As Telegram steps up its blocking measures, the exodus of underground criminals is accelerating.
Kaspersky released a "Telegram channel cybercriminal analysis report" on the 24th. The Kaspersky Digital Footprint Intelligence team conducted an in-depth analysis of more than 800 cybercrime-related Telegram channels that were blocked from 2021 to 2024. The findings show that while illegal activity still exists on Telegram, operating conditions in the underground crime ecosystem have deteriorated significantly compared with the past.
According to the report, the average lifespan of underground Telegram channels has actually increased. The share of channels that lasted longer than nine months more than tripled in 2023–2024 compared with 2021–2022. But once channels are found, they are being blocked far more quickly than before. In fact, since October 2024, the number of removals per month, even at the lowest point, has been similar to the highest monthly level recorded during all of 2023. In 2025, blocking has sped up further, greatly undermining the persistence of criminal activity, the analysis said.
Kaspersky cited bot-based automation and low barriers to entry as the reasons Telegram has been used for cybercrime. A single bot can handle inquiries, process cryptocurrency payments, deliver stolen data, distribute phishing kits, offer DDoS attacks, and store and distribute large files without limit, which enables low-cost, high-volume, low-skill crime-as-a-service offerings, it said. By contrast, high-priced, trust-based transactions such as sales of zero-day vulnerabilities are still conducted mainly on dark web forums.
However, some pointed out that Telegram poses structural limitations for cybercriminals because end-to-end encryption (E2EE) is not enabled by default, it uses a centralized infrastructure, and its server-side code is closed. With these shifts, parts of major underground communities such as the BFRepo group and the Angel Drainer (MaaS) organization have already moved their activities to other platforms or custom-built messengers.
Vladislav Belousov, a Kaspersky digital footprint analyst, said, "Telegram has long been a convenient tool for cybercriminals, but as blocking has surged, the risk-reward equation is clearly changing," and added, "In an environment where channels are repeatedly created and blocked, long-term operations are becoming difficult."
Kaspersky urged users and corporations to actively report illegal channels and bots and to continuously monitor the latest cybercrime trends and tactics, techniques and procedures (TTPs) by leveraging threat intelligence that spans the surface web, deep web and dark web.