Telegram bans and takedowns are now extremely massive and frequent. Pavel Durov, the CEO, is apparently trying to clean up his act, but cybercriminal ecosystems aren’t shrinking – they’re adapting. And quickly.
These past few years have been difficult for Telegram. The platform has traditionally allowed all sorts of activities to take place on it, but dramatically increased enforcement last year.
Stricter moderation was rolled out after Durov was detained in France in late 2024, and the French plainly explained that his arrest was related to rampant cybercriminal activity – illicit transactions, images of child sexual abuse, drug trafficking, money laundering – on Telegram.
Durov is, of course, still railing about free speech and the need to battle alleged censorship. But in reality, Telegram has been increasing its enforcement.
The villains are adapting quickly
“Millions of channels were taken down, Telegram bans became frequent, automation was introduced, and transparency around enforcement reached an all-time high,” Check Point researchers say.
Last August, for example, Durov told his 10.7 million followers that Telegram was cracking down hard on scammers trying to blackmail other users.
In 2025 alone, more than 43.5 million Telegram channels and groups were blocked. Moderation activity has continued to accelerate into early 2026, with daily takedowns rising from a historical baseline of roughly 10,000 to 30,000 to a sustained 80,000 to 140,000, punctuated by peaks exceeding 500,000 takedowns in a single day.
Some critics think all this could be just a little show to appease investigators in France and other countries.
But Check Point researchers think that’s not necessarily the case, and that the crackdown is sincere. Despite this, cybercriminals keep evading takedowns and continue their shady operations on Telegram.
“Cybercriminal ecosystems on Telegram are not shrinking. These communities are adapting, and quickly,” an analysis found.
Progress is too easy a conclusion, researchers say, because the impact of the crackdown is more nuanced.
Rather than leaving Telegram, threat actors have evolved how they operate inside it.
For instance, only about 20% of blocked channels were linked to criminal activity like hacking services, and thousands of messages referencing blocked channels continue to circulate, especially via forwarded content that keeps criminal knowledge alive even after takedowns.
Not relying on a single asset or channel
Besides, channels may disappear, but communities – if they’re strong or patiently cultivated – reform quickly. Backups are actually pre-created for many of the channels at risk, so that the community is ready.
“In fact, often, the audiences are preloaded, and operational continuity remains largely intact. Enforcement has increased friction, but it has not eradicated the use of Telegram by cybercriminals,” says Check Point.
In other words, rather than leaving Telegram, threat actors have evolved how they operate inside it. According to the researchers, several evasion techniques are now consistent across underground communities.
Many groups use “Request to Join” gating to block automated moderation bots, for example. Others add disclaimers in channel bios, cheekily tagging Telegram leadership and claiming compliance even when engaging in illicit activity.
Backup channels are created in advance, sometimes bundled together, allowing instant reconstitution after a takedown.
“Criminal content continues to circulate even when original sources are removed, extending the lifecycle of fraud data and operational guidance,” explains Check Point.
“This adaptation mirrors broader trends in cybercrime. Attackers no longer rely on a single asset or channel. They assume disruption and engineer redundancy. Telegram’s scale, usability, and discoverability still make it uniquely attractive for this approach.”
Is Telegram better than the darknet for threat actors?
Clearly, if moderation were truly displacing criminal communities, migration would be obvious. But it’s not.
Has your password leaked?
Telegram remains the platform of choice. Over the last three months alone, Check Point Exposure Management’s team identified approximately 3 million Telegram invite links shared across underground environments.
By comparison, Discord accounted for fewer than 6% of that volume, while Signal, SimpleX, and Matrix-based platforms barely registered.
“Even high-profile attempts to move failed. One notable threat group, AKULA, temporarily relocated to SimpleX in early 2025 but returned to Telegram after followers did not migrate at scale,” said the researchers.
Yes, some actors now use alternative apps for one-to-one communication, but Telegram continues to serve as the primary broadcast, recruitment, and marketplace layer. This isn’t a surprise as the platform has more than 800 million active users.
Some actors now use alternative apps for one-to-one communication, but Telegram continues to serve as the primary broadcast, recruitment, and marketplace layer.
Indeed, cybersecurity firm CYFIRMA recently said that threat actors, including ransomware groups, initial access brokers, and malware operators, are actually leaving traditional darknet marketplaces and turning to Telegram to buy illegally obtained login credentials and malware-as-a-service subscriptions.
“For financially motivated actors, Telegram functions as a scalable storefront and customer support hub. For hacktivists, it serves as a mobilization and propaganda amplifier. For state-aligned operations, it offers a rapid distribution channel for narratives and leaks,” said CYFIRMA in a blog post.
“In many cases, Telegram complements and increasingly replaces traditional Tor-based ecosystems by removing technical friction while maintaining operational flexibility.”
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked