Telegram

Telegram remains the undisputed leader in cybercriminal communications, with recent analysis revealing over 80 million unique identifiers and links to Telegram channels shared across underground forums, a figure exceeding competitors like Discord (2.8 million links) and Session (450,000 IDs). 

While recent arrests and policy changes prompted speculation about platform migration, analysis of 1.2 billion data points shows Telegram’s infrastructure continues supporting sophisticated operations ranging from ransomware coordination to stolen data markets through its API-driven bot ecosystem and 4GB file-sharing capabilities.

The platform’s persistence highlights the complex balance between operational security (OPSEC) and functionality in underground communications. 


Despite Telegram’s MTProto 2.0 protocol lacking independent cryptographic verification, its combination of cloud-synced messages, username-based contact systems, and desktop client modifications (like custom encryption layers) makes it indispensable for criminal operations requiring both accessibility and basic anonymity.

Telegram as the #1 Messenger Used by Cybercriminals

Flare’s cluster analysis reveals that 78% of high-profile ransomware operators maintain Telegram channels for public negotiations while using Tox (qTox-1.18.3-mod) for sensitive communications. 

This multi-app strategy exemplifies the layered security approach prevalent in advanced persistent threat (APT) groups.

According to dark web forum mentions, Telegram CEO Pavel Durov’s detention in France in August 2024 initially caused a 23% surge in Signal protocol adoption. 

However, Flare’s telemetry shows actual Signal usage plateaued at 4.3% of total criminal communications by January 2025, with most migrants returning to Telegram after its September 2024 transparency report revealed only 0.4% of surveillance requests came from democratic governments.

Unique Communication is posted for each platform 

Critical infrastructure remains concentrated in Telegram channels like “HiddenMarket_Reloaded” (118,000 subscribers) and “LockBit_Official” (92,000 subscribers), which have implemented counter-forensic measures:

  • Message auto-deletion: msg.delete(revoke=True) in Telegram API batches.
  • Geofenced access: NGINX rules blocking non-Tor traffic.
  • Dynamic authentication: Python scripts randomizing 2FA intervals.

Number of published links/IDs for various messaging apps on cybercrime forums in 2024
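
Per-platform figures like these rest on extracting and de-duplicating messenger links and IDs from forum post text. The sketch below is an added example, not code from Flare or from the original article, showing one way a threat-intelligence team could run that tally; the regular expressions, function names and sample posts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed patterns for illustration; bare @handles are skipped because they are
# ambiguous across platforms. (?<![\w.]) stops matches inside other hostnames.
PATTERNS = {
    "telegram": re.compile(r"(?<![\w.])(?:https?://)?(?:t|telegram)\.me/(?:s/)?"
                           r"(joinchat/[\w-]+|\+[\w-]+|[A-Za-z]\w{4,31})", re.A),
    "discord": re.compile(r"(?<![\w.])(?:https?://)?discord(?:\.gg|(?:app)?\.com/invite)/"
                          r"([A-Za-z0-9-]{2,32})", re.A),
    "session": re.compile(r"\b(05[0-9a-fA-F]{64})\b"),  # 66 hex chars, 05 prefix
    "tox": re.compile(r"\b([0-9a-fA-F]{76})\b"),        # key + nospam + checksum
}

def tox_checksum_ok(hex_id):
    """Tox IDs end in a 2-byte XOR checksum over the first 36 bytes."""
    raw = bytes.fromhex(hex_id)
    check = [0, 0]
    for i, b in enumerate(raw[:36]):
        check[i % 2] ^= b
    return bytes(check) == raw[36:]

def normalize(platform, ident):
    if platform == "telegram":
        # Public usernames are case-insensitive; invite hashes are not.
        return ident if ident.startswith(("+", "joinchat/")) else ident.lower()
    if platform in ("session", "tox"):
        return ident.lower()  # hex is case-insensitive
    return ident  # Discord invite codes are case-sensitive

def extract_ids(posts):
    """Return {platform: set of unique normalized identifiers} for the posts."""
    found = defaultdict(set)
    for text in posts:
        for platform, rx in PATTERNS.items():
            for m in rx.finditer(text):
                if platform == "tox" and not tox_checksum_ok(m.group(1)):
                    continue  # random 76-char hex blob, not a Tox ID
                found[platform].add(normalize(platform, m.group(1)))
    return dict(found)

# Constructed sample posts (no real channels or IDs).
TOX_GOOD = "AB" * 32 + "DEADBEEF" + "6042"
TOX_BAD = "AB" * 32 + "DEADBEEF" + "0000"
SAMPLE_POSTS = [
    "Support: https://t.me/Example_Shop mirror t.me/example_shop",
    "Join t.me/+AbCdEf123456 or discord.gg/Qw3rTy, not cat.me/nothing",
    f"session 05{'ab' * 32} tox {TOX_GOOD} junk {TOX_BAD}",
]
```

Validating the Tox checksum and normalizing case before de-duplication keeps hash-like hex strings and re-posted links from inflating the unique count.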

Platform Specialization in Cybercrime Subsectors

Analysis of 4.7 million forum posts shows clear platform specialization. The @InfostealerBot ecosystem on Telegram alone processes 12,000+ stolen credentials daily through automated workflows combining sqlmap injections and Telegram’s InlineQuery feature. 

Meanwhile, XSS forum analysis reveals Tox users employ toxencryptsave library modifications to implement military-grade OPSEC.

Despite Interpol’s Operation Darknet 2025 seizing 34 Telegram-based carding groups, the platform’s distributed architecture allows rapid reconstitution through backup channels.

Forensic analysis of seized devices shows advanced actors now combine Telegram with self-hosted Matrix instances (synapse-admin 1.80) using modified Olm cryptographic implementations. 

This hybrid approach complicates wiretapping efforts while maintaining Telegram’s convenience for low-tier operators.

With Telegram’s upcoming update promising quantum-resistant encryption via PQXDH protocol, the cat-and-mouse game between cybercriminals and investigators appears set to intensify through 2026. 

However, the platform’s established position in criminal workflows suggests any migration would require not just superior security but replication of its unique ecosystem of bots, channels, and frictionless onboarding.

Telegram Response

“Telegram actively combats illegal content on its platform. Moderators empowered with custom AI and machine learning tools proactively monitor public parts of the platform and accept reports in order to remove millions of pieces of harmful content each day.”

“Telegram bans accounts found to be breaching its terms of service. Unlike other email-based platforms, Telegram accounts must be connected to an active phone number. As a result, it is significantly more difficult and more expensive to reoffend on Telegram. In addition, Telegram can provide the IP addresses and phone numbers used by criminals to police,” Remi, a Telegram spokesperson, shared with Cyber Security News.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.