The security industry is treating this like news: criminal networks are migrating from Tor to Telegram. Reports in 2025 and 2026 have documented the shift in detail — stolen credentials sold in public channels, malware-as-a-service bots, initial access brokers posting screenshots of compromised Azure and AWS environments, cryptocurrency laundering operations processing billions through Telegram-based guarantee markets.
We started tracking this migration in 2023. By then, the pattern was already unmistakable in the data flowing through our BlackWebINT collection infrastructure. The question was never whether criminal operations would move to Telegram. It was why it took so long for the broader industry to acknowledge what was happening in plain sight.
Why Tor Was Never Built for Criminal Commerce
To understand the migration, you need to understand what Tor actually requires of its users — and why that friction eventually pushed criminal operations toward easier infrastructure.
Running a marketplace on Tor is genuinely difficult. You need to configure hidden services, maintain .onion infrastructure, handle the latency penalties of multi-hop routing, and deal with constant availability challenges. Pages load slowly. Image-heavy content is impractical. Users need specialized browsers and a baseline of technical knowledge just to access the service. For marketplace operators, the hosting environment is hostile: servers need to be hardened against deanonymization attacks, uptime is unpredictable, and if law enforcement seizes your infrastructure, rebuilding takes weeks.
For customers of these services, the friction is even worse. Installing the Tor Browser is a prerequisite. Navigation is unintuitive. Marketplaces go offline frequently — sometimes because of DDoS attacks from competitors, sometimes because of infrastructure failures, sometimes because of law enforcement takedowns. Finding a working marketplace URL is itself a challenge, since .onion addresses are not indexed by standard search engines and link directories are frequently outdated.
Tor was designed as an anonymity network for legitimate privacy use cases. Criminal operators adapted it for commerce, but the infrastructure was never optimized for the kind of high-volume, high-velocity trade that underground markets demand. That mismatch created an opening.
The OPSEC Tradeoff That Criminals Accepted
Tor provides strong anonymity guarantees — in theory. Traffic is routed through multiple relays, each of which only knows the previous and next hop, so no single node sees both the origin and the destination. This is a meaningful privacy property.
But Tor's anonymity model has a well-known weakness: exit nodes and relay operators. Anyone can run a Tor relay. And law enforcement agencies, intelligence services, and security researchers do exactly that. A significant percentage of Tor exit nodes are operated by entities whose interests are not aligned with the users routing traffic through them. Academic research has repeatedly demonstrated that adversaries controlling a sufficient number of relays can perform traffic correlation attacks, timing analysis, and in some cases full deanonymization of Tor users.
Law enforcement has exploited this aggressively. Operations like the FBI's takedown of Silk Road, the multinational Operation Bayonet that seized AlphaBay and Hansa simultaneously, and the ongoing Operation SpecTor have shown that Tor does not provide the impenetrable shield that many of its criminal users assumed. In several cases, law enforcement operated Tor hidden services themselves for extended periods, collecting intelligence on users who believed they were anonymous.
Criminals noticed. The more sophisticated operators began to question the security model: If law enforcement agencies are running Tor nodes, are we really anonymous? The answer, increasingly, was no — at least not for operators who maintained persistent infrastructure and high-volume traffic patterns that made them vulnerable to correlation analysis.
Telegram offered a different tradeoff. It does not provide the same network-layer anonymity as Tor. Standard Telegram messages are encrypted in transit but not end-to-end encrypted by default (only "Secret Chats" provide E2E). The platform holds metadata. Phone numbers are required for registration, though burner numbers and virtual phone services partially mitigate this. From a pure anonymity standpoint, Telegram is objectively weaker than Tor.
But criminals made a rational calculation: Telegram's operational advantages outweigh its anonymity disadvantages. And for the majority of criminal operations, that calculation has proven correct.
Why Telegram Wins on Operations
The advantages are significant and compound each other:
Zero infrastructure overhead. On Tor, you operate servers, manage hidden services, handle DDoS mitigation, and maintain uptime. On Telegram, you create a channel. The platform handles everything: hosting, availability, content delivery, media embedding, user management. Setting up a criminal marketplace on Tor takes weeks of technical work. On Telegram, it takes minutes.
Built-in audience of nearly a billion users. Tor requires users to install specialized software. Telegram is already on their phones. The barrier to reaching a buyer drops from "install Tor Browser, find a working .onion link, create an account, learn to use PGP" to "click an invite link." This is not a marginal improvement. It is a fundamental change in the economics of criminal distribution.
Channels scale to 200,000 members. Tor marketplace forums rarely exceeded tens of thousands of registered users, and active users were a fraction of that. Telegram channels can reach six-figure audiences. Criminal groups operate networks of interconnected channels with combined reach in the millions.
Bots automate everything. Telegram's bot API allows criminal operators to automate transactions: querying stolen credential databases, processing cryptocurrency payments, delivering digital goods, managing subscriptions. These bots function as automated storefronts, operating 24/7 without human intervention. This level of automation was possible on Tor but required significantly more development effort.
Resilience through redundancy. When a Tor marketplace is seized, it is gone. Infrastructure, user accounts, reputation systems, and escrow funds — all lost. When a Telegram channel is banned, the operator creates a new one and redirects followers through backup channels, other social platforms, or paste sites. Criminal groups like IndoHaxSec maintain networks of redundant channels specifically for this purpose. The overhead of rebuilding is trivial compared to Tor.
Multimedia-native communication. Criminal operators post screenshots of compromised systems as proof of access. They share video demonstrations of malware capabilities. They run live countdown timers threatening data leaks. They embed payment QR codes directly in messages. Tor's bandwidth constraints made media-rich operations impractical. Telegram handles them natively.
What Moved to Telegram
The migration has been comprehensive. Nearly every category of criminal commerce that existed on Tor darknet markets is now replicated — and in many cases expanded — on Telegram:
- Initial access brokerage. Channels where operators sell VPN credentials, RDP access, and cloud portal sessions (Azure, AWS, GCP) to compromised corporate environments. Sellers post screenshots as proof. Prices range from $50 for small businesses to $10,000+ for enterprise targets.
- Stolen data markets. Bulk credential dumps, stolen credit card databases, personal identity packages (fullz), and browser session cookies. Some channels offer searchable databases via Telegram bots — users send a query and receive matching records automatically.
- Malware-as-a-service. Subscription-based access to infostealers, ransomware builders, phishing kits, and botnet rental. Operators provide customer support, update channels for new versions, and even offer refunds for non-functional tools.
- Financial crime infrastructure. Cryptocurrency mixing services, unlicensed exchanges, money mule recruitment, and laundering operations. Chinese-language Telegram guarantee markets like Xinbi and Huione processed tens of billions in crypto fraud transactions before regulatory intervention.
- DDoS-for-hire and hacktivism. Groups like NoName057 and Cyber Fattah use Telegram to coordinate distributed denial-of-service campaigns, recruit participants, and publicize successful attacks. The platform serves as both command-and-control and public relations.
- Extortion and data leak operations. Ransomware groups and data brokers use public Telegram channels to pressure victims. They post countdown timers, sample files from stolen data, and status updates on ongoing negotiations. The public nature of Telegram amplifies the reputational pressure on targets.
The Intelligence Implications
For intelligence and law enforcement agencies, this migration is a double-edged development.
The challenge is obvious: criminal activity that was concentrated in a relatively small number of Tor marketplaces is now dispersed across thousands of Telegram channels in dozens of languages. The volume of content to monitor has increased by orders of magnitude. Channels appear, disappear, and reconstitute constantly. The pace of operations is faster. The geographic and linguistic diversity is greater.
But there is a significant upside that is often overlooked: Telegram is far more collectable than Tor.
Tor was designed to resist collection. Its architecture makes monitoring difficult by design. Scraping .onion sites requires operating within the Tor network. Content changes frequently and is not indexed. Marketplace access often requires accounts with established reputation.
Telegram channels, by contrast, are accessible. Many are public or semi-public. Content is delivered in real time via APIs. Messages include structured metadata. Media is embedded directly. User interactions — forwards, replies, reactions — reveal network connections between channels and operators. For intelligence platforms with the right collection infrastructure, Telegram is a vastly richer intelligence environment than Tor ever was.
This is where our BlackWebINT platform operates. Automated collection across Telegram channels, forums, and groups in 50+ languages, with entity extraction, network mapping, and real-time alerting. The same criminal operators who moved to Telegram for operational convenience also moved into an environment where their communications, relationships, and operational patterns are far more visible to agencies with the right tools.
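The forward-based channel mapping described in this section, as an added example (it is not BlackWebINT code and not part of the original article). It links channels that repeatedly forward each other's posts, which is how a replacement channel gets tied back to a banned one. The record layout, channel names and the `min_weight` threshold are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: (posting_channel, forwarded_from). Channel names and this
# record layout are assumptions for the example, not a Telegram API schema.
SAMPLE = [
    ("shop_main", None),
    ("shop_backup1", "shop_main"), ("shop_backup1", "shop_main"),
    ("shop_backup2", "shop_main"), ("shop_backup2", "shop_main"),
    ("shop_new", "shop_backup1"), ("shop_new", "shop_backup1"),
    ("shop_new", "shop_backup1"),
    ("news_agg", "shop_main"),            # single forward: treated as noise
    ("leaks_b", "leaks_a"), ("leaks_b", "leaks_a"),
]

def forward_edges(records):
    """Count forwards as directed edges (source channel, reposting channel)."""
    edges = Counter()
    for channel, source in records:
        if source and source != channel:   # skip original posts and self-forwards
            edges[(source, channel)] += 1
    return edges

def clusters(edges, min_weight=2):
    """Union channels joined by >= min_weight forwards; one-off forwards are ignored."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for (source, channel), weight in edges.items():
        if weight >= min_weight:
            parent[find(source)] = find(channel)
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def top_sources(edges):
    """Rank channels by how many distinct channels repost them (likely origin)."""
    fan_out = Counter(source for source, _ in edges)
    return sorted(fan_out.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    e = forward_edges(SAMPLE)
    print(clusters(e))
    print(top_sources(e))
```

The threshold matters: with `min_weight=1` the aggregator that forwarded a single post would be merged into the operator's cluster.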
The Enforcement Squeeze
The regulatory environment is tightening. Following the arrest of Telegram's founder in France in 2024 on charges related to the platform facilitating criminal activity, Telegram significantly increased its cooperation with law enforcement. The company disclosed data on over 2,000 users in response to U.S. government requests in 2024 alone — a dramatic increase from the 14 requests fulfilled previously. The U.S. Treasury designated Cambodia's Huione Group, linked to a major Telegram-based laundering market, as a primary money laundering concern.
This creates a narrowing window. Criminal operators chose Telegram for its convenience, but that convenience depended partly on the platform's previous reluctance to cooperate with authorities. As cooperation increases, the operational security assumptions underlying the migration erode. Some operators will move to the next platform — possibly decentralized alternatives like Session, SimpleX, or Matrix-based systems. Others will be caught by the same metadata and cooperation mechanisms they underestimated.
What This Means for Your Agency
If your intelligence collection is still focused primarily on Tor and traditional dark web sources, your coverage has a growing blind spot. The underground economy has not disappeared — it has moved to a platform with nearly a billion users and a public API.
Monitoring Telegram at scale requires different tooling than Tor collection. The volume is higher. The content is more diverse linguistically. The channel ecosystem is fluid, with new channels appearing daily and operators actively migrating between accounts. Effective monitoring requires automated collection, multilingual NLP, entity resolution across channels, and network analysis that maps relationships between operators, channels, and criminal groups.
The criminals moved to Telegram because it was easier. For intelligence agencies with the right infrastructure, that same decision made them easier to find.