malicious actors are increasingly moving off of Tor and onto the instant messaging platform.
Flare CMO Eric Clay and CTO & Co-Founder Mathieu Lavoie talked about the realm of unauthorized Telegram channels, along with the diverse methods cybercriminals employ to conduct their nefarious activities. Check out our full webinar recording, The New Dark Web?: Illicit Channels and their Impact on Cybersecurity, and/or keep reading for the highlights.
Relationship Between Telegram and the Dark Web
Traditional dark web marketplaces found on Tor serve as a (partially) trusted middleman between vendors and buyers, with built-in escrow services. Telegram, on the other hand, has thousands of individual channels that are “direct to consumer”: vendors sell stolen credit cards, combolists, leaked credentials, and infected devices directly to other cybercriminals. In this model, reputation is everything.
Compared to marketplaces on the traditional dark web, Telegram channels often specialize in selling specific classes of illicit goods such as combolists, configurations, and malware.
In addition, the channels serve as a backup method for communication that can sometimes be more reliable than traditional forums or discussion services. For example, law enforcement recently arrested the leader of Breach Forums and shut down the website. Telegram served as a backup channel for communication for Breach Forums moderators, as they assured users that they would continue operations.
Telegram and the dark web are closely intertwined, and the instant messaging platform fills gaps in dark web activities.
Telegram’s Role in Spreading MaaS
Telegram offers many functionalities and includes a fully functional API, allowing for bots and other more complex use-cases which can create automation capabilities not present on traditional Tor marketplaces. This enables threat actors to seamlessly sell subscriptions to channels, automatically deliver purchased data, and even leverage Telegram channels as command and control infrastructure for malware.
These functionalities make Telegram the preferred choice for many (if not most) threat actors. High degrees of automation, lax moderation, and end-to-end encryption create the perfect environment for a vast underground economy.
A Sign of Telegram’s Resilience
Things change quickly in the world of cyber crime, and apps come and go all the time. So does Telegram, which was founded in 2013, still play a prominent role in the criminal underworld?
Many suspected that users would flock to other platforms following the arrest of its founder, Pavel Durov, by French authorities in 2024. The arrest was presumably prompted by Telegram’s high tolerance for illicit activities. Soon afterward, Telegram announced it would make policy changes and begin working more closely with law enforcement, even agreeing to turn over IP addresses of suspected cyber criminals.
These changes prompted many Telegram users to announce they would leave the platform for alternatives like Discord, Signal, Tox, or Session. Faced with a user exodus and mounting scrutiny from law enforcement, Telegram could have faded into obscurity—or at least migrated away from criminal activity. However, all signs suggest the status quo remains unchanged as Telegram continues to be as popular as ever with threat actors of all kinds.
Why Telegram Remains So Popular
We will look more closely at the numbers below, but let’s first consider why the malicious actor community has not left Telegram in significant percentages.
First of all, even though Telegram has been significantly more cooperative with authorities, such as by taking steps to remove illicit channels, the increase is still small. The vast majority of illicit channels have not been removed. Users still have easy ways to bypass Telegram’s policy changes. Plus, Durov has once again taken an adversarial stance in public communications, suggesting his, and his company’s, commitment to oversight may be temporary. When it comes to cybercrime, Telegram is still open for business.
The second reason hackers haven’t left Telegram is that none of the alternatives compare. The same features that made Telegram appealing in the first place—scale, simplicity, secrecy—are still available and still superior to most other platforms. Plus, Telegram still has perhaps the largest number of threat actors collected in one place. For threat actors that want to connect with as many buyers, sellers, or collaborators as possible, quickly and easily, nothing else compares to Telegram—not even the dark web itself.
That could of course change, whether due to pressure from authorities or challenges from competitors. Still, it’s a true sign of Telegram’s resilience that the billionaire founder was arrested—an aggressive move on the part of the French government—yet Telegram looks almost identical to before.
Our Research Into Cybercrime on Telegram
Flare has been monitoring threat actors and collecting threat intelligence that gives unparalleled insight into the criminal underworld. We have been closely tracking Telegram activity for years, giving us a unique ability to compare activity before and after Durov’s arrest. Our research confirms that little has changed on Telegram; it remains as active and dangerous as ever, with few signs of things slowing down.
These are some of the key takeaways from our research:
- Over 77 million posts with Telegram links/IDs were shared on cyber crime forums or channels in 2024. Discord was in distant second place with just 2 million.
- The number of Telegram links/IDs being shared since August 2024, when Durov was arrested, is as high as, or often higher than, before that date.
- More posts contain links/IDs to Telegram than any other platform by orders of magnitude.
- Most threat actors with a presence on other channels are also on Telegram, suggesting that users have not left the platform but rather expanded to others.
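A minimal sketch of how a per-platform count like the ones above can be produced, added here as an illustration and not Flare's code or methodology. The regex patterns, the sample posts, and the cutoff date are all assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import date

# Illustrative patterns (assumptions): invite/profile links plus
# "telegram: @handle" style IDs. The lookbehind keeps "intranet.me/x"
# from being counted as a t.me link.
PATTERNS = {
    "telegram": re.compile(
        r"(?<![\w.-])(?:https?://)?(?:t\.me|telegram\.me)/(?:joinchat/|\+)?[\w-]{3,}"
        r"|\b(?:telegram|tg)\s*[:\-]?\s*@\w{5,32}", re.I),
    "discord": re.compile(
        r"(?<![\w.-])(?:https?://)?(?:discord\.gg|discord(?:app)?\.com/invite)/[\w-]+",
        re.I),
}

# Constructed sample posts (date posted, text); not real forum data.
SAMPLE_POSTS = [
    (date(2024, 6, 3), "fresh combolist, contact t.me/example_seller_01"),
    (date(2024, 7, 19), "shop moved: https://t.me/+AbCdEfGh1234 backup discord.gg/exampleinv"),
    (date(2024, 9, 2), "support on Telegram: @example_support"),
    (date(2024, 10, 11), "new channel https://telegram.me/example_channel"),
    (date(2024, 11, 5), "join https://discord.gg/example2"),
    (date(2024, 12, 1), "email me at admin@example.com"),  # no platform reference
]
CUTOFF = date(2024, 8, 1)  # assumption: start of the month named in the article


def platforms_in(text):
    """Return the set of platforms that one post references."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def count_posts(posts, cutoff):
    """Count posts per platform, split into before and after the cutoff date."""
    counts = {"before": Counter(), "after": Counter()}
    for posted, text in posts:
        period = "after" if posted >= cutoff else "before"
        counts[period].update(platforms_in(text))  # one count per post per platform
    return counts


if __name__ == "__main__":
    for period, tally in count_posts(SAMPLE_POSTS, CUTOFF).items():
        print(period, dict(tally))
```

Counting posts rather than individual matches keeps a single post that repeats the same link from inflating a platform's total.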
What’s the Future of Telegram?
Some signs indicate that Telegram is reforming its ways and committing to work with law enforcement much more extensively than before. Other signs suggest that Telegram has little desire to change, and they’ve done nothing thus far to spark a mass exodus from the platform. So what’s the future of Telegram? Will it get better or worse in terms of cybercrime?
To predict the answer, it helps to consider the relationship of Telegram to the dark web. We have previously called Telegram the social media of the dark web. The advent of social media helped make the original internet more accessible, digestible, and valuable to people who preferred to stay on one website rather than navigate through a vast information ecosystem. Similarly, Telegram makes it more convenient for threat actors to find, connect, and collaborate with each other compared to congregating somewhere on the dark web.
Telegram remains the king of cybercriminal social networks, with more reach than any other, making it hard for hackers to leave Telegram and lose all those connections. Controlling what happens on Telegram, even with extensive moderation, takes massive amounts of effort to catch a small amount of illegal material/activity. Combine that with Telegram’s natural tendency towards privacy and permissiveness, and it’s impossible not to reach a simple conclusion: The forces pushing Telegram to stay the same are much stronger than the forces pushing it to change.
Bottom line: Telegram may be evolving, but it will still be the center of the cyber criminal world into the foreseeable future.
Telegram Monitoring Best Practices
1. A threat intelligence solution can provide comprehensive Telegram coverage.
Security analysts can gain valuable information about external threats through monitoring Telegram. For example, they could learn about new risks, geopolitical context that impacts their cyber risk profile, and targeted companies or industry verticals.
2. Automation supports monitoring of relevant channels.
With the sheer volume of Telegram channels, manual monitoring is impossible for full coverage of all relevant channels. Threat actors operate across thousands of channels and often create new channels, change their names, and merge channels, making automated approaches to monitoring much more effective.
Security teams can automate Telegram monitoring by finding a solution that covers both illicit Telegram and traditional Tor marketplaces.
3. Eliminating noise helps focus on what matters most.
Security teams can gain context and efficiently prioritize with actionable intelligence that improves key security metrics like mean time to detect (MTTD).
The Changing Face of Telegram Monitoring
Just because threat actors haven’t fled from Telegram doesn’t mean they haven’t changed their behavior since the crackdown on the platform. On the contrary, they are acutely aware that illicit channels are under more scrutiny and their identity could be turned over to law enforcement. They’re dealing with that risk by using more secrecy and subterfuge on Telegram while also ensuring they have backups elsewhere.
For companies that currently practice Telegram monitoring or plan to soon, this has several implications. It underscores the need for automation to monitor massive (and growing) amounts of illicit conversations, as well as machine learning to find patterns, trends, and connections that would otherwise be invisible. It proves the need for human analysts who know the ins and outs of Telegram as well as the cyber criminals they’re tracking. Finally, it illustrates why Telegram monitoring must be complemented by threat hunting elsewhere on the internet in order to catch everything consistently.
Telegram Monitoring with Flare
Flare provides the leading threat intelligence solution for organizations. Our technology constantly scans the online world, including the clear & dark web, to discover unknown events, automatically prioritize risks, and deliver actionable intelligence you can use instantly to improve security. Flare monitors and archives thousands of Telegram channels, enabling your security team to boost your company’s security posture by automating these processes.
Our solution integrates into your security program in 30 minutes to provide your team with actionable intelligence and automated remediation for high-risk exposure. See what external threats on Telegram are exposed for your organization by signing up for our free trial.