Telegram is increasingly being used as a marketplace and coordination layer for cybercrime and hacktivist activity, offering criminals a faster and more accessible alternative to traditional underground forums hosted on the Tor network, according to new threat research.
A report by the cyber threat intelligence firm CYFIRMA, summarised by the security site Hackread, argues that Telegram now functions as a central “office” for multiple types of malicious actor: financially motivated criminals selling access and malware; hacktivist groups mobilising supporters; and state-linked operators distributing narratives and leaks.
The shift is presented as partly practical. Tor-based forums have historically required specialist knowledge to access, while also being exposed to law-enforcement disruption. Telegram, by contrast, provides public channels, rapid broadcasting, simple file sharing, and a low barrier to entry. New channels can be created quickly if older ones are removed, allowing groups to maintain continuity and retain audiences.
CYFIRMA’s assessment describes Telegram channels where criminal groups advertise “initial access” to corporate networks, including remote access services and VPN gateways. Sellers sometimes publish evidence of access, such as screenshots of portals and cloud dashboards, including environments hosted on Microsoft Azure and Amazon Web Services. The same channels may offer subscriptions to malware or bundled datasets of usernames and passwords, reflecting an established market for compromised credentials and stealer logs.
Automation is a significant factor. Telegram bots can support criminal transactions by checking credentials, confirming payments, or managing subscriptions, reducing the time and negotiation that previously characterised forum-based trading. That can make procurement of illicit services resemble standard online purchasing, with the messaging platform providing both storefront and customer support.
The research also highlights intimidation tactics used in extortion campaigns. Groups can use public channels to pressure victims by publishing samples of stolen files and posting countdowns to full disclosure, seeking to force payment before an announced deadline. Telegram’s broadcast format enables this approach at scale, with direct reach to journalists, researchers, and other observers who monitor such channels.
The reported ecosystem includes hacktivist and politically aligned actors. ENISA’s Threat Landscape 2025, which reviews incidents affecting the EU between July 2024 and June 2025, notes that hacktivist activity accounted for almost 80 per cent of recorded incidents in its dataset, driven mainly by low-level distributed denial-of-service attacks. The report also describes how cybercriminal operators respond to law-enforcement pressure by decentralising operations and adapting tactics, including aggressive extortion.
Telegram’s role in hacktivist operations has been documented across multiple investigations. The pro-Russia group NoName057(16) has been linked to a volunteer-driven DDoS model in which supporters are recruited via Telegram and directed to use a toolkit known as DDoSia. Researchers describe this as a way of distributing participation beyond a core group, expanding the volume of traffic directed at selected targets.
For some groups, Telegram is not only a coordination channel but also a public venue for claims of responsibility. Participants can be instructed to flood particular websites and then encouraged to share results, while organisers publish updates and screenshots. CYFIRMA’s report, as presented by Hackread, names groups including NoName057 and Cyber Fattah as examples of actors using Telegram-linked mobilisation to run DDoS operations.
The pattern is also visible among smaller collectives. Arctic Wolf’s profile of the Indonesian hacking group IndoHaxSec describes how the group uses its Telegram presence alongside tactics such as website defacement, DDoS activity, and “hack-and-leak” operations, demonstrating how Telegram channels can serve as a hub for communication, publicity, and recruitment.
For defenders, the operational implications are clear: activity that once clustered on closed forums and dark web markets is increasingly visible in semi-public spaces. That visibility can aid monitoring, but it also lowers friction for would-be buyers and participants. The marketplace model described by CYFIRMA places a premium on basic security controls that reduce the value of stolen credentials, including phishing-resistant multi-factor authentication for remote access, and tighter monitoring of cloud administrative panels and exposed services.
Telegram has long positioned itself as a general-purpose communications platform. The CYFIRMA findings suggest that, for many malicious actors, it is increasingly treated as infrastructure: a place to advertise services, manage transactions, mobilise supporters, and apply pressure on victims in real time.