Telegram’s dark web channels: A growing hub for cyber threats


Telegram’s “dark web” channels: A safe hub for cybercrime?

Dancing around the milestone of 1 billion active users, Telegram is one of the most popular instant messaging apps on the planet. However, with a huge focus on anonymity and a dense user base, the app’s so-called “dark web” channels are quickly turning into a haven for cybercriminals. In this article, we explain the concept of Telegram’s dark web channels and their impact in fostering new cyber threats for businesses.

What is the dark web and how does Telegram fit in?

The dark web is the intentionally hidden part of the internet, accessible only through specific tools such as the Tor (The Onion Router) browser or I2P (Invisible Internet Project). It uses encryption to provide anonymity to users, their activities, and hosted websites. While some may consider the dark web and the deep web to be synonyms, the deep web is actually a much broader category that makes up the majority of the internet, yet isn’t public-facing (for example, found through most search websites) or indexed.

Like the dark web (and many other apps), Telegram uses end-to-end encryption to provide extra security. This also allows Telegram’s users to utilize features such as self-destructing messages, so-called “secret chats,” and groups that the platform's visitors can access anonymously. That is partly why these groups are often referred to as Telegram’s “dark web” channels.

Needless to say, such connotations paint a worrying picture. While Telegram is a legitimate app, unrelated to traditional dark web forums, its significant focus on anonymity may attract those who want to exploit the app’s features for nefarious purposes. Because of this risk, some sources have even labeled the app as a destination for cybercriminals[1]. And although Telegram’s owners have taken measures to limit the number of cyber threats (for example, by eliminating some of the Chinese cybercrime markets[2]), the risks seem to persist.

Telegram’s dark web channels

Telegram’s dark web channels are private or invite-only messaging groups in which users chat, share information, or otherwise collaborate among themselves. While in no way related to the dark web, these channels are nicknamed “dark web” because of the encryption and secrecy that surrounds them. This moniker also comes from the fact that threat actors often use these channels to share leaked credentials, disturbing content, or other sensitive information.

Main page of a secret group on Telegram, dedicated to data extortion.
Main page of a secret group on Telegram, dedicated to selling stolen data.

According to the Telegram moderation overview[3] page, the platform blocks tens of thousands of channels and users daily, specifically due to violation of the app’s Terms of Service. This moderation also spans millions of messages, including abusive, illegal, and otherwise harmful content. Based on Telegram’s data, more than 14 million groups and channels were blocked by the app in the first half of 2025 alone. However, even with these efforts, countless Telegram dark web groups continue to exist.

Common types of illegal activities on Telegram

The most common types of illegal activities on Telegram include:

  • Hacking and cybercrime. Some secret Telegram groups host hacker hubs in which threat actors may share their achievements or distribute malware such as phishing kits. Malware distribution is also prevalent in public Telegram channels, so users should be careful not to engage with suspicious links and users.
  • Black market transactions. Telegram’s emphasis on anonymity makes the app a perfect platform for conducting shady deals. Telegram’s dark web channels may offer users stolen credit cards, counterfeit goods, or illegal weapons and substances.
  • Fraud rings and scams. Like any other social media platform, Telegram is also full of malicious opportunists looking to scam unsuspecting users. Investment fraud, fake job listings, and social engineering schemes are just a few types of scams you may encounter in Telegram groups.
  • Corporate espionage and data leaks. Telegram’s focus on anonymity makes the platform a perfect place for sharing leaked company databases, performing insider trading, or even stealing intellectual property. Hackers may also use the platform's private groups to sell stolen information — all to the highest bidder.
  • Dark web content and underground networks. With almost a billion users, Telegram is a popular messaging app for sharing all kinds of content, including content that breaks the law. Telegram’s private (and sometimes public) groups may host pirated content, darknet drug markets, or extremist propaganda.
  • Child exploitation and illegal adult content. Similar to the dark web, Telegram’s capabilities allow malicious users to share content such as child sexual abuse material (CSAM), revenge porn, and other non-consensual content.

A message from a Telegram secret group containing a list of available illegal services.

All of these activities breach Telegram’s terms of service[4]. However, with millions of Telegram users posting terabytes of content each day, moderation is a herculean process.

Business risks: Why you should be concerned

Even though most threats on Telegram seem to be oriented towards standalone users, businesses may also face significant cyber risks. Despite the app constantly removing hacking forums, fraud rings, and black-market groups, they still reappear under new names and aliases. And since cybercriminals can operate with relative freedom in many private and invite-only Telegram channels, businesses on this platform can face risks such as:

  • Impersonation and brand scams. Threat actors can disguise themselves as representatives of legitimate businesses and use Telegram to approach users with technical support, goods, services, and fake job offers. These scams often result in identity theft and credit card fraud, causing financial loss for victims and damaging a brand’s reputation.
  • Corporate data leaks. Suffering a data breach is stressful enough, let alone finding out the company’s data has been leaked on Telegram’s private groups. Hackers may exploit the platform’s focus on anonymity to share leaked credentials, business secrets, and sensitive customer data.
  • Employee involvement. Whether intentionally or by accident, employees can also be a business risk. And it’s not just speculation — bank employees have been caught trying to sell customer data on Telegram[5] before. Alongside insider threats, accidental employee errors (such as adding the wrong person to the wrong message group) can occur too.
  • Supply chain risks. If a company suffers a supply chain cyberattack, it’s highly likely that stolen data will appear on Telegram. The platform hosts an unknown number of hidden hacker channels keen on exposing or selling stolen data.

Real cases of corporate data leaks on Telegram

The aforementioned cyber threats are not just speculation: businesses have had sensitive data exposed on Telegram before. Here are some real examples of the most relevant data leaks appearing on Telegram.

State Bank of India (SBI) employee data leak

In July 2023, hackers used Telegram’s @sbi_data channel to expose the personal information of over 12,000 SBI employees, including names, addresses, contact numbers, PAN numbers, and photo IDs. The hackers posted stolen sensitive data on the platform, claiming to have exploited the company's weak cybersecurity. According to reports, the perpetrators then disseminated the stolen information through social media platforms, eventually putting it up for sale on dark web forums. SBI faced significant reputational damage, particularly regarding its adherence to data protection regulations.

Qilin ransomware attack on Synnovis

In June 2024, the Qilin ransomware group targeted Synnovis, a laboratory services provider for National Health Service (NHS) hospitals in South-East London. The attack led to the exposure of hospital and patient data. Attackers exfiltrated 400 GB of sensitive information and subsequently leaked it on Telegram after ransom negotiations failed. The breach highlighted vulnerabilities in healthcare supply chains and the misuse of Telegram for data dissemination. Moreover, the attack led to the cancellation of over 1,100 operations and 3,000 outpatient appointments across seven major hospitals, subsequently costing £32.7 million in damages.

Morocco's Social Security database breach

In April 2025, hackers breached the systems of Morocco's National Social Security Fund (CNSS), leaking sensitive personal data on Telegram. The agency, which manages pensions and insurance for millions, confirmed that hackers bypassed its security but did not identify those responsible. Leaked data reportedly included sensitive financial information about prominent figures and institutions. While reports don’t mention any financial loss yet, the incident has caused huge reputational damage, with the anti-corruption group Transparency Maroc demanding public revelation of those responsible for auditing and managing cybersecurity systems.

How businesses can protect themselves

Protecting your business from online threats is a perpetual challenge. With cybercriminals finding new ways to breach databases, install ransomware, and otherwise harm your business, keeping up with cybersecurity trends is crucial. To limit the chances of company data appearing on Telegram, businesses should invest in strategies such as employee education, data breach monitoring, regular online system testing, and constant threat intelligence.

To save some time and effort, consider using NordStellar — a cyber threat monitoring and threat exposure management solution. NordStellar helps companies safeguard against cyber risks by thoroughly evaluating external attack surfaces. In addition, the service provides dark web monitoring tools, capable of detecting leaked credentials and other sensitive information the moment they appear on the dark web.

Know what hackers know — contact NordStellar professionals to learn how our solutions can help your organization stay ahead of cybercriminals.

References

[1] Sabin, S. (2024, August 27). How Telegram became a destination for criminals. Axios. https://www.axios.com/2024/08/27/telegram-pavel-durov-encryption-hackers-criminals

[2] Dube, M. (2025, May 16). Telegram just wiped out $35B Chinese cybercrime markets. NewsBytes. https://www.newsbytesapp.com/news/science/telegram-takes-down-35-billion-black-markets-for-stolen-data/story

[3] Telegram moderation overview. (n.d.). Telegram. https://telegram.org/moderation

[4] Terms of service. (n.d.). Telegram. https://telegram.org/tos/eu

[5] Herzlich, T. (2024, December 30). Rank-and-file bank workers sell client data to online scammers: report. New York Post. https://nypost.com/2024/12/30/business/rank-and-file-bank-workers-sell-client-data-to-online-scammers-report/


