What Telegram’s Policy Shift Means for Cybercrime and Security Teams

As Telegram Clamps Down, Cybercrime Spreads Out

Telegram’s policy shift is changing the environment of cybercrime. With over 900 million monthly active users and growing by nearly 2.5 million users daily, Telegram has been one of the most widely used messaging apps among cybercriminals, hacktivist groups, and privacy-conscious users. Its appeal was simple: strong encryption, anonymous sign-ups, and a hands-off approach to content moderation. But after the arrest of CEO Pavel Durov in France on August 24, 2024, Telegram quietly made major updates to its privacy policy and FAQ. The platform now allows users to report illegal activity, and it commits to disclosing IP addresses and phone numbers (if available) upon receipt of a valid court order.

These changes are being welcomed by some—but they also raise new questions for cybersecurity professionals. Threat actors are already shifting tactics, and for red teams, analysts, and defenders, the threat surface is becoming more fragmented.

What’s Changed in Telegram’s Policy?

1. Moderation Is Now Possible

Telegram’s long-standing stance of not moderating content in private chats has changed. While chats are still end-to-end encrypted, Telegram now allows users to report illegal activity within public and group channels. These reports can trigger either automated takedown processes or manual review by Telegram staff.

2. User Data Is No Longer Off-Limits

Telegram’s updated privacy policy now states that the platform will share user IP addresses and phone numbers if a valid court order is provided. Previously, Telegram refused to cooperate with law enforcement unless a request involved terrorism.

3. Anonymous Sign-Up Still Exists

Users can still register with an anonymous number purchased on the blockchain-based Fragment platform. These +888 numbers aren’t tied to real identities, meaning that even if Telegram is ordered to hand over a phone number, it may not lead to a useful identity. However, IP addresses can still offer traceability.

4. The Audience Is Still Huge

Telegram’s global user base gives it immense reach. As of late 2024, it had around 900 million monthly active users, making it a valuable platform for cybercriminal campaigns such as Malware-as-a-Service (MaaS) and ransomware distribution.

Why Cybercriminals Are Leaving Telegram

Not all threat actors are willing to stick around. Within weeks of the policy shift, the Bl00dy ransomware gang publicly announced their departure from Telegram, citing the change as a direct reason. Several hacktivist groups and deep web forums echoed similar concerns.

Instead, they’ve started migrating to more decentralized or closed platforms like:

  • Signal
  • Session
  • Tox
  • Matrix
  • Jabber/XMPP clients

These platforms offer stronger anonymity, reduced oversight, and often lack the moderation infrastructure that Telegram has now introduced.

But Telegram isn’t empty. Larger ransomware syndicates and cybercriminal businesses that rely on reach and automation still use the platform—especially for public announcements, affiliate recruitment, and bot-based scams.

Are Cybercriminals Really Leaving Telegram?

Not entirely.

While some groups—like the Bl00dy ransomware gang—have exited Telegram, this isn’t a mass exodus. What’s really happening is a tactical shift.

  • Smaller actors and risk-conscious hackers are migrating to apps like Session, Tox, and Matrix.
  • Larger operations still use Telegram for broadcasting campaigns, onboarding affiliates, and automating services.
  • Telegram’s anonymous signup option via Fragment means many users still enjoy a level of operational cover, making law enforcement requests for user data less effective in certain cases.

In short, cybercriminals are diversifying. They’re reducing exposure, spreading across platforms, and adapting to Telegram’s new rules rather than abandoning the app entirely.

What This Means for Cybersecurity Teams

Telegram used to be a high-value intelligence source, especially with many public-facing channels where threat actors coordinated openly. But this recent policy update is causing a fragmentation of cybercrime activity, which creates new tracking and visibility challenges.

| Before | Now |
| --- | --- |
| Centralized criminal chatter on Telegram | Fragmented across many platforms |
| Few legal mechanisms for data access | IP and phone data available via court order |
| Open-source intel from public channels | Encrypted and invite-only rooms growing |
| Consistent attack patterns | Dispersed behavior across apps with varied tooling |

This makes life harder for:

  • Threat intel teams that previously relied on Telegram channels for insights
  • Red teams trying to simulate emerging threat behavior
  • Law enforcement attempting to track criminal networks

Four Actions for Security Leaders to Take Now

1. Broaden Visibility Beyond Telegram

Cybercrime isn’t disappearing; it’s just moving. Expand monitoring tools to include:

  • Session
  • Signal
  • Matrix
  • Tox
  • XMPP-based networks
  • Blockchain-linked forums

Also consider tracking wallet addresses and transaction flows that might link users across these networks.

2. Leverage AI-Powered Behavioral Analytics

Even when platforms change, threat actor behavior tends to repeat. Use:

  • Stylometry to profile writing patterns and cross-match them across different platforms
  • Interaction timing and emoji usage to create behavioral fingerprints
  • Bot detection to identify campaigns using automated scripts
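
An added illustration (not from the original article) of the behavioral-fingerprint idea in the list above: character trigrams for writing style, emoji frequencies, and posting-hour histograms are each compared with cosine similarity to rank candidate handles on another platform against a known actor. The feature weights, handle names, and sample posts are constructed assumptions.

```python
import math
import re
from collections import Counter

# Covers the common emoji blocks only; enough for this illustration.
EMOJI = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF]")
# Assumed weights for the three feature families; tune on labelled data.
WEIGHTS = {"style": 0.6, "emoji": 0.2, "timing": 0.2}

def features(posts):
    """posts: list of (utc_hour, text) -> one Counter per feature family."""
    style, emoji, timing = Counter(), Counter(), Counter()
    for hour, text in posts:
        norm = re.sub(r"\s+", " ", text.lower())
        # Character trigrams capture spelling, punctuation and spacing habits.
        style.update(norm[i:i + 3] for i in range(len(norm) - 2))
        emoji.update(EMOJI.findall(text))
        timing[hour] += 1
    return {"style": style, "emoji": emoji, "timing": timing}

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * \
           math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def similarity(posts_a, posts_b):
    fa, fb = features(posts_a), features(posts_b)
    return sum(w * cosine(fa[k], fb[k]) for k, w in WEIGHTS.items())

def rank_candidates(known, candidates):
    """Score every candidate handle against the known actor, best first."""
    scored = {h: similarity(known, p) for h, p in candidates.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)

FIRE, THUMB = "\U0001F525", "\U0001F44D"
# Constructed sample posts: (UTC hour, text). Handles are hypothetical.
KNOWN = [(2, "new list posted!! dm 4 price " + FIRE * 2),
         (3, "escrow only, no time wasters!! " + FIRE),
         (2, "restock 2morrow, dm 4 details")]
CANDIDATES = {
    "matrix_user_a": [(3, "fresh batch posted!! dm 4 price " + FIRE),
                      (2, "no time wasters!! escrow only " + FIRE * 2)],
    "matrix_user_b": [(14, "Good afternoon. The update is available; "
                           "please contact me for pricing. " + THUMB),
                      (15, "Kindly note that support hours are limited.")],
}

if __name__ == "__main__":
    for handle, score in rank_candidates(KNOWN, CANDIDATES):
        print(f"{handle}: {score:.2f}")
```

With only a handful of posts per handle the scores are indicative at best; a usable profile needs far more text and activity per account.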

3. Combine AI with Human Context

AI tools can’t operate in isolation. Blend automation with analyst reviews to filter false positives and gain clarity. Collaborate with security communities to share verified indicators across platforms.

4. Update Legal and IR Playbooks

Ensure your team knows:

  • How to issue and follow through with subpoenas to Telegram and similar platforms
  • The legal steps needed to request IP data
  • How to incorporate decentralized platforms into incident response simulations
  • What indicators can still be gathered from blockchain-based anonymous signups

What’s Next

Telegram’s new moderation policy is a step forward for public safety, but not a knockout blow to cybercrime. It’s more likely to displace bad actors than dismantle them. As they migrate to fragmented and harder-to-monitor platforms, the tools and playbooks that worked before will fall short.

The concern isn’t just about smaller groups finding new homes. It’s about the rising use of decentralized and even state-run platforms, which will become the next operational bases for state-sponsored cybercrime, espionage, and financially motivated APTs.

Final Thoughts

Telegram’s policy update represents a shift—not an end. Security teams that see this as an opportunity to rethink how they monitor, analyze, and attribute threats across multiple platforms will be better positioned for what comes next. Criminals adapt fast. Defense teams must adapt faster. That means investing in cross-platform intelligence, AI-driven profiling, and legal preparedness. Telegram is still important—but it’s no longer the whole picture.

Author

  • Maya Pillai is a tech writer with 20+ years of experience and a diploma in Computer Applications. She specializes in cybersecurity—covering ransomware, endpoint protection, and online threats—on her blog The Review Hive. Her content makes cybersecurity simple for individuals and small businesses. Maya also mentors content writers at mayapillaiwrites.com, combining technical know-how with storytelling. She’s eligible for the (ISC)² Certified in Cybersecurity exam.
