Telegram has won over users worldwide, and cybercriminals are no exception. While the average user chooses a messaging app based on convenience, user experience and stability (and perhaps, cool stickers), cybercriminals evaluate platforms through a different lens.
When it comes to anonymity, privacy and application independence β essential criteria for a shadow messaging app β Telegram is not as strong as its direct competitors.
It lacks default end-to-end (E2E) encryption for chats.
It has a centralized infrastructure: users cannot set up their own servers for communication.
Its server-side code is closed: users cannot verify what it does.
This architecture requires a high degree of trust in the platform, but experienced cybercriminals prefer not to rely on third parties when it comes to protecting their operations and, more importantly, their personal safety.
That said, Telegram today is widely viewed and used not only as a communication tool (messaging service), but also as a full-fledged dark-market business platform β thanks to several features that underground communities actively exploit.
Is this research, we examine Telegram through the eyes of cybercriminals, evaluate its technical capabilities for running underground operations, and analyze the lifecycle of a Telegram channel from creation to digital death. For this purpose, we analyzed more than 800 blocked Telegram channels, which existed between 2021 and 2024.
Key findings
The median lifespan of a shadow Telegram channel increased from five months in 2021β2022 to nine months in 2023β2024.
The frequency of blocking cybercrime channels has been growing since October 2024.
Cybercriminals have been migrating to other messaging services due to frequent blocks by Telegram.
In 2022, we published our research examining how IT specialists look for work on the dark web. Since then, the job market has shifted, along with the expectations and requirements placed on professionals. However, recruitment and headhunting on the dark web remain active.
So, what does this job market look like today? This report examines how employment and recruitment function on the dark web, drawing on 2,225 job-related posts collected from shadow forums between January 2023 and June 2025. Our analysis shows that the dark web continues to serve as a parallel labor market with its own norms, recruitment practices andΒ salary expectations, while also reflecting broader global economic shifts. Notably, job seekers increasingly describe prior work experience within the shadow economy, suggesting that for many, this environment is familiar and long-standing.
The majority of job seekers do not specify a professional field, with 69% expressing willingness to take any available work. At the same time, a wide range of roles are represented, particularly in IT. Developers, penetration testers and money launderers remain the most in-demand specialists, with reverse engineers commanding the highest average salaries. We also observe a significant presence of teenagers in the market, many seeking small, fast earnings and often already familiar with fraudulent schemes.
While the shadow market contrasts with legal employment in areas such as contract formality and hiring speed, there are clear parallels between the two. Both markets increasingly prioritize practical skills over formal education, conduct background checks and show synchronized fluctuations in supply and demand.
Looking ahead, we expect the average age and qualifications of dark web job seekers to rise, driven in part by global layoffs. Ultimately, the dark web job market is not isolated β it evolves alongside the legitimate labor market, influenced by the same global economic forces.
What do hacktivist campaigns look like in 2025? To answer this question, we analyzed more than 11,000 posts produced by over 120 hacktivist groups circulating across both the surface web and the dark web, with a particular focus on groups targeting MENA countries. The primary goal of our research is to highlight patterns in hacktivist operations, including attack methods, public warnings, and stated intent. The analysis is undertaken exclusively from a cybersecurity perspective and anchored in the principle of neutrality.
Hacktivists are politically motivated threat actors who typically value visibility over sophistication. Their tactics are designed for maximum visibility, reach, and ease of execution, rather than stealth or technical complexity. The term βhacktivistβ may refer to either the administrator of a community who initiates the attack or an ordinary subscriber who simply participates in the campaign.
Key findings
While it may be assumed that most operations unfold on hidden forums, in fact, most hacktivist planning and mobilization happens in the open. Telegram has become the command center for todayβs hacktivist groups, hosting the highest density of attack planning and calls to action. The second place is occupied by X (ex-Twitter).
Distribution of social media references in posts published in 2025
Although we focused on hacktivists operating in MENA, the targeting of the groups under review is global, extending well beyond the region. There are victims throughout Europe and Middle East, as well as Argentina, the United States, Indonesia, India, Vietnam, Thailand, Cambodia, TΓΌrkiye, and others.
Hashtags as the connective tissue of hacktivist operations
One notable feature of hacktivist posts and messages on dark web sites is the frequent use of hashtags (#words). Used in their posts constantly, hashtags often serve as political slogans, amplifying messages, coordinating activity or claiming credit for attacks. The most common themes are political statements and hacktivist groups names, though hashtags sometimes reference geographical locations, such as specific countries or cities.
Hashtags also map alliances and momentum. We have identified 2063 unique tags in 2025: 1484 appearing for the first time, and many tied directly to specific groups or joint campaigns. Most tags are short-lived, lasting about two months, with βpopularβ ones persisting longer when amplified by alliances; channel bans contribute to attrition.
Operationally, reports of completed attacks dominate hashtagged content (58%), and within those, DDoS is the workhorse (61%). Spikes in threatening rhetoric do not by themselves predict more attacks, but timing matters: when threats are published, they typically refer to actions in the near term, i.e. the same week or month, making early warning from open-channel monitoring materially useful.
The full version of the report details the following findings:
How long it typically takes for an attack to be reported after an initial threat post
How hashtags are used to coordinate attacks or claim credit
Patterns across campaigns and regions
The types of cyberattacks being promoted or celebrated
Practical takeaways and recommendations
For defenders and corporate leaders, we recommend the following:
Prioritize scalable DDoS mitigation and proactive security measures.
Treat public threats as short-horizon indicators rather than long-range forecasts.
Invest in continuous monitoring across Telegram and related ecosystems to discover alliance announcements, threat posts, and cross-posted βproofβ rapidly.
Even organizations outside geopolitical conflict zones should assume exposure: hacktivist campaigns seek reach and spectacle, not narrow geography, and hashtags remain a practical lens for separating noise from signals that demand action.
To download the full report, please fill in the form below.
Login
