CTI Academy
Login Get Started

Telegram as a Cybercrime Marketplace

What gets sold, the bots that run it, the Durov crackdown, and how CTI analysts monitor it for exposure.

Telegram has close to a billion users, and the overwhelming majority of them are using it as an ordinary messenger. A determined minority turned it into one of the busiest marketplaces in cybercrime.

TL;DR

  • Telegram is not the dark web, but it has become "dark web lite": no Tor required, public channels indexed in search, yet still hosting a full stack of criminal trade.
  • The ecosystem runs in four layers: communication, marketplace (stolen data, cards, access), automation (bots that search, validate, and sell in real time), and amplification (extortion and hacktivist broadcasting).
  • Telegram's 2025 crackdown, triggered by founder Pavel Durov's August 2024 arrest, removed millions of channels but did not shrink the underlying criminal networks — they adapted with backup channels, private gating, and anonymous Fragment-purchased phone numbers.
  • OTP bots that socially engineer victims out of their one-time passwords are now a defining 2026 threat, run as subscription SaaS-style services.
  • CTI analysts treat Telegram as an early-warning system: credentials and access are often advertised days or weeks before they are weaponized.

That transformation is the subject of this article, and it is worth stating the paradox up front. Telegram is not the dark web. There is no Tor, no onion routing, no hidden service. It is a mainstream app you can install from any app store. And yet, as the threat intelligence firm CYFIRMA put it in early 2026, what underground forums on Tor once represented, Telegram now replicates, but faster, more scalable, and significantly more accessible. The friction that used to define the criminal underground, the Tor browser, the reputation you had to build, the escrow you had to trust, has been replaced by instant channel creation, subscription malware, real-time broadcasting, and bots that will sell you stolen data in the time it takes to send a message.

To make this concrete, the figures throughout this article are real, redacted captures from active cybercrime channels. They are not illustrations. They are what the marketplace actually looks like from an analyst's screen. This is Telegram cybercrime as it actually operates. Let me walk through how it works, what changed after Telegram's founder was arrested in 2024, and why the crackdown that followed has not emptied the shelves.

Telegram Is Not the Dark Web, But It Behaves Like One

The distinction matters, because it shapes both how the ecosystem works and how you monitor it.

The classic dark web lives on Tor and I2P, reachable only through special browsers, deliberately hidden. Telegram is none of that. It is a standard messaging platform, which means channels are often just a link away, public channels are indexed in Telegram's own search, and groups can hold enormous audiences, up to 200,000 members each. It also means Telegram is not the fortress of privacy its reputation suggests: standard channels are not end-to-end encrypted, and the platform retains metadata, including the phone number tied to an account. Practitioners sometimes call it "dark web lite," a semi-public space where anyone with a link can walk in, but where participants still hide behind pseudonyms.

What Telegram offers that Tor forums never could is a hybrid architecture: public broadcast channels, private invite-only groups, and automated bots, all inside one app that people already have open on their phones. That combination of scale, speed, and automation is exactly why organized crime migrated so much of its trade here. It did not replace the dark web. It became a faster, louder front end to it.

Why Threat Actors Moved to Telegram

For years, Tor-based forums and darknet markets were the backbone of the underground. The move to Telegram was not about secrecy, since Telegram offers less of that than Tor. It was about business efficiency.

The advantages stack up quickly. There is almost no barrier to entry: no Tor setup, no reputation to grind, no escrow ritual to navigate. A vendor can spin up a channel in seconds and start broadcasting to an unlimited audience. Buyers and affiliates onboard instantly. Payments are coordinated in-app. And the platform's global reach means a listing is visible to a vastly larger pool of potential customers than any onion site. This is what CYFIRMA and others describe as the "platformization" of cybercrime: services packaged, automated, subscription-based, and marketed in real time, the same way legitimate software-as-a-service works.

Network effects then lock it in. With hundreds of millions of users, Telegram is nearly impossible for a competitor to replace. When one notable threat group, tracked as AKULA, tried relocating to the more secure app SimpleX in early 2025, it returned to Telegram after its followers did not migrate at scale. The audience is on Telegram, so the market stays on Telegram. Enforcement, as we will see, has changed criminal behavior without changing that basic allegiance.

The Layers of the Telegram Underground

CYFIRMA's research frames the Telegram criminal ecosystem as a stack of layers, and that model is the clearest way to organize what you are about to see. At the base is a communication layer, ordinary messaging and coordination. Above it sits the marketplace layer, where stolen credentials, corporate access, malware, and leaked databases are promoted. Then comes the automation layer, the bots that search logs, validate payments, and generate malware builds in near real time, which is what truly separates Telegram from a static forum. At the top is the operational and amplification layer, where ransomware crews publicize victims and hacktivists mobilize campaigns.

The four layers of Telegram cybercrime: communication, marketplace, automation, and amplification

The four layers of the Telegram underground. Each layer builds on the one below it, turning an ordinary messaging app into an end-to-end criminal supply chain.

The rest of this guide follows those layers, with real examples of each.

The Marketplace Layer: What Gets Sold

Almost anything you could find on a traditional dark web market can be found in a Telegram channel, often packaged to make the transaction as frictionless as possible. A few categories dominate.

Leaked databases and SQL dumps. When an organization is breached, the data very often ends up here.

Telegram channel distributing leaked databases as downloadable archives labeled sql dumps

Figure 1: A channel distributing breached databases as downloadable archives, tagged "sql dumps." Each file is a leaked dataset from a named organization (redacted). Free dumps like these, served to the channel's 1,200-plus viewers, act as a reputation builder, while the freshest and most valuable data is held back for private sale. Once a database is posted, it is mirrored endlessly, which is why a single breach becomes a permanent exposure.

Stealer logs and combolists. This is the fuel of the wider ecosystem, and Telegram is now its primary distribution channel. Infostealer malware harvests credentials, cookies, and autofill data from infected machines, packages them into "logs," and those logs are dropped into channels by the gigabyte.

Telegram stealer log and combolist channel with password-protected multi-gigabyte archives

Figure 2: A stealer log and combolist channel. The pinned files are multi-gigabyte log archives, password-protected and gated behind a channel join, with a "Buy private" upsell for fresher, exclusive data. "Combos" are combolists, the username-and-password pairs fed into credential-stuffing attacks. The scale is not abstract: Flare's 2026 analysis of 18.7 million stealer logs found that more than 2 million infections exposed enterprise single sign-on or identity provider credentials, roughly one in ten.

Carding: stolen cards, CVVs, and fullz. A large and openly advertised trade. The United Nations Office on Drugs and Crime has reported that criminal networks trade stolen credit card numbers and personal data at vast scale in Telegram channels with little moderation.

Telegram carding vendor advertisement selling stolen credit cards, CVVs, and fullz

Figure 3: A carding vendor advertising stolen cards, CVVs, and "fullz" (complete identity packages), with the selling point that the cards are "non-VBV" and "skip OTP," meaning they sidestep the extra verification step. The "replacement or refund if cc dead" guarantee and the "I also teach" offer show how closely these ads now mimic legitimate e-commerce, right down to customer service and tutorials.

Beyond these, the marketplace layer moves initial access to corporate networks, phishing kits, malware-as-a-service subscriptions, and increasingly, financial-fraud enablement tailored to specific regions. The same initial access brokers who advertise on dark web forums increasingly run their sales through Telegram channels, which is why the platform and the IAB ecosystem are best understood together. Check Point and other firms tracking Latin American activity found over 100,000 Telegram messages in 2025 and 2026 referencing the sale of verified local bank and fintech accounts. A parallel market sells KYC-bypass tools; MIT Technology Review documented 22 channels selling verification-bypass kits aimed at platforms like Binance, BBVA, and Revolut, part of a deepfake-driven fraud economy where a bypass can cost as little as thirty dollars.

The Automation Layer: Bots That Run the Shop

If the marketplace layer looks like a dark web forum, the automation layer is what makes Telegram genuinely different. Bots turn criminal services into self-serve products that run without a human in the loop.

Searchable log bots. Instead of scrolling listings, a buyer queries a bot.

Telegram searchable stealer-log bot returning credential record counts for a queried domain

Figure 4: The automation layer in action. A user sends a command with a target domain, and the bot instantly reports how many stolen records it holds, here 334 results for a single service. No skill required, just a query. This searchability is the core difference from a static forum post: the stolen data is indexed and available on demand, in real time.

OTP bots and 2FA bypass. Among the most consequential services on the platform. An OTP bot is automated software, typically sold as a subscription and controlled through Telegram, that helps an attacker capture the one-time password protecting an account. The attacker already has the victim's username and password, usually from a breach or an infostealer log, and initiates a login. The bot then calls or texts the victim, impersonating their bank, and uses a scripted social-engineering flow to trick them into reading back the code that just arrived. The single most important piece of defensive advice here is simple: a legitimate institution will never call and ask you to read them a code you just received.

What makes these a defining threat in 2026 is the business model, which Recorded Future and CybelAngel describe as indistinguishable from a legitimate SaaS operation, complete with pricing tiers, customer support channels, refund policies for failed attempts, and update logs announcing new bank targets. Intel 471 documented services charging monthly fees from tens to hundreds of dollars, with one widely reported tool advertising around an 80 percent success rate when the victim answers. The economics are brutal: a low-cost tool can reportedly earn its operator around $50,000 a month, and the volume of these services has exploded. On the other side of the ledger, the FBI logged over 5,100 account-takeover complaints in 2025 with losses exceeding $262 million, and that counts only the incidents victims noticed and reported. The lesson for defenders is that SMS and voice-call one-time passwords are no longer a strong second factor. Phishing-resistant MFA, FIDO security keys or authenticator-app codes, is the meaningful upgrade.

Broadcast and targeting feeds. The automation layer is not only for selling. It also distributes intelligence.

Telegram CVE notification channel broadcasting newly disclosed vulnerabilities

Figure 5: Telegram's broadcast layer distributes newly disclosed vulnerabilities to subscribers within minutes of publication. Defenders read feeds like this to patch faster. Access brokers and ransomware affiliates read the very same feeds to find fresh, exploitable targets before organizations can react, which fits the well-documented pattern of brokers weaponizing a new VPN or gateway CVE within hours. The same channel serves both sides of the fight.

Underneath all of this, bots also validate payments, generate malware builds, and manage affiliate access, letting entire criminal services operate at machine speed.

The Amplification Layer: Extortion in Public

At the top of the stack, Telegram becomes a megaphone. Ransomware and extortion groups do not just steal data; they broadcast the theft to force payment.

Telegram extortion leak channel showing a victim countdown timer and public ransom notice

Figure 6: An extortion leak channel publicizing a victim (redacted) with a countdown timer to "full leak" and a public ransom notice. The broadcast itself is the pressure tactic. Telegram's reach becomes leverage, turning an audience into a weapon against the victim. Groups use these channels to shame targets, threaten exposure, and drive traffic to dedicated leak sites, reinforcing extortion demands through visibility regardless of the technical scale of the underlying breach.

The same amplification machinery serves hacktivist collectives, who use channels to coordinate campaigns and claim attacks, and state-aligned operations, which use them to push narratives and distribute leaks. As CYFIRMA summarized, Telegram functions as connective infrastructure, linking access brokers to ransomware affiliates, leak channels to media visibility, and recruitment posts to active operations.

The Durov Effect: The 2025 Crackdown

For most of its history, Telegram was a permissive environment that rarely acted against this activity. That changed abruptly.

In August 2024, Telegram founder Pavel Durov was arrested outside Paris, and the platform was forced to abandon its hands-off posture. It updated its terms of service and privacy policy, began allowing users to flag previously off-limits private chats for moderation, rolled out automated detection, and agreed to disclose suspect users' IP addresses and phone numbers to law enforcement in response to valid court orders. The scale of enforcement that followed was, by Check Point's account, staggering: millions of channels taken down through 2025, administrative intervention reaching historic highs, and roughly a fifth of the blocked channels tied to criminal activity that directly affects businesses, from carding to fullz trading. Telegram also moved against the largest illicit markets on the platform, shutting down the two biggest Chinese-language "guarantee" marketplaces, Huione Guarantee and Xinbi Guarantee, in May 2025, venues that crypto-tracing firm Elliptic had shown handled more than $35 billion in transactions between them.

So the crackdown this year is real, sustained, and growing. Channels of exactly the kind pictured throughout this article are removed regularly, often within 24 to 72 hours of being publicly exposed. Which raises the obvious question: has it worked?

Why the Crackdown Has Not Emptied the Market

The uncomfortable answer from every firm tracking the space is that enforcement has increased friction without dismantling the underlying networks. Empirical intelligence from early 2026 confirms the criminal presence on Telegram has not shrunk. It adapted.

The resilience techniques are consistent across the underground. Backup channels are pre-created before a takedown even happens, often with audiences preloaded, so when a channel is removed the community simply reconstitutes within hours under the same vendor brand. Groups convert public channels into private, invite-only ones using "request to join" gating, which forces manual screening of members and blocks Telegram's automated moderation bots. And to defeat the platform's new willingness to hand over identifying data, sophisticated actors now register accounts using anonymous phone numbers purchased through the Fragment blockchain marketplace, decoupling the account from any real-world identity and rendering the IP-and-phone disclosure functionally useless.

Some groups did leave, at least temporarily. The Bl00dy ransomware gang publicly declared its departure over exposure fears, triggering a brief migration toward Signal and Session, and the AKULA group's move to SimpleX was mentioned earlier. But the pattern is departure followed by return, because the audience does not follow. Enforcement changed behavior, not allegiance.

The next pressure point is regulatory. Analysts widely expect a major jurisdiction, likely France or Germany, to formally designate Telegram under the European Union's Digital Services Act framework, forcing proactive monitoring of cybercrime channels. The consensus is that this will fragment the marketplace across smaller platforms rather than end it. Meanwhile in Russia, Telegram faces the opposite pressure, throttled and threatened with a full block, while Durov has stated the platform would shut down before disclosing message content. The market, for now, routes around all of it.

How CTI Analysts Monitor Telegram

Here is where all of this becomes actionable. For a threat intelligence function, Telegram is no longer optional to watch. It is a critical environment for exposure management, brand protection, and early threat detection, and ignoring it creates blind spots that attackers will exploit.

The monitoring challenge is real. Request-to-join gating hides the most sensitive channels, mirror channels make any single takedown temporary, and the sheer volume is overwhelming. This is why the discipline has shifted. Taking down a channel matters less than mapping the network of accounts, mirrors, and personas around it, because that network is what survives the takedown. Practically, an analyst watches for their organization's data surfacing in stealer log and database channels, queries log-search bots for their own domains to catch exposure early, tracks vendor and actor personas as they migrate and rebrand, and monitors extortion leak channels for the first sign a breach is about to go public. Credentials and access are very often advertised days or weeks before they are weaponized, so this monitoring is a genuine early-warning system, not just after-the-fact awareness.

Doing this well is a hands-on skill, and it is exactly what CTI Academy's practice environments were built to train. NullBase, a simulated underground forum and channel environment, lets you rehearse channel monitoring, persona correlation, and listing analysis without operating on live criminal infrastructure, which is both safer and more repeatable. LeakLens puts you inside credential-leak and stealer-log data so that checking whether your domains are exposed becomes a workflow you have actually run. And because this landscape moves weekly, staying current is its own habit, which is part of why we run todayincyber.io to keep the day's signal in one place.

Where CTI Academy Fits

Reading a glossary entry tells you Telegram hosts cybercrime. Being able to track a vendor across mirror channels, recognize a log-search bot, correlate an actor's personas, and spot your own organization's exposure before it becomes an incident is a different level entirely, and it is a skill built by doing.

That is what CTI Academy's Hunter track is for. The dark web and underground monitoring coursework takes you from the concepts in this article into hands-on practice inside NullBase and LeakLens, so you learn to work these platforms from the analyst's side. If you want to stop treating Telegram as someone else's problem and start monitoring it like a professional, start with the Hunter track.

Frequently Asked Questions

Is Telegram part of the dark web?

No. The dark web runs on Tor and I2P and requires special browsers, while Telegram is a mainstream messaging app. However, Telegram now hosts so much illicit trade that practitioners call it "dark web lite." Its standard channels are not end-to-end encrypted and it retains metadata like phone numbers, so it offers less anonymity than Tor.

What is sold on Telegram cybercrime channels?

Stealer logs and combolists, leaked databases, stolen credit cards and fullz, initial access to corporate networks, malware-as-a-service subscriptions, phishing kits, OTP and 2FA-bypass bots, KYC-bypass tools, and verified fraudulent bank accounts. Ransomware groups also use channels to publicize victims and pressure them into paying.

Why do cybercriminals use Telegram instead of the dark web?

Mainly for business efficiency, not secrecy. Telegram has almost no barrier to entry, requires no Tor or reputation-building or escrow, allows instant channel creation, reaches a massive audience, and supports automated bots that run criminal services in real time. Its enormous user base creates network effects that keep the market there.

What is a Telegram OTP bot?

An OTP bot is automated software, usually sold as a subscription and controlled through Telegram, that helps attackers capture the one-time password protecting an account. It calls or texts the victim while impersonating their bank and uses a scripted social-engineering flow to trick them into reading back the code. Phishing-resistant MFA such as FIDO keys defends against them.

Did Telegram crack down on cybercrime in 2025?

Yes. After founder Pavel Durov's August 2024 arrest, Telegram began cooperating with law enforcement, disclosing IP addresses and phone numbers under valid court orders, rolled out automated moderation, and removed millions of channels in 2025. However, criminal activity adapted rather than disappeared, using pre-built backup channels, private gating, and anonymous phone numbers.

Why does taking down cybercrime channels not stop the activity?

Because communities are built for resilience. Backup channels are created in advance with audiences preloaded, so a removed channel reconstitutes within hours under the same brand. Analysts increasingly focus on mapping the network of mirrors and personas around a channel rather than relying on takedowns alone.

How do organizations monitor Telegram for threats?

Through dark web and Telegram monitoring that watches for the organization's leaked data, credentials, and access appearing in channels and log-search bots, tracks threat-actor personas as they migrate, and monitors extortion leak channels for early signs of a breach. Because data is often advertised before it is used, this acts as an early-warning system.

Read more at CTI Academy Blog