
Lukas Tamašiūnas
Dark web
Dancing around the milestone of 1 billion active users, Telegram is one of the most popular instant messaging apps on the planet. However, with a huge focus on anonymity and a dense user base, the app’s so-called “dark web” channels are quickly turning into a haven for cybercriminals. In this article, we explain the concept of Telegram’s dark web channels and their impact in fostering new cyber threats for businesses.
The dark web is the intentionally hidden part of the internet accessible only through specific tools, such as the Tor (The Onion Router) browser or I2P (Invisible Internet Project). It uses encryption to provide anonymity to users, their activities, and hosted websites. While some may consider the dark web and the deep web to be synonyms, the deep web is actually a much broader class that makes up the majority of the internet, yet isn’t public-facing or indexed (for example, it can’t be found through most search websites).
Like the dark web (and many other apps), Telegram uses end-to-end encryption to provide extra security. This also allows Telegram’s users to utilize features such as self-destructing messages, so-called “secret chats,” and groups that the platform’s visitors can access anonymously. That is partly why these groups are often referred to as Telegram’s “dark web” channels.
Needless to say, such connotations paint a worrying picture. While Telegram is a legitimate app, unrelated to traditional dark web forums, its significant focus on anonymity may attract those who want to exploit the app’s features for nefarious purposes. Because of this risk, some sources have even labeled the app as a destination for cybercriminals[1]. And although Telegram’s owners have taken measures to limit the number of cyber threats (for example, by eliminating some of the Chinese cybercrime markets[2]), the risks seem to persist.
Telegram’s dark web channels are private or invite-only messaging groups in which users chat, share information, or otherwise collaborate among themselves. While in no way related to the dark web, these channels are nicknamed “dark web” because of the encryption and secrecy that surrounds them. This moniker also comes from the fact that threat actors may often use these channels to share leaked credentials, disturbing content, or other sensitive information.
According to the Telegram moderation overview[3] page, the platform blocks tens of thousands of channels and users daily, specifically due to violations of the app’s Terms of Service. This moderation also spans millions of messages, including abusive, illegal, and otherwise harmful content. Based on Telegram’s data, more than 14 million groups and channels have been blocked by the app in the first half of 2025 alone. However, even with these efforts, countless Telegram dark web groups continue to exist.
The most common types of illegal activities on Telegram include:
All of these activities breach Telegram’s terms of service[4]. However, with millions of Telegram users posting terabytes of content each day, moderation is a herculean process.
Even though most threats on Telegram seem to be oriented towards standalone users, businesses may also face significant cyber risks. Despite the app constantly removing hacking forums, fraud rings, and black-market groups, they still reappear under new names and aliases. And since cybercriminals can operate with relative freedom in many private and invite-only Telegram channels, businesses on this platform can face risks such as:
The aforementioned cyber threats are not just speculation: businesses have suffered from sensitive data leaks on Telegram before. Here are some real examples of the most relevant data leaks appearing on Telegram.
In July 2023, hackers used Telegram’s @sbi_data channel to expose the personal information of over 12,000 SBI employees, including names, addresses, contact numbers, PAN numbers, and photo IDs. The hackers posted stolen sensitive data on the platform, claiming to have exploited the company’s weak cybersecurity. According to the reports, the perpetrators then disseminated the stolen information through social media platforms, eventually putting it up for sale on dark web forums. SBI faced significant reputational damage, particularly regarding its adherence to data protection regulations.
In June 2024, the Qilin ransomware group targeted Synnovis, a laboratory services provider for National Health Service (NHS) hospitals in South-East London. The attack led to the exposure of hospital and patient data. Attackers exfiltrated 400 GB of sensitive information and subsequently leaked it on Telegram after ransom negotiations failed. The breach highlighted vulnerabilities in healthcare supply chains and the misuse of Telegram for data dissemination. Moreover, the attack led to the cancellation of over 1,100 operations and 3,000 outpatient appointments across seven major hospitals, subsequently costing £32.7 million in damages.
In April 2025, hackers breached the systems of Morocco’s National Social Security Fund (CNSS), leaking sensitive personal data on Telegram. The agency, which manages pensions and insurance for millions, confirmed that hackers bypassed its security but did not identify those responsible. Leaked data reportedly included sensitive financial information about prominent figures and institutions. While reports don’t mention any financial loss yet, the incident has caused huge reputational damage, with the anti-corruption group Transparency Maroc demanding public revelation of those responsible for auditing and managing cybersecurity systems.
Protecting your business from online threats is a perpetual challenge. With cybercriminals finding new ways to breach databases, install ransomware, and otherwise harm your business, keeping up with cybersecurity trends is crucial. To limit the chances of your company’s data appearing on Telegram, companies should invest in strategies such as employee education, data breach monitoring, regular online system testing, and constant threat intelligence.
To save some time and effort, consider using NordStellar — a cyber threat monitoring and threat exposure management solution. NordStellar helps companies safeguard against cyber risks by thoroughly evaluating external attack surfaces. In addition, the service provides dark web monitoring tools, capable of detecting leaked credentials and other sensitive information the moment they appear on the dark web.
Know what hackers know — contact NordStellar professionals to learn how our solutions can help your organization stay ahead of cybercriminals.
[1] Sabin, S. (2024a, August 27). How Telegram became a destination for criminals. https://www.axios.com/2024/08/27/telegram-pavel-durov-encryption-hackers-criminals
[2] Dube, M. (2025, May 16). Telegram just wiped out $35B Chinese cybercrime markets. NewsBytes. https://www.newsbytesapp.com/news/science/telegram-takes-down-35-billion-black-markets-for-stolen-data/story
[3] Telegram moderation overview. (n.d.). Telegram. https://telegram.org/moderation
[4] Terms of service. (n.d.). Telegram. https://telegram.org/tos/eu
[5] Herzlich, T. (2024, December 30). Rank-and-file bank workers sell client data to online scammers: report. New York Post. https://nypost.com/2024/12/30/business/rank-and-file-bank-workers-sell-client-data-to-online-scammers-report/