Longer underground channel lifespans are mirrored by sharply higher blocking rates, prompting fraudsters to explore alternatives
Modern messengers such as WhatsApp, Telegram and Signal are often used for illicit purposes. Kaspersky Digital Footprint Intelligence conducted in-depth monitoring of over 800 blocked cybercriminal Telegram channels between 2021 and 2024. While a range of illegal activities continues to be hosted on the platform, its environment has become noticeably more challenging for sustained underground operations.
Telegram’s bot framework and other built-in features make for a low-effort ecosystem for the underworld. A single bot can simultaneously manage queries, process cryptocurrency payments, and instantly deliver stolen bank cards, info-stealer logs, phishing kits, or DDoS attacks to hundreds of buyers per day, often without operator involvement. Unlimited, non-expiring file storage eliminates the need for external hosting when distributing multi-gigabyte database dumps or stolen corporate documents. This frictionless automation naturally favors high-volume, low-price, low-skill offerings, such as leaked bank cards or other data, or malware hosting. High-value, trust-dependent deals (for instance, zero-day vulnerability information) remain on reputation-gated dark-web forums.
Kaspersky researchers found two clear trends related to illegal activities on Telegram. The average lifespan of shadow channels has increased, with the proportion of channels surviving over nine months more than tripling in 2023–2024 compared to 2021–2022. At the same time, Telegram’s blocking activity has risen significantly. Monthly takedown figures recorded since October 2024 – even at their lowest – are comparable to the peak levels seen throughout 2023, and the overall pace has continued to accelerate in 2025. This impedes malicious activities.
Other disadvantages of Telegram for cybercriminals include the lack of default end-to-end (E2E) encryption for chats, the inability to use their own servers for communication (due to the messenger’s centralized infrastructure), and closed server-side code, which makes it impossible to verify its functionality.
As a result, several established underground communities, including the nearly 9,000-member BFRepo group and the Angel Drainer malware-as-a-service operation, have already begun shifting primary activity to other platforms or proprietary messengers, citing repeated disruptions of their activities on Telegram.
“Fraudsters find Telegram a convenient tool for many malicious activities, but the risk-reward balance is clearly shifting. Channels are managing to stay online longer than a couple of years ago, yet the dramatically higher volume of blocks means operators can no longer count on long-term stability. When a storefront or service disappears overnight – and sometimes reappears only to be removed again weeks later – building a reliable business becomes much harder. We’re starting to see the early stages of migration as a direct consequence,” comments Vladislav Belousov, Digital Footprint Analyst at Kaspersky.
To help users and organizations stay protected, Kaspersky recommends the following practical measures:
- Report clearly illicit channels and bots to accelerate community-driven moderation.
- Use multiple sources of Threat Intelligence information (with coverage of surface, deep and dark web resources) to be notified about recent underground activities and stay aware of actual TTPs used by threat actors.
About Kaspersky Digital Footprint Intelligence
Kaspersky Digital Footprint Intelligence is a comprehensive digital risk protection service that helps customers monitor their digital assets and detect threats from the surface, deep and dark web. With real-time alerts, Kaspersky Digital Footprint Intelligence enables organizations to respond quickly and effectively to potential threats. Analytical reports complement these data with finished intelligence from our experts, providing insights into cyber security risks and recommendations on how to mitigate them.