Telegram’s dark web channels: a growing hub for cyber threats


Telegram’s “dark web” channels: A safe hub for cybercrime?

With over 1 billion active users, Telegram is one of the most popular instant messaging apps on the planet. However, its heavy focus on anonymity and its massive user base have made it a haven for cybercriminals—a space often referred to as Telegram’s dark web. In this article, we explain how this ecosystem works and how it fosters new cyber threats for businesses.

Key takeaways

  • With nearly 1 billion users and a focus on anonymity, Telegram has become a primary hub for cybercriminals to share leaked data and collaborate.
  • While the app is legitimate, private Telegram channels often host illicit activities ranging from corporate espionage and malware distribution to brand impersonation.
  • Modern dark web monitoring must extend beyond traditional forums to include encrypted messaging apps, as effectively monitoring Telegram allows security teams to identify leaked credentials or company databases before they are exploited.

What is the dark web and how does Telegram fit in?

The dark web is the intentionally hidden part of the internet, accessible only through specific tools such as the Tor (The Onion Router) browser or I2P (Invisible Internet Project). It uses encryption to provide anonymity to users, their activities, and hosted websites. While some may consider the dark web and the deep web to be synonyms, the deep web is actually a much broader category that makes up the majority of the internet: content that isn't public-facing or indexed (for example, it can't be found through most search engines).

Like the dark web, Telegram (and many other apps) uses end-to-end encryption to provide extra security. This also allows Telegram's users to utilize features such as self-destructing messages, so-called “secret chats,” and groups that the platform's visitors can access anonymously. That is partly why these groups are often referred to as Telegram's “dark web” channels.

Needless to say, such connotations draw a worrying picture. While Telegram is a legitimate app, unrelated to traditional dark web forums, its focus on anonymity and privacy may attract those who want to exploit the app's features for malicious purposes. Because of this risk, some sources have even labeled the app as a destination for cybercriminals. And although Telegram's owners have taken measures to limit the number of cyber threats (for example, by eliminating some of the Chinese cybercrime markets), the risks seem to persist.

Telegram's dark web channels are private or invite-only messaging groups, in which users chat, share information, or otherwise collaborate with each other. This moniker also comes from the fact that threat actors may often use these channels to share leaked credentials, disturbing content, or other sensitive information.

Main page of a secret group on Telegram, dedicated to data extortion.
Main page of a secret group on Telegram, dedicated to selling stolen data.

According to the Telegram moderation overview page, the platform blocks tens of thousands of channels and users daily, specifically due to violations of the app's Terms of Service. This moderation also spans millions of messages, including abusive, illegal, and otherwise harmful content. Based on Telegram's data, more than 14 million groups and channels have been blocked by the app in the first half of 2025 alone. However, even with these efforts, countless Telegram dark web groups continue to exist.

Common types of illegal activities on Telegram

The most common types of illegal activities on Telegram include:

  • Hacking and cybercrime. Some secret Telegram groups host hacker hubs in which threat actors may share their achievements or distribute malware such as phishing kits. Malware distribution is also prevalent in public Telegram channels, so users should be careful not to engage with suspicious links and users.
  • Black market transactions. Telegram's emphasis on anonymity makes the app a perfect platform for conducting shady deals. Dark web Telegram channels may offer users stolen credit cards, counterfeit goods, or illegal weapons and substances.
  • Fraud rings and scams. Like any other social media platform, Telegram is also full of malicious opportunists looking to scam unsuspecting users. Investment fraud, fake job listings, and social engineering schemes are just a few types of scams you may encounter in Telegram groups.
  • Corporate espionage and data leaks. Telegram's focus on anonymity makes the platform a perfect place for sharing leaked company databases, performing insider trading, or even stealing intellectual property. Hackers may also use the platform's private groups to sell stolen information — all to the highest bidder.
  • Dark web content and underground networks. With almost a billion users, Telegram is a popular messaging app to share all kinds of content, including some that breaks the law. Telegram's private (and sometimes, public) groups may host pirated content, darknet drug markets, or extremist propaganda.
  • Child exploitation and illegal adult content. Similar to the dark web, Telegram's capabilities allow malicious users to share content such as child sexual abuse material (CSAM), revenge porn, and other non-consensual content.

A message from a Telegram secret group containing a list of available illegal services.

All of these activities breach Telegram's terms of service. However, with millions of users posting terabytes of content each day, moderation is a herculean process.

Business risks: why you should be concerned

Even though most threats on Telegram seem to be oriented towards individual users, businesses may also face cyber risks. Despite the app constantly removing hacking forums, fraud rings, and black-market groups, they still reappear under new names and aliases. And since cybercriminals can operate with relative freedom in many private and invite-only Telegram channels, businesses on this platform can face risks such as:

  • Impersonation and brand scams. Threat actors can disguise themselves as representatives of legitimate businesses and use Telegram to approach users with technical support, goods, services, and fake job offers. These scams often result in identity theft and credit card fraud, causing financial loss for victims and damaging a brand's reputation.
  • Corporate data leaks. Suffering a data breach is stressful enough, let alone finding out the company's data has been leaked on Telegram's private groups. Hackers may exploit the platform's focus on anonymity to share leaked credentials, business secrets, and sensitive customer data.
  • Employee involvement. Whether intentionally or by accident, employees can also be a business risk. And it's not just speculation—bank employees have been caught trying to sell customer data on Telegram before. Alongside insider threats, accidental employee errors, such as adding the wrong person to the wrong message group, can occur, too.
  • Supply chain risks. If a company suffers a supply chain cyberattack, it's highly likely that stolen data will appear on Telegram. The platform hosts an unknown number of hidden hacker Telegram channels keen on exposing or selling stolen data.

Real cases of corporate data leaks on Telegram

These cyber threats are not just speculation—businesses have had sensitive data exposed on Telegram before. Here are some real examples of the most relevant data leaks that appeared on Telegram.

State Bank of India (SBI) employee data leak

In July 2023, hackers used Telegram's @sbi_data channel to expose the personal information of over 12,000 SBI employees, including names, addresses, contact numbers, PAN numbers, and photo IDs. The hackers posted stolen sensitive data on the platform, claiming to have exploited the company's weak cybersecurity.

According to reports, the perpetrators then disseminated the stolen information through social media platforms, eventually putting it up for sale on dark web forums. SBI faced reputational damage, particularly regarding its compliance with data protection regulations.

Qilin ransomware attack on Synnovis

In June 2024, the Qilin ransomware group targeted Synnovis, a laboratory services provider for National Health Service (NHS) hospitals in South-East London. The attack led to the exposure of hospital and patient data. Attackers exfiltrated 400 GB of sensitive information and subsequently leaked it on Telegram after ransom negotiations failed. The breach highlighted vulnerabilities in healthcare supply chains and the misuse of Telegram for data dissemination.

Moreover, the attack led to the cancellation of over 1,100 operations and 3,000 outpatient appointments across seven major hospitals, subsequently costing £32.7 million in damages.

Morocco's Social Security database breach

In April 2025, hackers breached the systems of Morocco's National Social Security Fund (CNSS), leaking sensitive personal data on Telegram. The agency, which manages pensions and insurance for millions of people, confirmed that hackers bypassed its security. Leaked data reportedly included confidential financial information about prominent figures and institutions. While reports don't mention any financial loss, the incident has caused huge reputational damage, with the anti-corruption group Transparency Maroc demanding public revelation of those responsible for auditing and managing cybersecurity systems.

How businesses can protect themselves

Protecting your business from online threats is a perpetual challenge. With cybercriminals finding new ways to breach databases, install ransomware, and otherwise harm your business, keeping up with cybersecurity trends is crucial. To limit the chances of your company's data appearing on Telegram, companies should invest in strategies such as employee education, data breach monitoring, regular online system testing, and constant threat intelligence.

To save time and effort, consider using NordStellar—Threat Exposure Platform. NordStellar helps companies safeguard against cyber risks by thoroughly evaluating external attack surfaces. In addition, the service provides Dark Web Monitoring tools, capable of detecting leaked credentials and other sensitive information the moment they appear on the dark web or a Telegram channel.
