Goodbye, dark Telegram: Blocks are pushing the underground out

Telegram has won over users worldwide, and cybercriminals are no exception. While the average user chooses a messaging app based on convenience, user experience and stability (and perhaps, cool stickers), cybercriminals evaluate platforms through a different lens.

When it comes to anonymity, privacy and application independence – essential criteria for a shadow messaging app – Telegram is not as strong as its direct competitors.

  • It lacks default end-to-end (E2E) encryption for chats.
  • It has a centralized infrastructure: users cannot set up their own servers for communication.
  • Its server-side code is closed: users cannot verify what it does.

This architecture requires a high degree of trust in the platform, but experienced cybercriminals prefer not to rely on third parties when it comes to protecting their operations and, more importantly, their personal safety.

That said, Telegram today is widely viewed and used not only as a communication tool (messaging service), but also as a full-fledged dark-market business platform – thanks to several features that underground communities actively exploit.

In this research, we examine Telegram through the eyes of cybercriminals, evaluate its technical capabilities for running underground operations, and analyze the lifecycle of a Telegram channel from creation to digital death. For this purpose, we analyzed more than 800 blocked Telegram channels that existed between 2021 and 2024.

Key findings

  • The median lifespan of a shadow Telegram channel increased from five months in 2021–2022 to nine months in 2023–2024.
  • The frequency of blocking cybercrime channels has been growing since October 2024.
  • Cybercriminals have been migrating to other messaging services due to frequent blocks by Telegram.

You can find the full report on the Kaspersky Digital Footprint Intelligence website.
