A research report by cybersecurity firm CYFIRMA says the messaging platform Telegram has become a central operational environment for a wide range of cybercriminal activities. According to the analysis, threat actors are increasingly using Telegram channels, groups, and automated bots to coordinate attacks, distribute tools, and promote illegal services within the cybercrime ecosystem.


Researchers describe the shift as a structural change in how cybercriminal communities organize themselves online. Historically, many illicit activities took place on darknet forums hosted on the Tor network. These platforms required technical expertise to access and relied on reputation systems and escrow mechanisms for transactions. CYFIRMA’s report states that Telegram now provides similar functions while reducing barriers to entry and enabling faster coordination between actors.

Telegram’s architecture allows users to create public channels, private groups, and automated bots that can distribute files, publish messages to large audiences, and process transactions. Cybercriminal groups use these features to coordinate operations in real time and maintain communication even when individual channels are removed or disrupted. Because new channels can be created quickly and shared through invitation links, groups can rapidly rebuild their networks following takedowns or disruptions.

The CYFIRMA report identifies several categories of threat actors using the platform. Ransomware operators maintain channels where they list victims, publish stolen data samples, and announce deadlines for payment. These channels often display proof of compromise to pressure targeted organizations during extortion negotiations. Some groups also use Telegram to recruit affiliates and advertise revenue-sharing models for ransomware campaigns.

Initial access brokers, another key component of the cybercrime ecosystem, also use Telegram channels to advertise compromised networks and credentials. Listings frequently include details about the target organization, such as industry sector, revenue size, geographic location, and access privileges within the network. Buyers can evaluate these offers before purchasing access that may later be used for ransomware or data theft operations.

Malware developers and operators also use the platform to distribute tools and services. Channels may promote information-stealing malware, crypters, phishing kits, or loader frameworks through subscription-based models. In many cases, automated bots handle customer interaction, payment processing, and delivery of the malware builds. These services function similarly to legitimate software distribution systems but operate within underground communities.

Telegram is also used to circulate stolen data and breach information. Data leak channels often publish samples of databases or credential dumps to demonstrate authenticity before releasing or selling the full dataset. The forwarding and resharing features of the platform allow this information to spread quickly across multiple channels, increasing the visibility of breaches and complicating containment efforts.

Researchers say the platform’s accessibility and real-time communication features have contributed to its adoption by cybercriminal groups. Unlike traditional darknet forums that require specialized access tools, Telegram can be accessed through standard mobile or desktop applications, which lowers technical barriers for participants entering the underground economy.

The report concludes that Telegram now serves as a central operational layer for modern cybercrime activity. By combining communication, distribution, recruitment, and marketing functions in one environment, the platform allows threat actors to coordinate operations more efficiently and scale their activities across a global network.