Telegram Marketplaces: Evolving Threats in 2025

Over the past decade, Telegram transitioned from a secure messaging application, into a global digital ecosystem. Originally launched in 2015 as a privacy-centric option to mainstream messaging apps, Telegram represents a double edge sword for the future of 2025. On one hand, millions of users are legitimately using Telegram, on the other hand it has become a focal point for cybercriminals between 2015 -2025 to operate shops, forums, and organize crime.

Telegram’s unique combination of anonymity, encrypted channels, unlimited file sharing, and automation through bots has made it an irresistible alternative to the typical darkweb forums. What were once isolated corners of the internet, cybercriminals now exploit Telegram’s mainstream presence to become more accessible while reaching a larger, more global audience, faster.

2025 is the tipping point. After taking down global forums, and the remaining remnants of familiar cybercriminal communities, a large portion of criminal activity has shifted to Telegram. This migration has escalated Telegram, principally, to a Telegram-first ecosystem for cybercriminals. As Telegram grows, underground groups are multiplying rapidly. For organizations, and defenders the shift to a Telegram-first cybereconony represents a new risky frontier for the business of cyberspace.

The Threat Landscape in 2025

The underground cybercrime environment has always been fluid. When criminal forums go offline, the criminals do not simply vanish, but they regroup, reconfigure, and adjust their tactics. This is again the case with the events of the beginning of 2025.

The closure of high-profile and widely-known global cybercrime forums undoubtedly created a vacuum in the ecosystem. It only took a few weeks after the closures for Telegram to fill that vacuum, and we see that happen nearly instantly. As such, thousands of new channels emerged dedicated solely to fraud, data leaks, and malware.

Unlike forums, Telegram provided certain benefits, including:

Speed: Instant access to files and updates

Automation: Bots capable of managing requests, distributing data, and even managing subscriptions 24-7

Accessibility: A platform that anyone can download and join without any sort of special tool

Scalability: They could create groups and channels that had tens of thousands of members, and they could grow overnight

Consequently, we now have a radically different threat environment in which information moves faster, criminal tools are more readily available, and the nature of the activity makes it more difficult to track or shut down the activity itself.

threat.watch platform banner with the slogan See. Score. Secure. — threat.watch by Brandefense enables organizations to identify, score, and secure their external cyber risks in real time.

Industry-Specific Consequences

The move to Telegram has created compounded risks across a range of different industries:

Financial services:

Stolen credit card information is commonplace in the Telegram marketplace. Organized fraud rings rely on these groups to provide raw material necessary to carry out carding operations and other financial schemes on large scales.

Healthcare:

Leaked patient records and data from compromised medical devices are appearing more frequently, supporting ransomware groups and extortion scams targeting hospitals and health clinics.

Retail & e-commerce

Attackers are using large combolists to launch credential stuffing campaigns, taking over customer accounts and abusing stored payment credentials.

Critical infrastructure

Compromised devices and systems are being marketed on Telegram, creating risk for organizations in energy, transportation and manufacturing.

These industries are not simply targets of opportunity – they are targeted because they present opportunities for attackers to directly monetize access to these organizations. Within minutes, organizations can establish a marketplace to sell hacked data and access (such as Telegram), and in seconds, transfer both to a partner to sell access and data, thus, shortening the time to attack.

Utilization of Telegram Bots in C2 and Phishing Automation

The single greatest change witnessed was the weaponization of Telegram Bots. Intended to offer users convenience, we have shifted their intention to be used as command and control (C2) servers. Who employs the Bots to send commands to malware, control infected devices, and harvest stolen content without needing their own infrastructure.

Simultaneously, phishing campaigns have been leveraging the automation of Telegram. Attackers have now built phishing kits that simply forward compromised credentials to Telegram bots rather than having to build and pay for custom servers.

The result is straight forward, free, and simple:

A victim enters logon information on the phished page.

The information is seamlessly transferred to the Telegram bot.

Within seconds, the attacker receives the compromised information, organized and ready to use.

This automation has contributed greatly to the increase in phishing activity in 2025 and ultimately reduced the barrier for entry for such activity while enabling even small actors to run campaigns at scale. By outsourcing infrastructure to Telegram, cyber criminals are reducing the cost of the operation while increasing their reach.

Activity Scale

As in the case of situations, evidence regarding activity scales is available from the Telegram automation scripts:

861,382 total files identified in the monitored groups

363,596 combolist files (42 percent of the total), highlighting the prevalence of leaked credentials to conduct crime

98,324 botnet files and 71,740 compromised device files, giving actors immediate control of the compromised devices

36,211 sensitive files, which could include company documents, IDs scans, or classified materials

6,487 credit card dumps, representing direct financial risk, even though they were a smaller percentage of the total files included in the dataset

11,016 combolist cited content, and 3,480 botnet scripts that were published in a more ready form without effort”

These statistics reflect not only the volume of activity but the variety of content – from everyday account credentials to live instructions for conducting new botnets: all appear present on Telegram in the form of commodification of crime.

Organizational Implications

These disclosures pose a range of immediate and concerning realities for defenders, including:

Credentials remain the most exploited attack vector. With combolists representing approximately 50% of this data, account takeovers are inexpensive and scalable.

Automation lowers the bar for attackers. Free Telegram bots make phishing campaigns and managing malware available to a low-tech audience.

Industries are being hit with bespoke threats. We are observing financial services, healthcare, retail, and infrastructure being exploited via Telegram marketplaces.

Telegram is the new primary domain of activity. The move away from forums to Telegram is a deep trend, not just the shift of an actor, it is a structural shift in how unsecured actors execute cybercrime.

Conclusion

The closing of prominent cybercrime forums in 2025 changed the face of the underground ecosystem. Telegram is now the go-to hub for cybercriminal activity by offering marketplaces, and even automation, and operational infrastructure on a single platform.

Telegram has become the distribution node and command platform for modern cybercrime. Bots on Telegram are now acting as distributors of the market, phishing data collectors and malware C2 servers. This emphasizes how ingrained Telegram has become in criminal workflows.

The takeaway for SOC analysts, incident responders, and threat researchers is that Telegram is officially no longer simply just a messaging platform to follow, it is the epicenter of cybercrime as of 2025. Leading with proactive monitoring, rapid response of leaked credentials, and ongoing intelligence sharing is necessary to combat this emerging threat.