Telegram use has been growing among cybercriminals, Intel 471 found. In fact, Telegram is considered the preferred method of anonymous communication over in-forum messaging services monitored by administrators.

The messaging service provides actors with near real-time encrypted communication when both parties are online simultaneously, whereas in-forum messaging requires waiting for unencrypted mail notifications, Intel 471 says in new research, “Why cybercriminals are flocking to Telegram.”

This lag time, along with other security risks associated with forum communications, regularly encourages actors to provide additional contact details in forum advertisements, such as email addresses and Telegram IDs, Intel 471 researchers say. “Additionally, threat actors conveniently can remain in the Telegram application for multiple levels of communication. For instance, a Telegram user can use the same handle to access individual private messages and group and channel communications, a feature that most messaging platforms have that’s not been integrated into forum communications. The messaging service also allows threat actors to bypass the need for a web host or domain service that potentially would leave them vulnerable to distributed denial-of-service (DDoS) attacks.”

In addition, where threat actors live and the language they speak can influence the decision to use underground forums or Telegram-like services. Chinese threat actors, for instance, “likely leverage Telegram to evade attention from law enforcement since most Chinese cybercrime forums and domestic IM platforms, such as WeChat or QQ, are monitored by regional authorities,” Intel 471 says. 

While Telegram does not have a direct payment option built into the platform, its simple structure makes it a go-to option for cybercriminals seeking a basic and effective method to manage and engage in illicit business. As cybercriminals find themselves making more money by using the service, Intel 471 expects Telegram to remain a key communication tool among threat actors.

For more information, visit the full report at