Telegram recently made waves by updating its privacy policy, marking a significant departure from its long-standing reputation as a haven for privacy-focused users, including cybercriminals. The messaging platform, known for its hands-off moderation approach, will now share users’ phone numbers and IP addresses with law enforcement following court orders. This change applies to various criminal investigations, expanding beyond the previous limit of only terror-related offenses. You can read the full details of the new policy on Telegram’s Privacy Policy page.

What Telegram’s New Policy Means for Privacy and Security

The update comes amidst increasing legal pressures on Telegram and its founder, Pavel Durov, after his recent detainment in France. Authorities have been pressuring Telegram to combat the illegal activities flourishing on the platform, which ultimately led to this sweeping policy update. For more context on Durov’s detainment, you can check out our blog post: Durov’s Arrest and Telegram’s Transformation.

For years, Telegram was a go-to platform for those seeking to operate below the radar of law enforcement. For more context read our report: Telegram: How a messenger turned into a cybercrime ecosystem. This update signals a turning point, as the platform will now cooperate with authorities in criminal investigations. 

How Cybercriminals Are Reacting to Telegram’s Policy Update

KELA’s research reveals widespread unease within cybercriminal communities about these changes. Groups like Ghosts of Palestine have publicly declared their intentions to leave Telegram and seek out more privacy-centric platforms. RipperSec, another prominent hacktivist group, has already begun setting up backup channels on Discord, anticipating that Telegram’s cooperation with law enforcement will pose a threat to their anonymity​. Al Ahad, also hacktivists, created a Signal group and promised to close their Telegram channel soon. The GlorySec hacktivists even mentioned they “may or may not created” Facebook and Threads accounts, though without taking any actions.

Meanwhile, other groups are taking more pragmatic approaches. UserSec, for example, is now offering tutorials on how to maintain anonymity on Telegram, sharing tips on evading detection under the new data-sharing rules. On the BF Repo V3 Chat group, a Telegram chat related to BreachForums’ users, members have even floated the idea of creating a custom messaging platform using Telegram’s GUI as a foundation to continue their activities with less risk of exposure​.

Overall, KELA has witnessed different cybercriminals discussing Jabber, Matrix, and Session as alternatives to Telegram, however, mostly for private messaging or private groups — while Telegram provides them with an opportunity to create open communities around illegal activity. So far only Discord was mentioned as a platform that can provide the same functionality, as well as Signal groups.

Despite these initial responses, there hasn’t yet been a mass exodus of cybercriminals from Telegram. However, these discussions signal potential future movement as groups and individuals weigh their options in response to the platform’s shift.

Will Telegram’s Policy Shift Impact Criminal Activity?

It is yet unclear if this policy change has the potential to significantly disrupt criminal activity on Telegram and drive them to Discord or other platforms. While cybercriminals are definitely expressing their concerns on the matter, their operations on Telegram are just too scaled to be shifted to another platform right away. 

For example, infostealers’ operations use Telegram not only to sell and share harvested data through “clouds of logs”. Read more in our blog: Telegram Clouds of Logs – the fastest gateway to your network. Commodity infostealers provoked the emergence of cybercriminal gangs and teams working together to infect as many people as possible. To coordinate their activities, many use Telegram, creating all types of tools: channels for hiring new traffers and advertising the team, public and private chats for coordinating activities and discussions, and Telegram bots for automating tasks, payments and more. Such behavior is common among many malware-as-a-service operations, as well as hacktivists and other cybercriminals.  

Moreover, Telegram’s new dedicated team of moderators, leveraging AI, is stepping up efforts to monitor and remove illegal content from its search features. This heightened focus on moderation could make it more difficult for cybercriminals to operate openly on the platform​. However, many of them are used to deal with such barriers. As seen with groups like UserSec, some may attempt to exploit loopholes or develop strategies to continue their operations despite these new challenges. KELA is aware of cybercriminals maintaining backup Telegram channels for a while now; usually, once their main channel is banned, they will switch to another one, which was proactively advertised to their followers.

The policy shift won’t eliminate cybercrime on Telegram, but it’s likely to change how threat actors operate in the short and long term.

What This Means for Threat Intelligence: Insights from KELA

For companies like KELA, these changes present both challenges and opportunities. While some cybercriminals may move to other platforms, KELA’s unmatched coverage ensures we continue to track and monitor activity across a wide range of forums and messaging apps. It’s not just about knowing the right sources — it’s about gaining access to these underground communities. KELA’s combination of human expertise and advanced technology provides unique access to forums and channels that are often hidden from other intelligence providers.

This constant vigilance allows us to stay ahead of emerging trends, tracking where threat actors are moving and how they are attempting to evade detection. By adapting quickly to shifts in the cybercrime landscape, KELA ensures our clients receive actionable insights, helping them to stay proactive in their defense strategies, even as platforms like Telegram evolve.

Conclusion: The Future of Telegram and Cybercrime

Telegram’s recent policy shift is a clear response to mounting legal pressure and a broader need to curb the platform’s use for illegal activities. While the new rules may drive some criminals to more secure platforms, Telegram’s 900 million active users mean it will likely remain a key player in the cybercrime ecosystem for the time being

As these changes take hold, KELA will continue to provide critical intelligence on how threat actors are adapting to the evolving landscape, ensuring that security teams stay one step ahead of malicious activity.