Hackers couldn't abandon the beloved messenger.
Telegram has attempted to restore order, but cybercriminals are in no hurry to leave. Even mass blocking and stricter regulations haven't eliminated the platform from their daily operations.
A new report from Check Point states that the messaging app sharply strengthened its moderation following the arrest of Pavel Durov in France in August 2024. The major changes took effect in February 2025, and over the course of the year, the administration blocked more than 43.5 million channels and groups. A significant portion of the blocks targeted communities associated with the sale of stolen data, bank cards, and other types of cybercrime.
Meanwhile, the scale of the purges is only growing. While Telegram previously removed approximately 10,000–30,000 channels per day, by the end of 2025, that figure had risen to 80,000–140,000, and at peak times, over 500,000 blocks per day were blocked. Judging by the graph in the report, these surges are becoming more frequent and noticeably larger.
It would seem that this pressure should have pushed criminal groups to other platforms. In practice, nothing of the sort occurred. The report's authors found no signs of a mass exodus. Even when individual groups attempted to leave, their efforts quickly fizzled out. For example, the AKULA group briefly migrated to the SimpleX Chat messenger in 2025 , but soon returned due to the new platform's low popularity.
Telegram remains the primary communication channel. Over the past three months, researchers have recorded approximately 3 million invitation links to Telegram channels in the underground community. By comparison, its closest competitor, Discord, had a less than 6% of that number.
Instead of retreating, the attackers have changed their tactics. Channels are increasingly blocking access through membership requests to weed out automated systems and outsiders. Fake "disclaimers" mentioning Durov appear in descriptions, where administrators claim their activities are supposedly legal. At the same time, backup channels are being created to gather audiences in advance in case of a ban. Discord remains Telegram's main competitor , but its share of the underground community is incomparably smaller.
As a result, Telegram has become more restrictive, but it hasn't stopped being a convenient platform for cybercriminals. Blocks hinder work, but they don't break the system. Communities quickly recover, relocate their audiences, and continue operating almost without interruption.
Telegram has attempted to restore order, but cybercriminals are in no hurry to leave. Even mass blocking and stricter regulations haven't eliminated the platform from their daily operations.
A new report from Check Point states that the messaging app sharply strengthened its moderation following the arrest of Pavel Durov in France in August 2024. The major changes took effect in February 2025, and over the course of the year, the administration blocked more than 43.5 million channels and groups. A significant portion of the blocks targeted communities associated with the sale of stolen data, bank cards, and other types of cybercrime.
Meanwhile, the scale of the purges is only growing. While Telegram previously removed approximately 10,000–30,000 channels per day, by the end of 2025, that figure had risen to 80,000–140,000, and at peak times, over 500,000 blocks per day were blocked. Judging by the graph in the report, these surges are becoming more frequent and noticeably larger.
It would seem that this pressure should have pushed criminal groups to other platforms. In practice, nothing of the sort occurred. The report's authors found no signs of a mass exodus. Even when individual groups attempted to leave, their efforts quickly fizzled out. For example, the AKULA group briefly migrated to the SimpleX Chat messenger in 2025 , but soon returned due to the new platform's low popularity.
Telegram remains the primary communication channel. Over the past three months, researchers have recorded approximately 3 million invitation links to Telegram channels in the underground community. By comparison, its closest competitor, Discord, had a less than 6% of that number.
Instead of retreating, the attackers have changed their tactics. Channels are increasingly blocking access through membership requests to weed out automated systems and outsiders. Fake "disclaimers" mentioning Durov appear in descriptions, where administrators claim their activities are supposedly legal. At the same time, backup channels are being created to gather audiences in advance in case of a ban. Discord remains Telegram's main competitor , but its share of the underground community is incomparably smaller.
As a result, Telegram has become more restrictive, but it hasn't stopped being a convenient platform for cybercriminals. Blocks hinder work, but they don't break the system. Communities quickly recover, relocate their audiences, and continue operating almost without interruption.
