Three months after Telegram's controversial policy changes fueled by the arrest of its CEO, Pavel Durov, predictions of a cybercriminal migration to alternative platforms have largely fallen flat. Despite initial outrage among threat actors, Telegram remains the dominant platform for cybercrime activities, with only minor exploration of alternatives such as Signal, Discord, and others.
Telegram's policy shift and cybercrime fallout
In September 2024, Telegram announced a policy shift, committing to sharing user data, including phone numbers and IP addresses, with law enforcement for criminal investigations. This marked a stark departure from the platform's previous privacy-first stance. The change followed Durov's arrest in France, which intensified legal pressure on the platform and fueled discontent among cybercriminals.
Hackers perceived the policy changes and Durov's detention as an erosion of the platform's lenient oversight, leading to widespread discussions about abandoning Telegram for platforms perceived as more secure.
While initial discussions suggested alternatives such as Signal, Discord, Matrix, and Tox could replace Telegram, real-world migration has been minimal. Data from KELA, a cybersecurity intelligence firm, shows that little has changed in practice.
Although some groups explored Signal for its strong encryption, the platform has seen only a modest rise in adoption, primarily as a backup channel rather than a replacement. Discussions surrounding Discord's capabilities were common, but the number of links shared to Discord servers remained negligible compared to Telegram. Platforms like Tox, Jabber, Session, and Simplex were mentioned, but none gained significant traction.
Telegram, by contrast, continues to dominate the ecosystem, with over 246,000 links shared monthly, dwarfing the combined 682 monthly links for Signal and Discord.
Several cybercrime groups initially vowed to leave Telegram but have largely retained or resumed their activity on the platform:
- Bl00dy ransomware: After declaring its departure in September 2024, the group opened a new Telegram channel just a month later to continue sharing victim data and announcements.
- Team ARXU: Despite promoting a move to Signal, the pro-Bangladeshi hacktivist group remains active on Telegram, with its Signal link now inactive.
- Al Ahad: This Iraqi hacktivist group claimed to migrate to Signal but opened new Telegram channels, rebranding to align with Telegram's updated rules.
- Moroccan Cyber Aliens and GlorySec: Both groups announced intentions to leave but continued posting regularly on Telegram.
In all cases, Telegram's extensive reach and ease of use outweighed concerns about its new policies.
Despite its policy changes, Telegram's entrenched user base, functionality, and familiarity have solidified its status as a preferred platform for cybercriminals. Threat actors continue to rely on Telegram's large audiences, backup channels, and group features, making a full-scale migration unlikely. The platform remains central to illicit operations, with alternatives serving as supplemental rather than primary venues.