Telegram’s Trust & Safety Paradox: How Telegram’s New Measures Complicate Threat Actor Investigations 

April 15, 2025

Telegram, once the Wild West of chat applications, has undergone significant changes. This shift came after its CEO and founder faced legal troubles with French authorities. (We recently covered this situation in another blog; if you haven’t read it, I highly recommend checking it out.)

In short, Telegram is now implementing new trust and safety measures aimed at making the platform safer for users and curbing cybercrime. These efforts include banning and shutting down cybercrime-related channels, as well as making it harder to find them when they do operate. 

At first glance, this sounds like a huge win, something worth celebrating. We should be cheering, maybe even organizing a parade in honor of these developments. 

However, before we start throwing confetti, there’s a significant problem: these cybercriminal channels are still operating—they’re just harder for investigators to track and monitor. 

Locks only keep honest people honest… or, in this case, anything good on the internet can also be used for bad. 

This isn’t meant to be a criticism of Telegram (though it might sound like one), but rather an expression of investigator frustration. I fully support Telegram’s efforts to prevent illicit activities on its platform. It’s an uphill battle, especially considering how much easier it was for threat actors to operate on Telegram compared to traditional dark web sites. 

Previously, Telegram had key advantages for cybercriminals: 
👍 Ease of access – Unlike dark web forums that require special browsers, Telegram is readily available. 
👍 Simple search functionality – No need to memorize or hunt for links; just use the search bar. 
👍 A wider customer base – More users meant more potential buyers for illicit services. 

For investigators, this also made Telegram a gold mine of intelligence, until now. 

The issue isn’t just that threat actors aren’t getting the hint to leave Telegram. It’s that the new safety measures make investigating them exponentially more difficult. 

  • Frequent bans, frequent reappearances – Some channels are getting shut down weekly, if not daily, only to resurface under new names. 
  • Time-consuming investigations – Investigators now have to spend considerable time tracking a single channel and its possible reincarnations. 
  • Obscured search results – Telegram has adjusted its search algorithm, making it harder to locate certain channels, even when using exact keywords. 

Take the following example: 

A cybercriminal channel was banned and then quickly reopened. You’d assume it would be easy to find again, but if you search for a keyword from the screenshot, like “txtlog”, the new version of the channel won’t appear in the results. 

For threat intelligence teams, this is a nightmare. Valuable intelligence is still out there, but now there’s a significant delay before someone manages to find it. This lag time creates a window of opportunity for cybercriminals to regroup and continue their activities unchecked. 

To conclude this rant, I want to acknowledge that Telegram’s efforts are commendable. Their actions prove that they are taking a stronger stance against cybercrime on their platform. 

As someone with experience in social media trust and safety, I understand the immense challenge of moderating a platform at this scale. But the fight isn’t over. The real goal should be deterring threat actors from returning at all, rather than just making it harder to find them. 

Hopefully, with continued improvements, Telegram can reach a point where cybercriminals realize it’s no longer a viable option—and investigators don’t have to spend all their time chasing shadows. 



Copyright © 2024 DarkOwl, LLC All rights reserved.