REPORT · 2026

State of Telegram cybercrime 2026

How underground markets shifted to encrypted channels: combo lists, brokered access, fraud-as-a-service, and the new shape of ransomware affiliate recruitment.

Executive summary

Across 14 months of continuous collection, our analysts observed a measurable migration of cybercrime activity away from legacy forums and toward encrypted messaging, most notably Telegram. Channels are shorter-lived, faster to spin up, and far more resistant to traditional take-down efforts than vBulletin-era forums.

  • Telegram-hosted credential markets grew an estimated 62% year over year by listing volume.
  • Median channel lifespan dropped from 11 days to 4 days.
  • The top 10 broker channels handled ~43% of observed broker traffic.
  • Initial-access brokers shifted recruiting from forums to private invite-only channels.

Methodology

The dataset combines DarkWeb LLC's continuous Telegram crawler output, partner-shared logs, and on-demand operator interviews conducted under non-disclosure. We exclude any private or personally-identifiable content from public reporting and only report aggregate signals.

Coverage window: 2025-02-01 → 2026-04-01 · 11,400+ unique channels observed · 1.7B messages indexed.

The shift to encrypted channels

Three structural pressures pushed activity to Telegram: aggressive forum take-downs in late 2024, the demand for instant-broadcast capability among brokers, and operator preference for ephemeral channels that cost almost nothing to respawn after disruption.

Operators we tracked typically maintain a public "shop window" channel (often 5k–25k members) and one or more invite-only channels for active deals. Public channels function as proof of life and reputation; invite channels host the actual transactions.

Marketplaces & brokers

Combo-list and stealer-log dealers dominate by volume. Initial access brokers (IABs) make up a smaller share by listing count but a far larger share by transaction value: a single VPN or RDP listing for a Fortune 500 environment routinely clears $8k–$60k.

The ten most active broker channels we tracked accounted for roughly 43% of observed broker volume. Of those, six rotated handles at least once during the observation window, a strong indicator of active OPSEC discipline.

Fraud-as-a-service

"FaaS" channels package phishing kits, OTP-bot rentals, social engineering scripts, and anti-fraud bypass tooling into turnkey subscriptions. Pricing converged toward a familiar SaaS shape: a freemium tier, monthly plans, and a "premium" tier gated by reputation rather than cash.

Ransomware affiliate recruitment

Recruitment migrated almost entirely off forums during the observation window. Affiliate threads are now invite-only, with prospective affiliates vetted via reputation in adjacent broker channels and then onboarded through private 1:1 chats.

We observed a clear pattern: groups that lost public-facing infrastructure during 2025 take-downs still operated on Telegram within days, often using the same handle aliases under slightly modified spellings.
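The respelled-alias pattern above can be turned into a tracking check for collection pipelines. The sketch below is an added example, not code from the report or its dataset: it reduces handles to a normalized skeleton and scores newly seen handles against a watchlist of previously tracked ones. The handles, the substitution map, and the 0.85 threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Digit-for-letter swaps commonly used in respellings (assumed mapping, extend as needed).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def normalize(handle: str) -> str:
    """Reduce a handle to a skeleton so cosmetic respellings compare equal."""
    h = handle.lower().lstrip("@").translate(LOOKALIKES)
    h = re.sub(r"[^a-z]", "", h)        # drop underscores and leftover digits
    return re.sub(r"(.)\1+", r"\1", h)  # collapse doubled letters

def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def match_respawns(watchlist, new_handles, threshold=0.85):
    """Return (new_handle, known_handle, score) for likely respellings.

    Handles already on the watchlist verbatim are skipped: they are known,
    not respawned. Each new handle is paired with its best-scoring match only.
    """
    known_raw = {k.lower().lstrip("@") for k in watchlist}
    hits = []
    for new in new_handles:
        if new.lower().lstrip("@") in known_raw:
            continue
        score, known = max(((similarity(new, k), k) for k in watchlist),
                           default=(0.0, None))
        if known is not None and score >= threshold:
            hits.append((new, known, round(score, 2)))
    return sorted(hits, key=lambda hit: -hit[2])

# Constructed sample data: no real channels are referenced.
WATCHLIST = ["example_logs_shop", "sample_access_market"]
NEW_HANDLES = [
    "examp1e_l0gs_shop2",     # digit swaps plus a numeric suffix
    "sampel_access_market",   # transposed letters
    "weather_updates_daily",  # unrelated channel
    "example_logs_shop",      # already tracked verbatim
]

if __name__ == "__main__":
    for new, known, score in match_respawns(WATCHLIST, NEW_HANDLES):
        print(f"{new} -> likely respawn of {known} (score {score})")
```

Matches are leads for analyst review rather than attributions; short or generic handles will collide, so tune the threshold against your own collection before alerting on it.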

2026–2027 forecast

  • Continued migration of low-trust commerce (combo lists, basic phishing) into Telegram.
  • Growth in cross-channel "syndicate" structures connecting brokers, FaaS operators, and ransomware affiliates.
  • Increased use of Telegram bots for automated listing, escrow, and reputation tracking.
  • Continued fragmentation: dozens of mid-sized channels rather than a few large forums.

What defenders should do

  1. Treat Telegram coverage as table stakes. Underground signals don't wait in forums anymore.
  2. Prioritize identity exposure. Stealer logs and combo lists are the single largest source of breach precursors we observe.
  3. Invest in fast triage. Channel half-lives are measured in days; alerts that take a week to investigate are alerts you missed.
  4. Map third-party blast radius. Several of the highest-impact incidents we tracked began with credentials for a vendor or contractor, not the target itself.
