Telegram entered 2025 under unprecedented pressure. Public scrutiny, regulatory attention, and leadership turmoil forced the platform to do something it had long resisted: enforce at scale.
Moderation volumes surged, automation expanded, and millions of channels and groups were removed in a single year. On paper, this looks like a turning point.
In practice, cybercriminal activity on Telegram did not collapse; it evolved.
What we are seeing in 2026 is not a mass exodus from the platform, nor a meaningful decline in threat actor coordination. Instead, Telegram’s crackdown has triggered a familiar pattern: criminal ecosystems adapt faster than platforms can reform.
Read the just-released Telegram report by Tal Samra and Or Shichrur for evasion methods, statistics, and monitoring recommendations:
https://checkpoint.cyberint.com/telegrams-crackdown-criminal-resilience
Over 43 Million Channels & Groups Blocked
Telegram’s own transparency data shows a dramatic rise in takedowns throughout 2025, with baseline moderation levels climbing sharply and staying high into early 2026. Peaks that once appeared sporadically now occur regularly, some reaching hundreds of thousands of removals in a single day.
Yet scale alone does not determine effectiveness.
Our tracking shows that while over 43 million channels and groups were blocked in 2025, only a fraction were tied to activity that directly impacts businesses and organizations. Carding operations, Fullz marketplaces, and hacking communities were disrupted repeatedly, but rarely dismantled. The same actors reappeared under new names, new links, and new access models, often within days.
Telegram has raised the cost of operating openly, but not high enough to force migration or abandonment.
Why threat actors stayed when many expected them to leave
During moments of uncertainty, especially following the arrest of Pavel Durov in late 2024, underground discussions briefly focused on alternatives. Smaller platforms and privacy-focused messengers were tested. But none gained traction. Why?
The reason is simple. Telegram still delivers unmatched reach, discovery, and network effects. In our analysis of invite links shared across underground forums and marketplaces, Telegram outpaced every other messaging platform by orders of magnitude. The closest alternative accounted for less than six percent of the volume.
Criminal ecosystems rely on scale. Recruitment, reputation, distribution, and monetization all benefit from visibility. Telegram continues to provide that at a level no competitor matches. As long as that remains true, moderate pressure alone will not displace it.
Adaptation is now the primary defense mechanism
Rather than migrate, threat actors refined how they operate.
We see widespread use of gated access through request-to-join features designed to block automated moderation tools. Channel bios increasingly include performative compliance disclaimers, often tagging Telegram leadership directly, despite ongoing illicit activity. Backup channels are created in advance and bundled into private community structures so audiences can be reassembled quickly after takedowns.
One notable pattern is the separation of functions. Telegram remains the broadcast and coordination layer, while one-to-one negotiations or sensitive exchanges move briefly to other platforms or private conversations before returning. This hybrid approach minimizes exposure without sacrificing reach.
What this means for security professionals and SOC teams
The rising baseline of Telegram’s moderation activity shows continued investment and automation. But enforcement has resulted in containment, not eradication.
For security teams, this has two implications.
- First, monitoring Telegram remains non-optional. It continues to be a primary signal source for early indicators of fraud, data exposure, brand abuse, and emerging attack infrastructure.
- Second, static detection is insufficient. The pace at which threat actors recreate channels and reshape communities requires continuous tracking, correlation, and validation.
Beyond that, understanding which activity affects your brand and how it connects to real risk is crucial. This is where a gap often appears. Intelligence without context and action is often pointless and overwhelms teams. Context without action delays response. That is where actions such as takedowns, leaked credential remediation, IPS controls, IoC dissemination, virtual patching, and more need to happen at lightning speed.
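The continuous tracking and correlation called for above can be sketched as a lineage check that links a blocked channel to its likely re-creation. This is an added example, not code from the report or from Check Point; the record schema, the 14-day window, the 0.8 similarity threshold and the stripped suffix words are assumptions, and the sample data is constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from difflib import SequenceMatcher
from typing import Optional

@dataclass
class Channel:  # one record from a hypothetical monitoring feed (constructed schema)
    link: str
    title: str
    first_seen: date
    blocked_on: Optional[date] = None
    advertised: set = field(default_factory=set)  # links the channel posted to members

def norm(title: str) -> str:
    # Assumption: re-created channels vary case, digits and suffixes, so strip them.
    t = re.sub(r"\b(backup|new|reborn|v\d+)\b", " ", title.lower())
    return re.sub(r"[^a-z]+", "", t)

def successors(channels, max_gap_days=14, min_sim=0.8):
    """Return (old_link, new_link, reason) for likely re-creations of blocked channels."""
    out = []
    for old in (c for c in channels if c.blocked_on):
        for new in channels:
            if new is old or new.first_seen < old.first_seen:
                continue
            if new.link in old.advertised:  # backup announced before the takedown
                out.append((old.link, new.link, "pre-announced backup"))
                continue
            gap = (new.first_seen - old.blocked_on).days
            sim = SequenceMatcher(None, norm(old.title), norm(new.title)).ratio()
            if 0 <= gap <= max_gap_days and sim >= min_sim:
                out.append((old.link, new.link, "similar name within window"))
    return out

# Constructed sample observations; links and titles are placeholders, not real channels.
SAMPLE = [
    Channel("invite-A", "Acme Logs Market", date(2025, 3, 1), date(2025, 6, 10), {"invite-B"}),
    Channel("invite-B", "Reserve Room", date(2025, 5, 20)),
    Channel("invite-C", "ACME L0GS MARKET v2", date(2025, 6, 13)),
    Channel("invite-D", "Weather Updates", date(2025, 6, 12)),
]

if __name__ == "__main__":
    for edge in successors(SAMPLE):
        print(edge)
```

Each edge is a candidate for analyst validation, not a confirmed attribution; the thresholds trade missed re-creations against false links.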
Telegram is not going anywhere.
Despite aggressive moderation, Telegram remains the dominant hub for cybercriminal communication and the platform of choice, making continuous monitoring essential as threat actors adapt to ongoing enforcement. Understanding how criminals adapt under pressure is more valuable than counting how many channels disappear.
Read the full report for evasion methods, statistics, and monitoring recommendations:
https://checkpoint.cyberint.com/telegrams-crackdown-criminal-resilience
About the Author: Yochai Corem is VP of Exposure Management at Check Point Software, where he leads the Exposure Management unit following the acquisitions of Cyberint, Veriti and Cyclops. He brings more than 20 years of experience across cyber security sales, product leadership, marketing, and business development.
Before joining Check Point, Yochai served as CEO of Cyberint, building a threat intelligence platform focused on external attack surfaces and underground ecosystems. Under his leadership, Cyberint combined domain expertise with advanced intelligence to elevate external risk management.
Yochai is recognized for advancing unified exposure management by integrating internal telemetry, external intelligence, and safe automated remediation, helping organizations move from visibility to measurable risk reduction.




