Where To Next? Alternatives For Telegram

While a lot of Telegram supporters remained steadfast after Pavel’s arrest, others saw this as a signal to bail on the platform. They were afraid of surveillance by law enforcement agencies. The future of Telegram appears uncertain after Durov’s arrest and release and the evolving policies issued by the platform, arguably due in part to pressure from law enforcement. We covered this in a previous Dark Web Pulse. Some threat groups and hacktivists announced their plans to leave the platform. However many still rely on it for their regular and secure communication.

The main alternative platforms being considered are:

• Signal
• Tox
• Discord
• Matrix

Scattering to different platforms would fragment the way threat groups communicate and make it harder for cybersecurity professionals to track them. Each such platform has different levels of accessibility and encryption protocols. Moving away from a single, centralized platform like Telegram into a variety of alternative options therefore makes the monitoring of coordinated cybercrime activities by authorities even more difficult.

Discord and X

There have been various discussions on the forums regarding the use of Discord as a workable alternative, although such migration remains to be anything more than speculation.

The Russian government’s actions against rival platforms like Discord and X have several implications for threat actors using Telegram:

• Increased legitimacy and attractiveness: By blocking or restricting competing platforms, the Russian government effectively reduces the number of alternative spaces for threat actors to operate. This can make Telegram appear as a more viable and less risky option.
• Potential for government support or tolerance: The Russian government’s actions might suggest support for Telegram, leading threat actors to believe their activities will face less scrutiny.
• Shielding from international pressure: By limiting the reach of international platforms, the Russian government may create a more insulated environment for Telegram, making it more difficult for foreign governments or organizations to monitor and disrupt threat actor activities.
• Increased reliance on Telegram: As alternative platforms become less accessible or reliable, threat actors may become more heavily reliant on Telegram for communication, coordination, and the dissemination of malicious content.

Tox

The nature of platforms such as Tox—fully decentralized—means there is no single point of control or moderation. Tox is fully decentralized, requiring users to know specific IDs to chat. Group chats can only be joined through invites, as there are no group invitation links. While there are a lot of mentions of Tox IDs on the dark web, they usually refer to personal users looking for a more secure way of one-on-one communication.

Signal

Signal is known for its high level of privacy, such as end-to-end encryption, and that makes it attractive to users who might be concerned about privacy. Tox and Jabber are also being explored by these groups for their decentralized nature, making tracking harder for law enforcement. Although less private by default, Discord is another consideration due to its ease of setup and how ubiquitous it has become.

As far as the number of users is concerned, initial reports indicate a rise in Signal usage, particularly among the more privacy-conscious groups, although hard numbers about the extent of the increase remain unconfirmed.

Signal is a private messaging app used for safe messaging. While it is considered highly secure and reliable, Signal groups are not completely private because every user can see the other’s phone number. This makes it hard for a signal user to hide their identity while discussing illicit activities.

In order to find Signal groups, our analyst used the External.link filter on Lunar to look up links in the specific invite format of signal.group in the past two years. Only ninety-two unique links were extracted from the past two years. None of those links contained illicit content. Signal does not work well for illicit group chats, and most likely will not become a communication platform for threat actors.

Matrix

Matrix is an open, decentralized, chat protocol that must be used in conjunction with a client, such as Element. Matrix is known to be able to bridge to other platforms like Slack and Discord. Users can also encrypt the chat so that new users can’t read messages that were sent prior to the new user joining.

In order to find Matrix/Element groups, our cyber analyst used the External.link filter on Lunar to look up links in the specific invite format of matrix.to/element.io in the past two years. The number of posts with Matrix/Element links has increased since August 2024, reaching a peak of more than 500 mentions in October. However, only 108 unique links have been extracted from the data for the past two years. About 5% of the chats contained illicit content.

What’s next? Monitoring Telegram to mitigate risk

Although there are split feelings regarding the arrest and the pressure on Pavel by the authorities, the vast majority of the users are still on the platform and there is a lot of trust from the end-users as for now.

So far, there is no record of a drastic change in user numbers on Telegram. To track the long term effect of Durov’s arrest on Telegram users, we analyzed the number of times Pavel Durov or #FreeDurov was mentioned from May to November 2024. You can see that users quickly started and then stopped talking about Durov as users lost interest after his release. There is some chatter around Durov around the time that he changed Telegram’s privacy policy – in September 2024 – but not a lot.

Even with the potential migration to alternative platforms, Telegram remains central to the cyber threat landscape due to its combination of privacy features, ease of access, and decentralized structure. For cybersecurity teams, the challenge of tracking threat actors across a fragmented digital environment only heightens the importance of platforms like Lunar, which enable comprehensive monitoring across encrypted channels. Proactive and consistent monitoring of Telegram specifically is essential for capturing emerging TTPs and generating actionable threat intelligence. While some cybercriminals may explore other secure platforms like Signal, Tox, and Discord, Telegram’s resilience and broad adoption by threat groups mean it will continue to play a critical role in threat actor communications. Staying attuned to this activity is vital for effectively managing risk in a rapidly evolving cyber landscape.