New Delhi: Telegram, once a preferred hub for cybercriminal activity, is increasingly becoming inhospitable for underground operators. According to Kaspersky Digital Footprint Intelligence, which monitored over 800 blocked cybercriminal Telegram channels between 2021 and 2024, the platform’s environment has grown more challenging for sustained illicit operations despite its low-effort ecosystem.
Telegram’s bot framework and built-in features have long enabled frictionless automation for the underground. A single bot can process cryptocurrency payments, manage queries, and instantly deliver stolen bank cards, phishing kits, or DDoS services to hundreds of buyers daily. Unlimited file storage further facilitated distribution of stolen corporate documents and massive database dumps. This model favored high-volume, low-skill offerings, while high-value trades such as zero-day vulnerabilities remained confined to reputation-gated dark-web forums.
Kaspersky researchers identified two major trends. First, the average lifespan of shadow channels has increased, with the proportion surviving beyond nine months tripling in 2023–2024 compared to 2021–2022. Second, Telegram’s blocking activity has surged. Monthly takedowns recorded since October 2024 — even at their lowest — matched peak levels of 2023, with the pace accelerating further in 2025. This heightened blocking has disrupted malicious storefronts and services, undermining long-term stability for operators.
Additional disadvantages for cybercriminals include Telegram’s lack of default end-to-end encryption, reliance on centralized infrastructure, and closed server-side code that prevents independent verification. These limitations, combined with repeated disruptions, have prompted several underground groups — including the 9,000-member BFRepo and the Angel Drainer malware-as-a-service operation — to migrate to alternative platforms or proprietary messengers.
“Fraudsters find Telegram a convenient tool for many malicious activities, but the risk-reward balance is clearly shifting. Channels are managing to stay online longer than a couple of years ago, yet the dramatically higher volume of blocks means operators can no longer count on long-term stability. When a storefront or service disappears overnight – and sometimes reappears only to be removed again weeks later – building a reliable business becomes much harder. We’re starting to see the early stages of migration as a direct consequence,” said Vladislav Belousov, Digital Footprint Analyst at Kaspersky.
To help users and organizations stay protected, Kaspersky recommends reporting illicit channels and bots to accelerate community-driven moderation, and using multiple sources of Threat Intelligence — spanning surface, deep, and dark web resources — to remain aware of threat actor tactics, techniques, and procedures.