If you’ve been following the Telegram crackdown news, then you’ll know that Telegram entered 2026 under significant pressure. After years of being a largely permissive environment, the platform dramatically increased enforcement following the arrest of CEO Pavel Durov in late 2024 and the rollout of stricter moderation throughout 2025. Millions of channels were taken down, Telegram bans became frequent, automation was introduced, and transparency around enforcement reached an all time high. 

Yet despite these efforts, cyber criminal ecosystems on Telegram are not shrinking. These cyber criminal communities are adapting, and quickly. 

Based on new intelligence from Check Point Exposure Management, here are three of the latest developments in the realm of Telegram following Telegram’s crackdown in 2026. 

  1. Record-Breaking Moderation Has Not Reduced Criminal Presence

Telegram’s enforcement numbers are staggering. In 2025 alone, more than 43.5 million channels and groups were blocked. Moderation activity has continued to accelerate into early 2026, with daily takedowns rising from a historical baseline of roughly 10,000 to 30,000 to a sustained 80,000 to 140,000, punctuated by peaks exceeding 500,000 takedowns in a single day. 

On the surface, this suggests unprecedented progress. In practice, the impact is more nuanced. 

Check Point Exposure Management analysis shows that roughly 20 percent of blocked channels were linked to criminal activity that directly affects businesses, including carding operations, Fullz trading, and hacking services. Thousands of messages referencing blocked channels continue to circulate, especially via forwarded content that keeps criminal knowledge alive even after takedowns. 

The key issue is persistence. Channels disappear, but communities reform quickly. Backups are pre-created for many of the channels that are taken down, often even before the takedown happens, so that the community is ready. In fact, often, the audiences are preloaded, and operational continuity remains largely intact. Enforcement has increased friction, but it has not eradicated the use of Telegram by cyber criminals. 

For a deeper breakdown of how threat intelligence tracks this activity across platforms, see Check Point’s threat intelligence offering.

  1. Threat Actors Are Adapting Faster Than Platforms Can React

Rather than leaving Telegram, threat actors have evolved how they operate inside it. 

Several evasion techniques now appear consistently across underground communities. Many groups use “Request to Join” gating to block automated moderation bots. Others add disclaimers in channel bios, tagging Telegram leadership and claiming compliance even when engaging in illicit activity. Backup channels are created in advance, sometimes bundled together, allowing instant reconstitution after a takedown. 

Check Point data shows spikes in forwarded messages referencing blocked sources, especially during peak enforcement periods in February, March, and April 2025. Criminal content continues to circulate even when original sources are removed, extending the lifecycle of fraud data and operational guidance. 

This adaptation mirrors broader trends in cyber crime. Attackers no longer rely on a single asset or channel. They assume disruption and engineer redundancy. Telegram’s scale, usability, and discoverability still make it uniquely attractive for this approach. 

Understanding these behavioral patterns is critical for proactive defense. The ebook dives deeper into how these evasion methods are evolving and why they matter for enterprise security teams. 

  1. Telegram Remains the Dominant Criminal Communication Hub

If moderation were truly displacing criminal communities, migration would be obvious. It is not. 

Despite brief experimentation with alternatives, Telegram remains the platform of choice. Over the last three months alone, Check Point Exposure Management identified approximately 3 million Telegram invite links shared across underground environments. By comparison, Discord accounted for fewer than 6 percent of that volume, while Signal, SimpleX, and Matrix-based platforms barely registered. 

Even high-profile attempts to move failed. One notable threat group, AKULA temporarily relocated to SimpleX in early 2025 but returned to Telegram after followers did not migrate at scale. Some actors now use alternative apps for one-to-one communication, but Telegram continues to serve as the primary broadcast, recruitment, and marketplace layer. 

Network effects matter. Telegram’s massive user base of more than 800 million active users makes it difficult for competitors to replicate its reach. Enforcement has changed behavior, not allegiance. 

For SOC teams, this means Telegram remains a critical environment for exposure management, brand protection, and early threat detection. Ignoring it creates blind spots attackers will exploit. 

Is Telegram’s Crackdown Actually Real? 

Telegram’s crackdown is indeed real, sustained, and growing. But so is cyber criminal’s adaptability. Although, Takedown’s are still key, discovering the cyber criminal network surrounding that channel/account is becoming more and more important. 

Security teams that rely solely on platform enforcement will fall behind. Those that invest in continuous exposure management and intelligence-driven monitoring will discover the route of the operation and take down entire attack structures, not just single entities. 

For the full analysis, detailed statistics, and future outlook, read Telegram’s Crackdown and Criminal Resilience in 2026.  

You may also like