
This article was updated December 22nd, 2025.
Telegram has long been a popular communication tool for cybercriminals. Free, encrypted, and fairly anonymous, Telegram has been home to several criminal forums and marketplaces for years. Telegram is particularly prolific in hosting stealer log distribution channels, which pose enormous risk to both enterprise organizations and consumers.
Recently, however, that looked like it might change. The 2024 arrest of Telegram CEO Pavel Durov raised concerns among threat actors. This was particularly true after an announcement that Telegram would be cooperating more closely with law enforcement by releasing the phone numbers and IP addresses of users suspected of criminal activity.
However, Telegram hasn’t stopped being a staple in the cybercrime ecosystem. It’s still the most popular messaging app in the criminal underground. This article explores why Telegram remains one of the most important data sources to monitor in 2026.
Why Do Cybercriminals Use Telegram?
Telegram is a messaging app with enhanced privacy and encryption features. The app runs on popular mobile and desktop platforms and syncs messages across all of a user's registered devices. Beyond private one-to-one conversations, Telegram users can subscribe to channels on which the owners publish content, or they can join groups in which all participants discuss topics.
Although cybercriminals mostly use a combination of messaging apps, our research shows that as of December 2025, Telegram is still the most-used communication tool among threat actors.
The Stealer Log Ecosystem on Telegram
Telegram is the number one platform used in the distribution of stealer logs, the artifacts of infostealer malware infections that contain a single user's credentials, session cookies, browser history, and other details of a device. In the 2020s, infostealer logs have become the primary vector for account takeover attacks against both enterprise organizations and consumers. A single stealer log can expose dozens of accounts across corporate SaaS tools, banking portals, and social media, making one infection a gateway to widespread compromise.
Illicit Telegram Groups Offer Better Anonymity
Cybercriminals doubt just how much anonymity they get when using dark web forums that administrators can easily monitor. While IP addresses and geolocations are hidden automatically through a special type of routing, there is the fear of being monitored by admins and having identities revealed. Telegram advertises that it is E2E encrypted and has no traditional admins monitoring its groups and one-to-one chats, which is attractive for anonymity.
Since the arrest of Pavel Durov, Telegram has started more actively cooperating with law enforcement, but compliance remains low. The sheer breadth of the cybercrime ecosystem creates challenges for law enforcement to focus and track actors across channels, and international jurisdictional challenges further complicate the picture.
Illicit Telegram Groups' Perceived Anonymity
Telegram offers end-to-end encryption for messages by default, which helps to avoid potential man-in-the-middle attacks that can snoop on messages in transit. Small groups in Telegram provide perceived anonymity, as they can be difficult for law enforcement and security teams to identify. Dark web forums and other dark web sites also have an encryption option, but threat actors need to use something like Pretty Good Privacy (PGP) to ensure encryption, which is less convenient.
Illicit Telegram Groups Offer More Resilient Operations
Another important factor is the way Telegram gives hacking groups and lone wolves a means of hardening their operations. The need to register a domain in order to offer services and tools for sale leaves threat actors' operations vulnerable to distributed denial-of-service (DDoS) attacks that can take them offline. Telegram channels bypass the requirement for a domain and ensure that cybercriminals can stay online as long as the Telegram service itself stays online.
Common Threats on Telegram
We see many of the same threats on illicit Telegram channels that we see on dedicated dark web markets and forums. In many cases threat actors have moved directly off more traditional Tor websites and onto Telegram, offering the exact same goods and services.
In other cases we've seen Telegram act as a backup for major dark web forums. For example, after the recent takedowns affecting multiple incarnations of Breach Forums, new Telegram channels rapidly appeared that allowed threat actors to maintain communication.
Infected Devices and Illicit Telegram Channels
Threat actors can buy and sell infected devices on established autoshops such as Russian Market, but they are more often found on Telegram. Telegram is the hub of the infostealer ecosystem: threat actors actively use it to distribute infostealer malware licenses and logs from infections, and even as backend infrastructure for infection campaigns.
Threat actors distribute stealer logs in various ways depending on the channel. In many cases they distribute older stealer logs for free while monetizing access to a private channel that contains fresher logs. This creates an attractive monetization opportunity for criminals in a busy ecosystem in which operations are easy to administer and expand.
Want to learn more about stealer malware? Read our report: Dissecting the Dark Web Stealer Malware Lifecycle with the MITRE ATT&CK Framework.
Illicit Telegram Channels and Stolen Credentials
There are billions of stolen credentials on the dark web. In the hands of a threat actor, these credentials can be abused to cause significant data breaches for individuals and organizations. Illicit Telegram channels are a common new vector that facilitates the routine distribution of stolen credentials. In some cases this may be for free and in other cases the credentials may be purchased through automated mechanisms on specific channels.

To learn more about Telegram channels and stolen credentials, check out our Threat Spotlights on compromised credentials and on leaked credentials and geography.
Illicit Telegram Channels and OTP Bots
Through one-time password bots (OTP bots), threat actors can try to collect 2FA codes from victims at scale. When we conducted a search in 2022 on Telegram for the terms “OTP Bot” and “2FA Bot,” we found 1,700 results. In 2025, these same terms provide over 1.1 million results.
There is active demand for OTP bots, as many of these results show activity within minutes of the query. Typically, threat actors first purchase access to bank account login credentials, then look for OTP bot availability in fraud-focused Telegram channels.

Threat actors typically use OTP bots for personal financial fraud rather than corporate. However, this method could be applied to corporate attacks. For example, if a data breach exposes corporate logins, a malicious actor could find those victims’ phone numbers through OSINT, then leverage that to solicit one-time passwords to bypass 2FA controls.
Want to learn more about OTP bots? Take a look at our Threat Spotlight: Illicit Telegram Markets and OTP Bots.
Will Telegram Make the Dark Web Redundant?
Despite Telegram's emergence as a new frontier of the dark web, cybercriminals will likely continue to use underground dark web forums. These forums offer a range of features that Telegram does not, such as built-in rating systems that let actors establish reputations. Telegram's previously hands-off approach and its refusal to cooperate with law enforcement have also changed, with the removal of several illicit channels and groups that had gathered many subscribers.
The dark web is unlikely to be abandoned as a cybercrime hub any time soon. Expect cybercriminals to split their operations between messaging apps and traditional underground forums and markets. Comprehensive monitoring requires coverage of both the dark web and messaging apps. Monitoring Telegram is more important than ever in 2026 as cybercriminals continue to make wide use of the application.
Will Threat Actors Leave Telegram for Other Messaging Platforms?
While cybercriminals are using other platforms, they’re unlikely to abandon the communities they’ve built on Telegram. There has been some migration, but so far only Signal seems to have benefited from the crackdown on Telegram. It is important to note, however, that criminals don’t stick to just one platform. Most criminals appear to be using Telegram as well as other messaging apps, and in fact they may change their messaging app depending on the data they are sharing.
All this is to say: old habits die hard. Just as Telegram hasn’t eliminated the dark web, other messaging services aren’t likely to eliminate Telegram.
Monitoring Illicit Telegram Activity with Flare
Flare's Threat Exposure Management (TEM) solution enables organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear and dark web and illicit Telegram channels 24/7 to uncover unknown events, prioritize risks, and deliver actionable intelligence you can use immediately to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial, or explore alternatives to other CTI platforms by looking at our Zerofox Competitors blog.