Telegram and Discord: The New Dark Web?
Cybercriminals use Telegram and Discord alongside .onion sites and underground forums. Public channels, private groups, direct messages, bots, and file hosting can support data sales, negotiations, and coordination.
The apps lower the access barrier and offer fast messaging, file sharing, and automation. Those same features complicate monitoring for security teams.
The Evolution of Cybercrime Infrastructure
For more than a decade, criminals have used Tor and .onion domains for marketplaces and forums. Those sites offered:
- Anonymity: Tor routing obscures IP addresses and location
- Persistence: Dedicated marketplaces and forums with established reputations
- Community: Vetted members, escrow services, dispute resolution
Dark web sites can disappear after a law-enforcement action or exit scam, and users need additional software to reach them. Investigations have also identified operators who relied on Tor for anonymity.
Enter Telegram and Discord
Mainstream messaging platforms offer cybercriminals several advantages:
- Lower access barrier: Users can install an app and create an account without a Tor browser
- Mobile-first: Conduct business from your phone anywhere in the world
- Built-in features: File sharing, bots, channels, and groups
- Encryption: End-to-end encryption in Telegram's "secret chats" and Discord DMs
- Legitimacy: Hiding among billions of legitimate users provides cover
- Resilience: Harder for law enforcement to take down entire platforms versus individual dark web sites
Telegram channels and Discord servers can appear in cybercrime investigations, but neither platform is itself a dark web service. Access, moderation, and source reliability vary by community.
What's Happening on Telegram
Security researchers have documented criminal activity in Telegram channels, groups, and bots.
Ransomware Operations
Ransomware groups increasingly use Telegram for:
- Victim negotiations: Instead of .onion payment sites, some groups now negotiate directly via Telegram
- Data leak announcements: Channels with thousands of subscribers share stolen data dumps
- Affiliate recruitment: Ransomware-as-a-Service operators recruit "affiliates" to deploy their malware
- Status updates: Groups announce new victims, feature additions, and operational changes
LockBit, BlackCat/ALPHV, and Play ransomware groups have all maintained active Telegram channels alongside or instead of traditional leak sites.
Data Marketplaces
Telegram channels function as data marketplaces where stolen information is bought and sold:
- Credential dumps: "Combolists" containing millions of username:password pairs
- Database leaks: Customer records from breached companies
- Initial access: Compromised VPN credentials, RDP access, corporate email accounts
- Financial data: Credit card numbers, bank account details, cryptocurrency wallets
- Personal information: Social security numbers, driver's licenses, passports
Sellers advertise their wares in public channels, then move to private chats for transactions. Payment is typically cryptocurrency, transferred directly between parties.
Hacking Services
Telegram hosts a gig economy for cybercrime:
- DDoS-for-hire: "Booter" services advertising attack capacity
- Phishing kits: Pre-built templates for credential harvesting
- Malware development: Custom RATs, stealers, and trojans
- Account takeover: Services to compromise specific social media or email accounts
- CAPTCHA solving: Human workers solving CAPTCHAs for bot operators
Automated Bots
Telegram's bot API enables automated criminal services:
- Leak check bots: Query if email addresses appear in breaches
- Carding bots: Validate stolen credit card numbers
- Doxing bots: Look up personal information from databases
- Phone number lookup: Find personal details associated with phone numbers
These bots let a buyer query stolen data or validate payment-card details without building a separate tool.
What's Happening on Discord
Discord, originally built for gaming communities, has seen similar abuse. While Telegram is more popular for data trading, Discord excels as a coordination platform:
Threat Actor Collaboration
- Private servers: Invite-only communities where threat actors share techniques and tools
- Real-time coordination: Voice channels for planning and executing attacks
- File sharing: Malware samples, stolen data, hacking tools distributed via Discord CDN
- Tutorials and training: Channels teaching exploitation techniques to newcomers
Social Engineering Operations
Discord's young user base makes it attractive for scams:
- Cryptocurrency scams: Fake investment opportunities, pump-and-dump schemes
- Account takeover: Compromising high-value gaming accounts, NFTs, cryptocurrency wallets
- Tech support scams: Impersonating platform staff to steal credentials
- Romance scams: Building relationships to extract money or information
Malware Distribution
Discord's content delivery network (CDN) is abused to host malware:
- Remote Access Trojans (RATs): Malware payloads disguised as legitimate files
- Information stealers: Tools designed to extract credentials and cryptocurrency wallets
- Phishing payloads: Files that lead to credential harvesting sites
Because Discord's CDN uses HTTPS and is frequently accessed by legitimate users, malware hosted there often bypasses security filters.
Why Criminals Use These Platforms
Several platform features explain their use alongside traditional dark web sites:
1. Law Enforcement Pressure
Law enforcement shut down marketplaces including AlphaBay, Hansa, and Silk Road. Closing an individual channel or server does not shut down an entire messaging platform.
2. Generational Shift
Younger threat actors grew up with mobile messaging apps. They're more comfortable with Telegram's interface than navigating dark web forums. The barrier to entry is lower.
3. Speed and Convenience
A forum transaction can involve private messages and escrow. Messaging apps support direct, near-real-time negotiation.
4. Platform Policies
Enforcement practices and cooperation with authorities vary by platform and jurisdiction. Criminal groups take advantage of channels or servers that remain available long enough to reach buyers.
5. Better Features
Criminal users repurpose ordinary platform features:
- Channel broadcasting can reach subscribed members quickly
- Bots automate previously manual processes
- File sharing is faster and more reliable
- Mobile apps enable 24/7 operations
The Security Team Challenge
This shift creates new challenges for security professionals:
Monitoring is More Complex
Dark web monitoring traditionally focused on .onion sites and known forums. Now you also need to monitor:
- Public Telegram channels (relatively easy)
- Private Telegram groups (requires infiltration)
- Discord servers (often invite-only)
- Encrypted direct messages (nearly impossible)
Volume is Higher
With lower barriers to entry, more threats surface on these platforms. Security teams face higher signal-to-noise ratios as amateur criminals mix with sophisticated actors.
Speed Demands Fast Response
A credential post in a large public channel can reach many subscribers quickly. Monitoring and triage intervals should reflect that distribution speed.
Review Matches From Collected Threat Sources
AdverseMonitor matches configured organization and domain terms against collected threat records and presents the available source evidence.
Scan Your Domain FreeWhat Organizations Should Do
1. Expand Your Monitoring Scope
Ask whether a monitoring service covers only .onion sites or also collects from relevant public messaging and paste sources. Useful source types include:
- Public Telegram channels known for data leaks
- Discord communities associated with your industry
- Paste sites where data is shared publicly
- Traditional dark web forums and marketplaces
2. Reduce Alert Latency
Set shorter alert intervals for high-priority terms. Define who reviews a domain match and how quickly that person should open the source evidence.
3. Monitor for Specific Indicators
- Your company name and common misspellings
- All corporate domains and subdomains
- Executive names (often targeted for whaling attacks)
- Product names and intellectual property
- Employee email addresses
4. Establish Response Procedures
Document the response to a relevant Telegram match:
- Verification: Confirm the threat is real and assess severity
- Containment: Force password resets, disable compromised accounts
- Investigation: Determine breach source and scope
- Documentation: Preserve evidence for potential legal action
- Notification: Inform affected parties per regulatory requirements
5. Educate Your Team
Security awareness training should address:
- Risks of using corporate credentials on personal devices
- Dangers of joining work-related Discord/Telegram groups with unverified members
- How information shared in "private" groups can leak
- Social engineering tactics specific to messaging platforms
How the Platforms Respond
The platforms use different moderation and law-enforcement processes.
Telegram's Position
Telegram has been criticized for harboring criminal activity. The platform's response:
- Removes "clearly illegal" content when flagged
- Doesn't proactively scan for criminal activity
- Limits cooperation with law enforcement
- Defends user privacy and free speech as primary values
Critics argue this hands-off approach enables crime. Supporters say it protects legitimate users in authoritarian regimes.
Discord's Efforts
Discord has been more responsive:
- Shuts down servers reported for illegal activity
- Uses automated tools to detect malware distribution
- Cooperates with law enforcement investigations
- Published transparency reports on takedown activities
Hundreds of millions of users generate more activity than moderators can review by hand.
Looking Ahead
Policy changes, regulation, and law-enforcement activity will affect where criminal groups operate next.
Regulatory Pressure
Governments are increasingly focused on encrypted platforms' role in crime. The EU's Digital Services Act and similar regulations may force platforms to take stronger action.
Platform Policies
If Telegram and Discord tighten enforcement, criminals may move to decentralized platforms or return to dark web forums.
Law Enforcement Adaptation
Police agencies are developing capabilities to monitor and infiltrate Telegram/Discord communities, potentially reducing their appeal to criminals.
Define the Monitoring Scope
Criminal groups choose channels that make it easy to find buyers, share files, and coordinate. Telegram and Discord provide some of those functions.
A source plan may include:
- Classic dark web (.onion sites, forums)
- Telegram channels and groups
- Discord servers and communities
- Paste sites and data dump platforms
- Social media where leaks are announced
Telegram and Discord sit on the public internet. Criminals may still use them for transactions also found on underground forums.
Record which source types matter to your organization, how the team collects them, and how analysts validate a match.