Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Redazione RHC : 12 December 2025 07:31
Telegram, which over the course of its history has become one of the most popular messaging apps in the world, is gradually losing its status as a convenient platform for cybercriminals.
Kaspersky Lab analysts have monitored the lifecycle of hundreds of underground channels and concluded that stricter moderation is literally excluding the underground from the messaging app.
Experts point out that Telegram is inferior to dedicated secure messaging apps in terms of privacy protection: chats do not use end-to-end encryption by default, the entire infrastructure is centralized, and the server code is closed.
While this probably won’t pose a significant problem for the average user, it does mean dependency on third parties and the risk of deanonymization for criminals . It’s no coincidence that proposals to completely ban Telegram for business reasons are increasingly common on underground forums.
However, it is precisely the service’s built-in features that make it a convenient business platform for criminals.
Bots handle order acceptance and payment, sell infostealer logs, MaaS subscriptions, doxxing services, credit card fraud, and other minor online scams . This “lean” and highly automated criminal activity fits perfectly with the Telegram model : the owner is largely uninvolved in operations, and files posted to channels are archived indefinitely.
However, exclusive products— access to corporate networks, zero-day exploits —remain on traditional darknet forums with reputation systems, deposits, and transaction guarantees.
A separate section of the study is dedicated to the lifespan of underground channels. Based on data from over 800 blocked resources, analysts estimated their average lifespan at around seven months. However, the median has increased: while in 2021-2022, a channel lasted an average of five months, in 2023-2024 it reached nine. This does not mean that persecution has decreased: the blocking graph shows a sharp peak in 2022, linked to hacktivist activity, and consistently high levels until mid-2025. Even the lows at the end of 2024 are comparable to the peaks of 2023.
Cybercriminals are trying to adapt: they switch channels on demand, post “harmless” messages to disguise their identities, and annotate posts with disclaimers and statements about the legality of the content. However, a long-term analysis of resources shows that these measures are applied sporadically and generally fail to prevent blocking.
As a result , large communities are starting to look for alternatives. For example, in 2025, one of the largest groups, BFRepo , with nearly 9,000 members, announced its switch to the decentralized messenger SimpleX after a series of Telegram bans. Another well-known group, Angel Drainer, went even further and launched its own closed messenger with supposed support for modern cryptographic protocols, while simultaneously recommending users to abandon Telegram.
The report’s authors conclude unequivocally: Telegram once seemed like a relatively safe haven for criminals, but that era is coming to an end. Increased moderation and pressure from various actors, from copyright holders to hacktivist groups, are making the messenger’s underground infrastructure increasingly unstable.
However, the disappearance of underground channels from Telegram does not mean a reduction in cyber threats: criminal communities are simply migrating to other services or developing their own solutions . Analysts urge companies and cybersecurity specialists to closely monitor the platform migration and adapt their monitoring systems to new hotbeds of cybercriminal activity.
Redazione