Research disclosure: This article is based on passive observation
intelligence from the AS-CTI-2026 series (TLP:WHITE). No participation
in illicit activity was performed or implied. All assessments are
analytical and probabilistic in nature.
There's a take circulating in security circles that Telegram "replaced" the dark web. It's wrong and the people saying it are missing something more important.
Telegram didn't replace the dark web. It became the dark web's retail layer: a high-volume, low-barrier, fully or semi-automated surface for the portion of criminal activity that no longer needs the anonymity guarantees of Tor-based infrastructure. And that distinction matters enormously, because the result is a two-tier criminal ecosystem that is structurally more dangerous than either layer alone.
Why the Dark Web Isn't Going Anywhere
Let's establish what the dark web actually offers that Telegram structurally cannot.
Tor routing provides genuine multi-hop anonymization of traffic at the network layer. Monero, the dominant payment rail on serious dark web markets, provides transaction unlinkability that Bitcoin fundamentally cannot replicate. Vetted forum communities have decade-long reputation systems built on PGP-signed communications and escrow structures that require real operational security to participate in. Market administrators on dark web forums can verify vendor history, mediate disputes, and enforce norms in ways that Telegram's bot-operated channels have no equivalent for.
For high-value operations (initial access to enterprise networks, nation-state-adjacent tooling, serious infrastructure procurement, intelligence brokerage), the dark web remains the appropriate infrastructure. The anonymity requirements are non-negotiable. The vetting requirements are non-negotiable. Telegram cannot offer either.
The dark web is not a legacy system being deprecated. It is the sophisticated tier of a bifurcated criminal infrastructure, and it will remain so as long as Tor, Monero, and PGP exist.
What Telegram Actually Displaced
What Telegram did displace, and this is the part that matters, is the volume layer of dark web criminal activity. The commodity transactions. The mass-market operations. The criminal services that were previously accessible only to people willing to navigate Tor, manage a PGP key, and operate with dark web market discipline.
Between 2020 and 2022, dark web market vendors began proactively migrating their customer bases to Telegram. Not because it was more secure. Because it was more scalable. A Telegram link requires no technical threshold from the customer. No Tor. No PGP. No captcha. The vendor gains access to a vastly larger addressable market — anyone with a smartphone and a referral link — at the cost of reduced anonymity that, for commodity transactions, they judged acceptable.
By 2023-2024, Telegram had effectively displaced dark web markets for entire categories of transaction: drug distribution to end consumers, commodity malware sales, financial fraud product distribution. Not because it's better infrastructure (it isn't) but because the operational requirements of those categories don't demand what the dark web provides. A customer buying cannabis doesn't need Tor. A threat actor buying a commodity infostealer doesn't need Monero. Telegram is good enough, and good enough at scale beats excellent in a niche.
The Automation Engine
The Telegram criminal layer has one property that distinguishes it sharply from dark web market equivalents: near-total automation.
Vendor-operated bot systems likely handle over 90% of criminal transactions on the platform (product browsing, payment processing, order confirmation, and delivery coordination) with minimal human intervention during normal operations. This isn't dark web market architecture with a better interface. This is an e-commerce stack built for volume.
The standard transaction flow for drug distribution, the dominant criminal category on the platform, runs entirely without human contact: a customer pays a $5–10 entry fee to join a channel, browses products through a bot interface, receives a cryptocurrency payment address, completes payment, and receives GPS coordinates for a dead drop pickup location. Average transaction value: approximately $100. Zero human contact between vendor and buyer at any stage.
For comparison, dark web market transactions involve escrow systems, dispute resolution, PGP-encrypted communications, and vendor reputation management — all of which require human oversight. The dark web prioritizes security and trust mechanisms. Telegram prioritizes throughput. They are optimizing for different things, serving different operational profiles.
The MITRE Footprint of the Telegram Layer
For security practitioners, the observed ATT&CK mapping of Telegram criminal activity covers the commodity-to-mid-tier range of the threat spectrum:
- T1566 (Phishing) — credential theft kits sold as criminal service; phishing infrastructure distributed at scale
- T1588.001 (Obtain Capabilities: Malware) — commodity stealers (RedLine, Lumma) via automated bot channels
- T1657 (Financial Theft) — compromised financial accounts (fullz, payment processor accounts) as primary product category
- T1078 (Valid Accounts) — stolen credentials sold directly; account takeover services via bot interface
- T1567 (Exfiltration Over Web Service) — Telegram used as C2 and exfiltration channel by multiple malware families
- T1583 (Acquire Infrastructure) — bulletproof hosting, RDP access as infrastructure services
- T1090 (Proxy) — residential proxy services for operational anonymization
- T1119 (Automated Collection) — bot systems automate the complete transaction lifecycle
Notice what's largely absent from this list: the sophisticated, targeted, high-value operations such as APT tooling, zero-day brokerage, and critical infrastructure access. Those remain on dark web forums where the vetting, anonymity, and trust infrastructure exists to support them. Telegram is the volume layer. The dark web handles the apex tier.
A Structural Intelligence Gap
One of the most analytically significant observations from longitudinal monitoring of Telegram criminal channels is the payment infrastructure failure.
Bitcoin dominates criminal transactions on Telegram, a significant operational security error. Unlike Monero-based dark web market transactions, Bitcoin payments create permanent, traceable blockchain records linking transaction patterns to identifiable KYC exchange accounts. The gap between what operators know they should use (privacy coins) and what they actually deploy (Bitcoin, because it reduces customer friction) is directly and consistently observable across channel types.
This OPSEC failure is an intelligence collection opportunity that law enforcement financial investigation units are not fully exploiting, particularly given that the dark web's Monero-dominant payment layer is significantly harder to trace. The two-tier ecosystem has, perhaps unintentionally, sorted criminal operators by their sophistication and their exposure to blockchain forensics.
The Durov Arrest Was Noise
When Pavel Durov was arrested in France in August 2024, the criminal ecosystem on his platform registered zero observable operational impact. Channels stayed live. Bot systems kept processing orders. Transaction flows continued uninterrupted.
This outcome was predictable. Criminal infrastructure on Telegram was never dependent on founder oversight or moderation policy decisions. It had grown into a self-sustaining automated ecosystem. Any enforcement action at the platform level would need to be sustained, coordinated, and targeted at the bot infrastructure itself, not at executives, to have operational impact.
The arrest also illustrates the limits of thinking about this problem as a Telegram problem. Telegram is the current substrate. If enforcement pressure forced a meaningful migration, the same criminal ecosystem would reconstitute on a different platform, likely one with weaker existing law enforcement relationships. The infrastructure is the actors and their automation, not the application.
What the Two-Tier Architecture Means for Defenders
Understanding that we're dealing with a bifurcated ecosystem, not a single criminal infrastructure, has direct implications for how defenders should orient.
Dark web monitoring and Telegram monitoring are not interchangeable. They cover different operational tiers of the same threat landscape. A security team monitoring only dark web forums will miss the commodity credential market, the automation infrastructure for account takeover, and the malware distribution channels that operate primarily on Telegram. A team monitoring only Telegram misses the sophisticated, high-value operations that remain dark web-native.
The barrier to entry for criminal services has collapsed at the Telegram tier. What previously required dark web operational security (accessing commodity malware, purchasing stolen credentials, procuring account takeover services) now requires a Telegram link and a small cryptocurrency payment. Threat actors who would have been filtered out by dark web friction now have functional access to a criminal services marketplace. The overall volume of threats is structurally higher as a result.
The two tiers communicate. Dark web forums reference Telegram channels. Telegram operators advertise on dark web marketplaces. Intelligence that lives only in one tier is incomplete intelligence. The ecosystem is integrated, even if the operational profiles of each tier are distinct.
The Real Threat Model
The dark web is not being replaced. It is being complemented by a vastly more accessible, vastly more automated parallel layer that handles the criminal activity that no longer requires its guarantees.
Together, the two tiers cover the full spectrum: the dark web handles sophisticated, high-anonymity, high-value operations; Telegram handles commodity, volume-driven, automated operations accessible to anyone. The combined surface is broader than either alone, and the Telegram layer specifically represents a threat category that most organizational security frameworks were not designed to address, because it didn't exist at this scale five years ago.
We are not watching Telegram displace the dark web. We are watching a criminal infrastructure that has successfully specialized, with each tier handling the work it is best suited for. That is a more mature, more resilient threat landscape than the one we were modeling before.
This analysis is informed by the AS-CTI-2026-005 report "Telegram as Criminal Infrastructure: Ecosystem, Actors, and Emerging Threats," produced through longitudinal direct community observation. Part of the 30-report AS-CTI-2026 series by Aether Intel — Lead Analyst A-01. TLP:WHITE.
What tier of this ecosystem is your organization currently monitoring? Most threat intel programs I've seen cover one or the other, rarely both with equivalent depth.