Telegram has solidified its position as the most widely used messaging platform among cybercriminals, according to a recent analysis of data from January 2024 to January 2025.
Despite heightened scrutiny and increased cooperation with law enforcement, the platform remains a cornerstone for illicit communications, outpacing competitors like Discord, Signal, and TOX.
Its widespread adoption highlights a delicate balance between accessibility and operational security that is critical for threat actors.
A Preferred Tool Despite Security Concerns
Telegram’s appeal lies in its user-friendly interface, API support, bot deployment capabilities, and ability to host groups of up to 200,000 members while permitting file sharing of up to 4GB.
According to the Flare report, these features have transformed it into more than just a communication tool: it has become a de facto social network for cybercriminals.
However, its opaque encryption mechanisms and lack of independent security audits have raised concerns among more OPSEC-focused actors.
Additionally, rumors about the platform’s ties to Russia further fuel skepticism within the community.
The arrest of Telegram CEO Pavel Durov in August 2024 and the platform’s subsequent announcement of increased cooperation with law enforcement in September 2024 marked significant turning points.
Starting in January 2025, Telegram began sharing user IP addresses and phone numbers in response to legal requests.
While these developments sparked discussions about migrating to alternative platforms, no substantial shift in usage patterns has been observed.
Signal Gains Traction but Remains Marginal
Signal has emerged as a potential alternative for some cybercriminals following Telegram’s policy changes.

Between September and December 2024, the number of Signal invite links shared within cybercriminal forums saw a noticeable uptick.
However, its overall adoption remains limited compared to Telegram, which continues to dominate the ecosystem.
The choice of messaging platforms often correlates with the type of criminal activity. For instance:
- Discord is popular among younger, low-level actors often involved in gaming-related fraud.
- TOX and Jabber are preferred by ransomware operators and those dealing in corporate database sales.
- Matrix and Session cater to niche activities such as drug trafficking and fraud schemes.
Interestingly, many threat actors use multiple platforms simultaneously to ensure accessibility and redundancy.
Telegram frequently serves as a central hub in these combinations, underscoring its resilience despite growing concerns.
Telegram’s dominance in the cybercriminal underground persists even amid rising scrutiny and competition.
While alternatives like Signal have gained some traction, they have yet to challenge Telegram’s entrenched position.
This enduring reliance on Telegram reflects its unique blend of convenience and functionality that continues to meet the needs of threat actors across various illicit activities.