Date: 2024-11-06

Although these changes are arguably a step in the right direction for law enforcement, they’re also driving a migration of cyber criminal activity to other platforms, such as Signal or Session. One cyber crime syndicate, known as the Bl00dy ransomware gang, publicly declared they were quitting Telegram as a direct result of the company’s policy shift. Many hacktivist groups have also followed suit, as have legitimate users who rely on Telegram for freedom of speech in oppressive regimes.

Unfortunately, one could also view such policy shifts as a mere displacement of illegal activity, with cyber crime becoming fragmented across an ever-wider range of platforms. Potentially, this may make it more difficult for law enforcement and cybersecurity analysts to track and disrupt threat actors. For example, red teams may have a harder time gaining access to these underground communities to identify and mitigate threats before they can cause real damage.

Telegram has long been a rich source of threat intelligence, with many public-facing channels being used to organize cyber criminal activity. While private chats have, for the most part, been completely off-limits to threat analysts and law enforcement alike, stricter moderation policies have also been applied to public channels, potentially making it easier to expose criminals. However, while few would argue that that’s a bad thing in principle, it does come with a caveat: Criminals might simply move elsewhere instead.

Perhaps even more concerning is the increased possibility of driving both cyber criminals and hacktivists into the arms of state-sponsored cyber crime and cyber espionage. It also raises the likelihood of threat actors using end-to-end encrypted and decentralized platforms that have even less oversight than Telegram ever did. This could complicate efforts for red teams tasked with simulating attacks or monitoring these communities, reducing their ability to detect threats early.

None of the above necessarily means that there will be a mass exodus of cyber criminal activity from Telegram. After all, with around 900 million monthly users, according to Telegram’s own data, the platform still has the massive audience that large-scale cyber criminal operations, like Malware-as-a-Service, need to expand their reach.

Also, new users can still sign up anonymously using a number purchased from the Fragment blockchain, in which case Telegram’s promise to comply with a request from law enforcement for a user’s phone number becomes irrelevant. That said, Telegram will still be able to share IP addresses, which could still potentially be used to track a user’s activity.