For millions of people around the world, Telegram is a secure and convenient way to chat with friends, follow news channels, or join community groups. However, beneath the surface of everyday messaging, a massive shift has taken place in the criminal underworld.
According to a new intelligence report from Cyfirma, “Telegram is no longer just a messaging application. It has evolved into a primary operational playground for modern threat actors.”
For years, the internet’s criminal underground was synonymous with “Tor”—the special browser required to access hidden darknet forums. These forums were highly exclusive, requiring technical know-how to enter and a good reputation to stay.
But there was a problem for the hackers: when law enforcement agencies inevitably busted a darknet forum, the entire criminal ecosystem would collapse overnight. Vendors lost their storefronts, buyers lost their money, and everyone had to scatter.

Telegram offers a perfect, resilient alternative. If the platform bans a hacker’s channel today, they can simply create a new one in minutes and automatically redirect their followers to a backup channel.
The Cyfirma researchers note: “What underground forums on Tor once represented, Telegram now replicates—but faster, more scalable, and significantly more accessible.”
What makes this shift so dangerous is how easy it is for anyone to get involved. You no longer need to be a coding genius to launch a cyberattack; you just need a Telegram account and a few dollars.
The report highlights a trend known as the “platformization of cybercrime.” Threat actors are now selling access to malware (like computer viruses and phone-spying apps) exactly as legitimate companies sell software subscriptions.
“This shift reflects a broader platformization of cybercrime. Services are packaged, automated, subscription-based, and marketed in real time,” the report explains.
Inside these Telegram channels, you can find a bustling digital mall offering a variety of illicit services:
- Initial Access Brokers (IABs): These are the burglars who pick the locks but don’t steal the goods. They break into corporate networks and use Telegram to sell the digital “keys” to the highest bidder.
- Malware-as-a-Service: Hackers selling monthly subscriptions to custom viruses, complete with software updates, customer support, and user tutorials.
- Automated Data Bots: Criminals use Telegram bots to instantly search through massive databases of stolen passwords and credit card numbers.
Telegram isn’t just a marketplace; it’s also a powerful megaphone. Hacktivists (hackers driven by political or ideological motives) use the app’s broadcast features to recruit volunteers, claim responsibility for attacks, and spread propaganda.
Similarly, ransomware gangs—who lock up a company’s data and demand payment—use Telegram to publicly shame their victims. By posting countdown timers and leaking small samples of stolen data, they use the platform to apply intense psychological pressure on companies to pay the ransom.
While the dark web isn’t completely dead, it has changed. Hackers still use traditional hidden forums to make their initial introductions, but the actual business—the buying, selling, and coordinating—has moved to the messaging app in your pocket.
As the Cyfirma report concludes: “Rather than replacing Tor entirely, Telegram has become the operational extension of it.”