When the credential phishing form is submitted, the data will be exfiltrated via a Telegram bot | Image: Cofense
While millions use Telegram for secure, instant messaging, a darker side of the platform is emerging in the cybersecurity landscape. A new report from Cofense reveals that the platform’s once-heralded bot features are increasingly being hijacked by threat actors to serve as efficient Command and Control (C2) centers for data theft.
By leveraging the technically legitimate Telegram Bot API, cybercriminals are transforming simple automated accounts into “God-view” portals for stolen information.
Telegram’s extensive collection of web APIs is designed to help developers create automated tools. However, these same features allow malicious bots to post messages in private chats and upload arbitrary files—such as screenshots or archives of stolen credentials—directly to an attacker’s device.
As the report explains: “Telegram bots are often used by threat actors as a method of data exfiltration through a technically legitimate service.”
Between Q1 2024 and Q2 2025, approximately 3.8% of all malware-based campaigns and 2.3% of all credential phishing campaigns analyzed used Telegram as their primary C2 infrastructure.
The beauty of this technique for attackers lies in its simplicity. Because the traffic is directed toward api.telegram.org, it often blends in with legitimate network activity, evading basic firewalls.
Threat actors typically use the API in three ways:
- Direct Scripting: Making HTTPS requests directly from a malicious script executing on a victim’s machine.
- Credential Phishing: Sending form data (usernames and passwords) to a bot immediately after a victim submits it on a fake login page.
- Visitor Alerting: Notifying the attacker the moment a victim clicks a malicious link, providing real-time tracking of a campaign’s success.
The exfiltrated data isn’t just text; attackers frequently use the sendDocument method to upload files up to 50 MB, which often contain “screenshots and text files with stolen credentials”.
To counter this “legitimate” abuse, security teams are encouraged to look for specific API patterns. Most malicious requests follow a predictable structure: an HTTPS call to api.telegram.org/bot<token>/<method>, where the final path segment names the Bot API method being invoked. Commonly abused methods to monitor include:
- sendMessage: Used for exfiltrating text-based data and credentials.
- sendDocument: Used for uploading larger stolen archives.
- getFile: Used by the attacker to download remote files to the victim’s environment.
If your organization does not use Telegram bots for business operations, the report recommends a simple but effective fix: “consider blocking Telegram Bot API requests” entirely by creating rules for the api[.]telegram[.]org/bot endpoint.
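The detection and blocking guidance above (monitoring the three abused methods, and blocking the /bot endpoint where the organization has no business use for Telegram bots) can be implemented in a few lines. The following is an added example written for this page, not code from Cofense or from the Telegram project; the proxy log format, the IPs and the bot tokens in the sample lines are constructed, and the severity labels are an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Telegram Bot API URL shape: https://api.telegram.org/bot<token>/<method>
# The token is matched loosely so that partially logged tokens still produce a hit.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>[A-Za-z]+)"
)

# Methods the report names as commonly abused, with the behaviour each indicates.
ABUSED_METHODS = {
    "sendMessage": "text/credential exfiltration",
    "sendDocument": "file upload (up to 50 MB)",
    "getFile": "remote file download to the host",
}


@dataclass
class Finding:
    src: str        # client that made the request
    method: str     # Bot API method in the URL path
    token_id: str   # numeric bot id only; the secret half is redacted
    severity: str   # assumed labelling: "high" for abused methods, "medium" otherwise
    reason: str


def redact_token(token: str) -> str:
    """Keep the numeric bot id (useful for correlation) and drop the secret part."""
    bot_id, sep, _secret = token.partition(":")
    return f"{bot_id}:<redacted>" if sep else "<redacted>"


def inspect_log_line(line: str) -> Optional[Finding]:
    """Parse one constructed proxy log line: '<ts> <src_ip> <verb> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, src, _verb, url, _status = parts[:5]
    m = BOT_API_RE.search(url)
    if not m:
        return None
    method = m.group("method")
    token_id = redact_token(m.group("token"))
    if method in ABUSED_METHODS:
        return Finding(src, method, token_id, "high", ABUSED_METHODS[method])
    return Finding(src, method, token_id, "medium", "other Bot API method")


def scan(lines: List[str]) -> List[Finding]:
    """Return a finding for every line that hits the Bot API endpoint."""
    return [f for f in map(inspect_log_line, lines) if f is not None]


def should_block(url: str, org_uses_telegram_bots: bool = False) -> bool:
    """Report's recommendation: block api.telegram.org/bot<...> outright when the
    organisation has no business use for Telegram bots. Web/desktop Telegram
    clients do not use this path, so they are unaffected."""
    if org_uses_telegram_bots:
        return False
    return BOT_API_RE.search(url) is not None


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2025-06-01T10:00:01Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenExampleToken/sendMessage 200",
    "2025-06-01T10:00:02Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenExampleToken/sendDocument 200",
    "2025-06-01T10:00:03Z 10.0.0.9 GET https://web.telegram.org/a/ 200",
    "2025-06-01T10:00:04Z 10.0.0.7 GET https://api.telegram.org/bot987654321:BBExampleToken/getMe 200",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.src} -> {f.method} (bot {f.token_id}): {f.reason}")
```

Two practical caveats: a forward proxy only sees the full URL path when it performs TLS inspection; without that it sees only the CONNECT to api.telegram.org, so the host alone has to carry the decision. And the token should never be copied into alert text, since it is the attacker's secret and logs are frequently shared across teams; the redaction above keeps only the numeric id for correlation.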
As always, the first line of defense remains user awareness. No bot can steal data if a user doesn’t first interact with a “suspect message, embedded link payload, or malicious file”.