Since its launch in August 2013, Telegram has become the go-to messaging app for privacy-focused users. To start using the app, users can sign up using either their real phone number or an anonymous number purchased from the Fragment blockchain marketplace. In the case of the latter, Telegram cannot be linked to the user’s real phone number or any other personally identifiable information (PII).

Telegram has also long been known for its hands-off moderation policy. The platform explicitly stated in its FAQ that private chats were entirely off-limits for moderation. Content moderation was instead user-driven, and reporting illegal activities was left primarily to the users themselves. By contrast, many of its peers, such as WhatsApp, invest heavily in moderating content and cooperation with law enforcement.

These characteristics have also made Telegram the messaging app of choice for cyber crime and other illegal activity. This includes distributing malware, selling illegal goods and services, recruiting associates and coordinating cyberattacks. For more organized cyber crime groups, Telegram is a hub for sharing operational intelligence and amplifying illicit business in much the same way as legitimate organizations do on mainstream channels.

However, Telegram’s approach to user privacy and content moderation changed significantly following CEO Pavel Durov’s arrest in France on August 24, 2024, with the company quietly changing its FAQ page and privacy policy in the following weeks. Although the app’s source code hasn’t changed, according to Telegram spokesperson Remy Vaughn, users can now report illegal activity for automated takedown or manual moderation. Furthermore, Telegram also updated its privacy policy, stating that, upon receiving a valid court order, it will disclose users’ phone numbers and IP addresses.

What does this mean for cybersecurity teams?

Although these changes are arguably a step in the right direction for law enforcement, they’re also driving a migration of cyber criminal activity to other platforms, such as Signal or Session. One cyber crime syndicate, known as the Bl00dy ransomware gang, publicly declared they were quitting Telegram as a direct result of the company’s policy shift. Many hacktivist groups have also followed suit, as have legitimate users who rely on Telegram for freedom of speech in oppressive regimes.

Unfortunately, one could also view such policy shifts as a mere displacement of illegal activity, with cyber crime becoming fragmented across an ever-wider range of platforms. Potentially, this may make it more difficult for law enforcement and cybersecurity analysts to track and disrupt threat actors. For example, red teams may have a harder time gaining access to these underground communities to identify and mitigate threats before they can cause real damage.

Telegram has long been a rich source of threat intelligence, with many public-facing channels being used to organize cyber criminal activity. While private chats have, for the most part, been completely off-limits to threat analysts and law enforcement alike, stricter moderation policies have also been applied to public channels, potentially making it easier to expose criminals. However, while few would argue that that’s a bad thing in principle, it does come with a caveat: Criminals might simply move elsewhere instead.

Perhaps even more concerning is the increased possibility of driving both cyber criminals and hacktivists into the arms of state-sponsored cyber crime and cyber espionage. This also opens up the likelihood of threat actors using end-to-end encrypted and decentralized platforms that have even less oversight than Telegram ever did. This could complicate efforts for red teams tasked with simulating attacks or monitoring these communities, thus reducing their abilities to detect threats early.

None of the above necessarily means that there will be a mass exodus of cyber criminal activity from Telegram. After all, with around 900 million monthly users, according to Telegram’s own data, the platform still has the massive audience that large-scale cyber criminal operations, like Malware-as-a-Service, need to expand their reach.

Also, new users can still sign up anonymously using a number purchased from the Fragment blockchain, in which case Telegram’s promise to comply with a request from law enforcement for a user’s phone number becomes irrelevant. That said, Telegram will still be able to share IP addresses, which could still potentially be used to track a user’s activity.

What can security leaders do to stay ahead of the threats?

As every security leader is well aware, the threat landscape is ever-changing and growing more complex as cyber criminal operations become more fragmented across platforms. Many threat-monitoring tools and strategies are struggling to keep up, thus providing limited or no coverage for platforms other than Telegram. The continuing rise of decentralized, open-source platforms will only further complicate threat hunting and analysis. In addition, rival states are developing their own platforms for cyber espionage and state-sponsored cyber crime.

It has never been more important to take a proactive stance on cybersecurity — one that spans all platforms and is capable of prioritizing threat attribution through multiple data points. That means drawing upon a combination of human expertise and advanced threat analytics tools to gain access to intelligence from channels that might otherwise remain hidden.

AI-powered threat intelligence offers a powerful augmentation to the expertise and insight of talented security analysts. For example, stylometry — which examines linguistic characteristics to create a unique profile of a user’s writing style — can help identify cyber criminals and detect insider threats, regardless of the platform they’re using. AI helps make that possible at a scale that human analysts alone can’t possibly hope to tackle.

Even as cyber criminals migrate to a growing range of other platforms, their behavior can still expose various patterns. With the ability to track their activities, such as the timing of certain posts and styles of interaction, analysts can build comprehensive profiles that can help them link operations and individuals across platforms.

While it will only get harder — if not impossible — to track data points like transactional metadata or cryptocurrency transaction histories, AI-powered behavioral analytics tools can help close the gap by helping human analysts identify threat actors and their attack vectors. This will only become more important as cyber crime activity scatters across platforms and security analysts try to maintain visibility into the next generation of cyber threats.