Cybercriminals Are Evading Telegram Crackdowns in 'Patriot Party' and Crypto-themed Channels
Telegram has removed millions of illicit channels in recent years, but cybercriminals are adapting tactics to evade detection
TLDR
Telegram, a popular privacy-oriented messaging and social media app, promised to overhaul its approach to platform moderation after French authorities brought criminal charges against its founder in 2024, alleging that the company’s historically minimal moderation and longtime refusal to cooperate with law enforcement investigators amounted to complicity in the illegal activities taking place on the platform.
In 2025, Telegram reportedly removed more than 43.5 million channels and groups, including millions linked to cybercriminal activities. The scale of enforcement was unprecedented in the platform’s history, but analysts have found that Telegram remains a fixture of the cybercriminal economy.
To investigate these claims ourselves, Open Measures analyzed the activity in Telegram channels and groups in our datasets from 2024 (before Durov’s arrest) to the present to assess how cybercriminal actors have adjusted to the platform’s shifting policies.
What is Telegram?
Telegram is a privacy-oriented, cloud-based messaging app launched in 2013 by Russian-born brothers Pavel and Nikolai Durov. The Durovs developed Telegram amid escalating pressure from the Russian government over their refusals to censor content on VK, seeking to create a secure communications platform that was impervious to government surveillance and speech restrictions.1 While Russian state actors have used Telegram to disseminate their own messaging, Russian officials have limited access to the app in their country, ultimately banning it outright in April 2026.2
The app’s design allows for greater degrees of privacy than other platforms. Telegram allows users to create accounts with anonymous phone numbers, offers limited encryption methods to protect private communications, and spreads its infrastructure across data centers and servers owned by an array of shell companies in multiple jurisdictions – making it more difficult for countries to subpoena user data. In addition to direct communication between individual users, it also facilitates groups and channels, which function similarly to chat rooms and microblogging profiles on other social media sites.3
Since its launch, Telegram has become one of the most widely used apps of its kind, attracting billions of users worldwide.4 Some of its earliest non-Russian users were based in nations with heavy censorship laws and included pro-democracy activists organizing under repressive governments. But Telegram’s privacy features and reluctance to moderate content have also attracted nefarious actors, including repressive regimes, terrorist groups, violent extremist movements, and cybercriminals.5
In 2024, French authorities arrested Pavel Durov and alleged that Telegram’s inaction against illegal content and failure to cooperate with legal investigations amounted to complicity in a host of severe crimes occurring on the platform.6 (Russia also launched its own criminal investigation into Durov for “abetting terrorist activities” in February 2026.)7 After his arrest, Durov announced that Telegram would make greater efforts to comply with valid legal requests and take proactive action against illicit user activity – a significant departure from its longtime “hands-off” philosophy.8
Shortcomings of Policy Changes and Takedowns Meant to Address Cybercriminal Activity
In his first public post after his 2024 arrest, Durov said the criminal charges brought against him were “misguided,” but acknowledged that criminal abuse was occurring on Telegram and said the company was taking down “millions of posts and channels every day” while continuing to work through the “growing pains” of illicit activity on its platform.9 In the weeks after Durov’s arrest, Telegram introduced new reporting mechanisms for users to flag illegal activity and updated its privacy policy, stating that it would disclose users’ phone numbers and IP addresses when it received valid court orders.10 The company also stepped up its enforcement actions against illicit content.11
But cybersecurity professionals have found that Telegram’s policy changes and takedowns have not meaningfully deterred or addressed cybercriminal activities taking place on its platform; some reports suggest the issue may have actually worsened since the crackdowns began.12 Users engaged in cybercriminal activities have reportedly rejoined the platform with new accounts and adopted new tactics for evading enforcement actions in lieu of migrating to other platforms.13
Telegram remains uniquely appealing to would-be cybercriminals today, offering unmatched features that allow users to start and scale up their operations with ease and speed. Unlike dark web forums, which can require special software or privileged access, the platform is simple to join. It also allows users to deploy administrative bots in their groups and channels that can facilitate financial transactions, aggregate messages, and interact with members on their behalf. Additionally, its message-forwarding mechanic allows channel creators and group members to distribute messages far and fast, and allows previously forwarded messages to continue circulating even if a network’s “hub” is taken down.14
Methodology
Open Measures’ datasets include archives for thousands of Telegram groups and channels, including many that appear to engage in cybercriminal activities. Our researchers sought to examine how the channels we collect data for have adapted to Telegram’s policy changes and takedowns targeting illicit user activity.
To identify a range of potentially relevant posts, we created a broad search query that included cybercrime-related keywords drawn from our prior research and published reports that name known threat actors, marketplaces, and criminal services:
“fullz” OR “fulls” OR “combolist” OR “stealer logs” OR “CVV” OR “CVVs” OR “credential stuffing” OR “LummaC2” OR “Lumma” OR “RedLine” OR “Redline Stealer” OR “Raccoon Stealer” OR “stealer” OR “ransomware affiliate” OR “affiliate program” OR “malware” OR “exploit” OR “payload” OR “dropper” OR “romance scam” OR “investment scam” OR “ghost-tapping” OR “NFC relay” OR “romance scam” OR “investment scam” OR “ghost-tapping” OR “NFC relay” OR “deepfake” OR “face swap” OR “voice clone” OR “BidenCash” OR “Omega Cloud” OR “Observer Cloud” OR “Moon Cloud”
Researchers used built-in tools on the Open Measures platform to analyze the posts that matched our search query and identify trends.
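The keyword approach described above can be reproduced over any post archive. The following is an added example, not Open Measures' code or tooling: it parses a subset of the query, removes the repeated terms, and counts matching posts per channel and year. It assumes case-insensitive whole-phrase matching (the platform's actual query semantics are not described here), and the posts and channel names are constructed placeholders.

```python
import re
from collections import Counter

# Subset of the article's query; the repeated terms are kept on purpose.
QUERY = ('“fullz” OR “fulls” OR “combolist” OR “stealer logs” OR “CVV” OR “CVVs” '
         'OR “stealer” OR “romance scam” OR “NFC relay” OR “romance scam” '
         'OR “NFC relay” OR “Redline Stealer”')

# Constructed sample posts (not real data); channel names are placeholders.
POSTS = [
    {"channel": "example_channel_a", "date": "2024-03-02", "text": "Fresh FULLZ and cvv available"},
    {"channel": "example_channel_a", "date": "2025-11-10", "text": "stealer   logs daily drop"},
    {"channel": "example_channel_a", "date": "2025-11-11", "text": "town hall meeting tonight"},
    {"channel": "example_channel_b", "date": "2026-01-05", "text": "CVVX token airdrop"},
    {"channel": "example_channel_b", "date": "2026-01-06", "text": "NFC relay kit, romance scam scripts"},
]

def parse_query(query):
    """Extract curly-quoted phrases from an OR query; lowercase and de-duplicate."""
    terms = re.findall(r'“([^”]+)”', query)
    return list(dict.fromkeys(t.lower() for t in terms))  # preserves first-seen order

def compile_matcher(terms):
    """Build one case-insensitive regex, longest phrase first so it wins over substrings."""
    alts = []
    for term in sorted(terms, key=len, reverse=True):
        alts.append(r'\s+'.join(re.escape(word) for word in term.split()))
    # Lookarounds stop "CVV" matching inside "CVVX" while allowing hyphenated terms.
    return re.compile(r'(?<!\w)(?:' + '|'.join(alts) + r')(?!\w)', re.IGNORECASE)

def matched_terms(text, matcher):
    """Return the sorted, normalized set of query terms found in one post."""
    return sorted({' '.join(m.group(0).lower().split()) for m in matcher.finditer(text)})

def hits_by_channel_year(posts, matcher):
    """Count posts with at least one match, keyed by (year, channel)."""
    counts = Counter()
    for post in posts:
        if matcher.search(post["text"]):
            counts[(int(post["date"][:4]), post["channel"])] += 1
    return counts

MATCHER = compile_matcher(parse_query(QUERY))

if __name__ == "__main__":
    for (year, channel), n in sorted(hits_by_channel_year(POSTS, MATCHER).items()):
        print(year, channel, n)
```

Broad single-word terms in the full query, such as “exploit” or “malware,” also match ordinary security discussion, so raw hit counts from a matcher like this need manual review before a channel is labeled.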
Analysis
Our researchers performed three separate searches with our Timeline tool to visualize the number of Telegram posts in our datasets matching our search query in 2024, 2025, and 2026.

Among channels we collected, daily activity levels remained consistent throughout 2024 – including the months after Durov’s arrest in August – and much of 2025, though we saw a dramatic increase beginning in October 2025. That surge was followed by another series of spikes between November 2025 and January 2026, with elevated activity sustained thereafter.
As illustrated by Telegram’s own data (included below), the platform has steadily increased its overall moderation efforts since May 2024, with average daily account takedowns in 2026 approximately four times the daily average in May 2024. These efforts have been accompanied by periodic enforcement spikes through early 2025 and into early 2026 (with a sustained decline in moderation and no major spikes after Feb. 20, 2026).

Telegram’s self-reported moderation data mirrors our own findings: as the volume of posts matching our query in late 2025 and early 2026 increased, so did Telegram’s reported takedowns. Likewise, Telegram’s declining moderation in mid-February 2026 onward also aligns with the declining volume of query-matching posts our researchers observed.
Though Durov’s arrest in France served as a catalyst for Telegram’s increased moderation, the platform has sustained its efforts in response to increased suspected illicit activity for several years. Though the recent decrease in both posts matching our query and Telegram’s account takedowns might suggest the platform has attempted to address its cybercrime problem, the average volume of posts matching our query remains higher today than in years prior, suggesting cybercriminals are finding ways to adapt to Telegram’s policy changes and increased takedowns.
Trends By Search Period
Activity matching our search queries was led by different sets of groups and channels included in our datasets in 2024, 2025, and 2026. Notably, the names of the dominant groups and channels we observed hosting cybercriminal activities in each period were often misleading, presumably as a strategy to avoid moderation and attract unsuspecting users. Our researchers also observed that groups and channels most active in 2024 and 2025 seemed to use names with similar themes; in 2026, the groups and channels whose posts matched our queries changed, as did their naming conventions.
2024: Cybercrime-themed Spam in Politically-styled Telegram Groups

Throughout 2024, many of the most active groups and channels in our datasets that we observed engaging in likely cybercriminal activities (e.g., spammed advertisements for fraudulent documents and stolen user credentials) were styled after US political themes, most notably “ThePatriotPartyofOH,” “FreeWestVirginia,” and “PatriotPartyOregon.” Volume during this period was moderate, with “ThePatriotPartyofOH” leading with more than 3,000 hits.
2025: Increased Activity and Proliferation of Politically-styled Groups

Throughout 2025, our researchers saw the volume of posts in our datasets matching their search query significantly increase. The previously identified “FreeWestVirginia” channel shared approximately 16,000 posts matching our query (a roughly 30-fold increase from the period before). We also saw approximately triple the number of positive hits in posts shared by the “ThePatriotPartyofOH” channel.
The most active groups in this period that explicitly advertised cybercriminal services included additional channels and groups with “Patriot Party” names or political themes (e.g., “PatriotPartyNewHampshire,” “FreeSouthDakota”). As we observed in the 2024 search period, many posts we identified in other channels were apparent advertisements for cybercriminal services.
2026: Increased Activity, Proliferation of Financially-styled Groups
In 2026, despite Telegram’s reported takedowns of millions of accounts in late 2025, the volume of posts in our datasets matching our query was still dramatically higher than in prior years. Researchers identified roughly four times as many posts matching their search query that were shared in 2026 than were shared in 2025.

Rather than groups and channels with American political themes, the groups we identified as advertising cybercriminal services were often named after finance and OTC (“over-the-counter”) investing terms, like “otc_investorhub” and “chat_nft.” We also identified a cluster of similar groups styled around employment in Ukraine, like “truework_stkyiv.” The channel that shared the highest number of posts matching our query, “ChekerCCsLive,” was named in reference to “checking” if a stolen credit card or “CC” number is still “live” and usable.
Fraud Services and Scam Recruitment Posts
Our researchers observed that posts in “OTC” channels frequently featured advertisements for apparent financial fraud and money laundering services. Posts shared in the “WTSotc” channel, which shared hundreds of thousands of posts matching our search query prior to its removal, often followed one of several distinct spam formats. The posts we reviewed included offers to provide fraudulent documents, account logins, and money laundering services, and attempts to solicit peer-to-peer crypto transactions with other users.

In Ukrainian-employment-themed groups we identified, such as “truework_stkyiv,” our researchers encountered an array of posts advertising remote work opportunities using language consistent with online “pig-butchering” schemes and romance scams.15

Persistence of ‘Patriot Party’ Channels
While most cybercriminal channels and groups from earlier periods appeared to have been taken down or ceased their activity in recent years, many of the politically-named groups we identified – namely “PatriotPartyRI,” “FreeSouthDakota,” “PatriotPartyNewHampshire,” “PatriotPartyOregon,” and “FreeWestVirginia” – had survived Telegram’s increased moderation efforts and remained active at the time of writing.

Based on activity patterns in our datasets and manual verification, only “ThePatriotPartyofOH” and “FreeNorthDakota” had been taken down (likely around October 2024 and May 2025, respectively). Other than “otc_investorhub,” all the active groups we identified in 2026 remained active as well.
Conclusion
While Telegram has demonstrated significant efforts to crack down on cybercrime, it remains a fixture of the cybercriminal economy as illicit actors continue to adapt to its policies to avoid moderation. Despite a slight decline in recent months, the volume of posts on Telegram likely related to cybercriminal activities remains much higher than it was just two years ago.
Telegram’s moderation efforts appear to have done little to reduce overall cybercriminal activity on the platform – and as our research suggests, the problem is likely to persist as a result of the platform’s infrastructure, which remains unchanged.
Veronika Sukhanych. “Russia introduces full telegram ban nationwide.” 10 April 2026. Kyiv Post. Here.
Katherine Li. “Telegram hits 1 billion active users as CEO Pavel Durov takes swipe at Meta-owned rival Whatsapp.” 19 March 2025. Here.
James Bandler, A.C. Thompson, and Karina Meier. “The Accelerationists’ App: How Telegram Became the ‘Center of Gravity’ for a New Breed of Domestic Terrorists.” ProPublica/Frontline. 3 September 2024. Here.
Alex Hern, Dan Milmo. “What is Telegram and why has its founder Pavel Durov been arrested?” The Guardian. 17 March 2025. Here.
Pjotr Sauer. “Russia opens criminal case into Telegram founder Pavel Durov.” The Guardian. 24 February 2026. Here.
Jordan Pearson. “Telegram’s CEO has taken a hands-off approach for years – now his luck might have run out.” The Verge. 27 August 2024. Here.
Aisha Counts. “Telegram chief blames “growing pains” in first post since arrest.” Yahoo! Finance. 5 September 2024. Here.
Charles Owen-Jackson. “What Telegram’s recent policy shift means for cyber crime.” IBM. Accessed 29 May 2026. Here.
Tal Samra, Or Shichrur. “Telegram’s Crackdown in 2026 and Why Cyber Criminals Are Still Winning.” Check Point Blog. 18 March 2026. Here.
“Telegram named fastest-growing source of fraud in 2025.” Fintech Finance News, via Revolut. 26 February 2026. Here.

