Is Telegram safe to use? Learn why cybercriminals use the app


Is Telegram safe to use? Cybercriminals exploit its weak moderation and anonymous setup. Despite policy changes, Telegram still serves as a key platform for illicit activity. In this blog, we take a closer look at why cybercriminals prefer Telegram.

By KELA Cyber Team

Published August 20, 2025


Telegram is a popular messaging app, but its privacy features and ease of access have made it a preferred platform for cybercriminals. From phishing campaigns to ransomware distribution, criminals leverage Telegram to share illegal content, coordinate attacks, and target organizations worldwide.

In 2024, KELA's platform recorded a 200% increase in mentions of malicious AI tools across cybercrime forums, with Telegram playing a major role in sharing and distributing them.

In this blog, we’ll explore how criminals misuse Telegram, the specific security risks your business faces, and the steps you can take to detect, prevent, and respond to these threats effectively.




What Is Telegram?

Telegram is a cloud-based instant messaging application launched in 2013 by brothers Nikolai and Pavel Durov. Known for its speed and versatility, Telegram allows users to send messages, share videos and documents, create group chats, and more.

It is used by 1 billion people worldwide and is available on mobile devices, desktop computers, and web browsers.

Telegram is the top messaging platform used by cybercriminals for public communication. While it's commonly used for announcements and large group coordination, many criminals switch to more secure apps like Signal when handling sensitive conversations.





Why Cybercriminals Prefer to Use Telegram

  1. Low barrier to entry: Unlike dark web forums that require Tor browsers or specific configurations, Telegram is easy to access from any mobile or desktop device. It doesn’t demand technical expertise, which makes it a convenient starting point for less-experienced actors.
  2. Anonymity and limited attribution: Telegram does not require verified personal information for account creation, and users can communicate without exposing phone numbers in public groups.
  3. Scalability and large group management: One of Telegram’s strongest features is its support for massive public or private groups and broadcast channels. Criminals can easily build large audiences to distribute malware, stolen data, or scam content.
  4. Bots and task automation: Telegram allows users to create and deploy bots that automate actions like collecting payments, delivering files, or managing subscriptions. These bots help cybercriminals streamline tasks such as phishing, ransomware delivery, or fraud operations.
  5. Resilience and fast channel recovery: When Telegram shuts down a malicious channel or group, operators can quickly create new ones and migrate followers with minimal friction. This agility makes it hard for law enforcement or moderators to disrupt coordinated criminal activity long-term.
  6. Support for large file sharing: Telegram supports the transfer of files up to 2GB per upload. This makes it a go-to platform for sharing leaked data, hacking tools, pirated software, and other illegal content.




Consequences of Cybercriminal Activity on Telegram

The risks of Telegram-facilitated crime affect both individuals and organizations. Here's a breakdown, from lower-impact to more serious consequences:

Low-Profile Consequences

  • Phishing and scams: Users may be tricked into clicking malicious links, handing over credentials, or installing malware. This is often the starting point for larger attacks.
  • Involuntary group participation: Individuals may be added to criminal groups without consent. This exposes them to illegal content and can place them under investigation if flagged.
  • Reputation damage: Fake interactions, inflated metrics, or false reviews arranged via Telegram can distort a brand’s public image or social media presence.


High-Profile Consequences

  • Data breaches and leaks: Criminals use Telegram to coordinate data breaches and then distribute the stolen data. This can lead to financial loss and major reputational damage for businesses and individuals.
  • Distributed denial-of-service (DDoS) attacks: DDoS-for-hire services promoted on Telegram can be used to crash websites or networks. These attacks can disrupt business operations, cause downtime, and lead to loss of revenue or customer trust.
  • Terrorism and child exploitation: Telegram has been misused to coordinate extremist activity and share child sexual abuse material. These crimes can trigger international investigations, legal action, and long-term damage to public safety and platform credibility.




Real-World Examples of High-Profile Incidents Linked to Telegram

1. The Nth Room Case

The Nth Room incident was a high-profile case of digital sex crimes and sexual exploitation in South Korea. Between late 2018 and early 2020, thousands of victims, including many minors as young as middle school age, were coerced into producing sexually explicit videos.

These videos were then distributed through Telegram channels, with tens of thousands of participants involved as perpetrators or consumers.

How it happened

Cybercriminals used Telegram and other messenger apps to lure victims with promises or threats. Victims were blackmailed into creating and sharing explicit content, which was systematically collected and disseminated within private Telegram groups known as “Nth Rooms.”

The anonymity and encryption features of Telegram made it difficult to track the perpetrators or shut down these groups promptly.

How it was addressed

Once exposed, the case sparked massive public outrage and a national crackdown. Authorities also pushed for stricter regulations on digital platforms to prevent similar abuses in the future.

The case highlighted the need for improved online safety measures and stronger international cooperation against cyber-enabled sexual crimes.


2. The Qilin Ransomware Attack

The Qilin ransomware gang launched a significant cyberattack targeting Synnovis, a laboratory service provider for the UK’s National Health Service (NHS).

The attackers stole approximately 400GB of sensitive patient data, including medical records, and demanded a ransom of $50 million. When their demands were not met, the group publicly leaked the stolen information.

How it happened

Using sophisticated ransomware tools, Qilin infiltrated the NHS's network and exfiltrated large volumes of confidential data. They leveraged both Telegram and their own dedicated blogs as platforms to leak the stolen information and communicate demands, taking advantage of the platform’s reach and relative privacy.

The incident exposed vulnerabilities in healthcare cybersecurity and raised serious concerns about Telegram's privacy, especially in how ransomware groups exploit messaging apps for illicit activities.

How it was addressed

Following the attack, NHS services experienced major disruptions, with over 3,000 medical appointments canceled or delayed. UK authorities launched investigations to identify and apprehend the perpetrators, while healthcare providers reviewed and upgraded their cybersecurity measures.

The case underscored the urgent need to strengthen digital privacy policies and protect sensitive information from ransomware gangs.




Best Practices for Protecting Your Business Against Cybercrime on Telegram

  • Employee education on Telegram risks: Educate your staff about the potential dangers of Telegram, such as malware and exposure to illegal content. Awareness empowers employees to recognize suspicious activity and avoid unsafe links or groups.
  • Update and enhance cybersecurity strategies: Review and revise your company’s cybersecurity policies regularly to address emerging threats linked to Telegram and similar platforms. Incorporate risk assessments focused on messaging app vulnerabilities and adapt your defenses accordingly.
  • Implement Zero Trust and network segmentation: Adopt a Zero Trust security model where no device or user is automatically trusted, combined with network segmentation to limit lateral movement within your infrastructure. This helps contain any potential compromise that could arise from Telegram-related attacks.
  • Maintain an accurate asset inventory: Keep a detailed catalog of all IT assets and endpoints that might interact with Telegram or other communication apps. Knowing what devices and systems are connected is essential for effective monitoring and rapid response to incidents.
  • Deploy continuous monitoring and threat intelligence: Use Threat Intelligence Platforms (TIPs) and continuous monitoring tools to detect suspicious activity tied to Telegram, such as unusual data transfers or connections to known malicious groups.
  • Establish a clear incident response plan: Have a simple plan for handling cybercrime on Telegram. Make sure everyone knows how to report threats and use takedown services when needed.
  • Use secure communication features within Telegram: Encourage employees to use Telegram’s security features, such as enabling “Secret Chats” for end-to-end encryption and activating two-factor authentication (2FA).
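
The asset inventory and continuous monitoring practices above can be combined into a simple detection pass over web proxy logs. The following is an added example, not KELA's code: the log format, host names, approved-host list, and byte threshold are all assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, source host, method, URL, bytes sent.
SAMPLE_LOG = """\
2025-08-20T09:14:02Z ws-0412 POST https://api.telegram.org/bot0000000000:CONSTRUCTED/sendDocument 18734112
2025-08-20T09:14:09Z ws-0412 POST https://api.telegram.org/bot0000000000:CONSTRUCTED/sendMessage 412
2025-08-20T09:20:31Z mkt-0007 GET https://web.telegram.org/a/ 0
2025-08-20T09:21:10Z mkt-0007 POST https://web.telegram.org/api 2048
2025-08-20T09:25:44Z db-0003 GET https://t.me/s/example_channel 0
2025-08-20T09:30:00Z ws-0099 GET https://example.com/index.html 0
"""

# Assumption: hosts the asset inventory lists as approved to use Telegram.
APPROVED_HOSTS = {"mkt-0007"}
# Assumption: upload size worth a second look; tune per environment.
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024
TELEGRAM_DOMAINS = ("telegram.org", "t.me")
# Telegram Bot API calls have the path form /bot<token>/<method>.
BOT_API_PATH = re.compile(r"^/bot[^/]+/\w+")

def is_telegram(hostname):
    """True for a Telegram domain or any subdomain of one (not look-alikes)."""
    return any(hostname == d or hostname.endswith("." + d) for d in TELEGRAM_DOMAINS)

def analyze(log_text):
    """Return {source_host: sorted list of reasons} for Telegram-bound traffic."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines rather than guessing
        _ts, src, method, url, sent = parts
        target = urlsplit(url)
        hostname = (target.hostname or "").lower()
        if not is_telegram(hostname):
            continue
        if src not in APPROVED_HOSTS:
            findings[src].add("unapproved_host")
        if hostname == "api.telegram.org" and BOT_API_PATH.match(target.path):
            findings[src].add("bot_api")  # automated client, not a person chatting
        if method == "POST" and int(sent) >= UPLOAD_BYTES_THRESHOLD:
            findings[src].add("large_upload")
    return {src: sorted(reasons) for src, reasons in findings.items()}

if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG).items():
        print(src, reasons)
```

The URL path is only visible where the proxy inspects TLS; without inspection, only the destination hostname is available and the `bot_api` check reduces to a match on `api.telegram.org`.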





How KELA Cyber Helps Businesses Manage Telegram's Security Risks

Telegram’s security risks create real challenges for businesses today. With KELA Cyber’s threat intelligence, you gain clear insight into how cybercriminals operate on the platform. This helps you understand the threats facing your organization and take action before problems escalate.

By monitoring malicious activity like scams, data leaks, and ransomware, KELA helps protect your data and assets. With expert support and timely intelligence, your team can respond confidently and reduce risk.


Telegram Security: Your Questions Answered

Is Telegram safe to use for businesses?

Telegram can be used safely, but its weak moderation and anonymous account setup make it attractive to cybercriminals. Businesses should be aware of these risks and implement security measures to reduce exposure.

Why do cybercriminals prefer Telegram over other platforms?

Telegram offers easy access, minimal verification, large file sharing, and public channels. These features allow criminals to operate at scale while staying largely anonymous.

How can businesses protect themselves from Telegram-related threats?

Businesses should educate employees about Telegram risks, monitor for suspicious activity, use threat intelligence tools, and have an incident response plan in place. Platforms like KELA help detect and respond to these threats effectively.