Longer underground channel lifespans are mirrored by sharply higher blocking rates, prompting fraudsters to explore alternatives. Modern messengers such as WhatsApp, Telegram, Signal and others are now often used for illicit activities. Kaspersky Digital Footprint Intelligence conducted in-depth monitoring of more than 800 blocked cybercriminal Telegram channels between 2021 and 2024. While a range of illegal activities continues to be hosted on the platform, its environment has “become more challenging for sustained underground operations.”
Telegram’s bot framework and other built-in features “make for a low-effort ecosystem for the underworld.”
A single bot can manage queries, “process cryptocurrency payments, and instantly deliver stolen bank cards, info-stealer logs, phishing kits, or DDoS attacks to hundreds of buyers per day, often without operator involvement.”
Unlimited, non-expiring file storage eliminates the “need for external hosting when distributing multi-gigabyte database dumps or stolen corporate documents.”
This automation favors high-volume, low-price, “low-skill offerings, such as leaked bank cards or other data, hosting malware, etc.”
High-value, trust-dependent deals (for example, so-called zero-day vulnerability information) still remain “on reputation-gated dark-web forums.”
Kaspersky researchers found two “clear trends related to illegal activities on Telegram.”
The average lifespan of shadow channels has “increased, with the proportion of channels surviving over 9 months more than tripling in 2023–2024 compared to 2021–2022.”
At the same time, Telegram’s blocking activity has “risen significantly.”
Monthly takedown figures recorded since October 2024 – even at their lowest – are comparable to the “peak levels seen throughout 2023, and the overall pace has continued to accelerate in 2025.”
This reportedly impedes “malicious activities.”
Other disadvantages of Telegram for cybercriminals include the “lack of default end-to-end (E2E) encryption for chats, the inability to use their own servers for communication (due to the messenger’s centralized infrastructure), and closed server-side code, which makes it impossible to verify its functionality.”
As a result, more established underground communities, such as the nearly 9,000-member BFRepo group and the Angel Drainer malware-as-a-service operation, have begun “shifting primary activity to other platforms or proprietary messengers, citing repeated disruptions of their activities on Telegram.”
Vladislav Belousov, Digital Footprint Analyst at Kaspersky, said:
“Fraudsters find Telegram a convenient tool for many malicious activities, but the risk-reward balance is clearly shifting. Channels are managing to stay online longer than a couple of years ago, yet the dramatically higher volume of blocks means operators can no longer count on long-term stability. When a storefront or service disappears overnight – and sometimes reappears only to be removed again weeks later – building a reliable business becomes much harder. We’re starting to see the early stages of migration as a direct consequence.”