A sweeping enforcement campaign by Telegram has led to the removal of tens of millions of channels and groups, yet cybercriminal activity on the platform continues to expand, according to a new report by Check Point Software Technologies.
The cybersecurity firm disclosed that Telegram removed more than 43.5 million channels and groups in 2025 alone, underscoring the scale of its global crackdown on illicit activities. Daily removals reportedly climbed to as many as 140,000, with a single-day peak exceeding 500,000. However, according to the report, these aggressive measures have not significantly reduced the presence of cybercriminal communities on the platform.
Instead, the findings point to a shifting threat landscape where illicit actors are becoming more resilient. Cybercriminal groups, the report noted, now operate with a level of sophistication that allows them to recover quickly from disruptions. Many create backup channels ahead of enforcement actions, enabling them to rebuild networks almost immediately after they are taken down.
The situation carries particular relevance for Nigeria, where Telegram has grown into one of the most widely used messaging platforms, with an estimated eight million users. Its strong adoption across cryptocurrency trading, online betting, and digital commerce ecosystems has made it an attractive hub for fraudsters and other illicit operators seeking scale and anonymity.
Kingsley Oseghale, country manager for West Africa at Check Point, said the persistence of these networks highlights a widening gap between enforcement efforts and actual risk reduction.
He explained that rather than being dismantled, many of these ecosystems are reorganising and evolving, often staying ahead of platform-level interventions. This, he noted, creates a paradox in which enforcement actions are reaching record levels while the underlying threat continues to expand.
Further insights from the report show that cybercriminals are deploying increasingly advanced tactics to evade detection. These include limiting access to groups through “request-to-join” mechanisms, using deceptive disclaimers to appear legitimate, and operating multiple parallel channels to maintain continuity when one is shut down.
Such strategies reflect a shift in cybercrime operations. Attackers now design their systems with disruption in mind, embedding redundancy into their networks to ensure that enforcement actions do not significantly interrupt their activities.
Check Point also observed that even when channels are removed, the content often persists. The report identified spikes in forwarded messages linked to previously blocked sources, particularly during peak enforcement periods between February and April 2025. This trend suggests that fraudulent materials and operational playbooks continue to circulate long after their original sources have been taken down.
According to the firm, this ability to extend the lifecycle of harmful content further complicates efforts to curb cybercrime on large-scale messaging platforms. Telegram’s combination of scale, ease of use, and discoverability continues to make it a preferred environment for such operations.
In addition, the report highlighted the growing volume of access points into these networks. Over the past three months, Check Point’s exposure management systems tracked approximately three million Telegram invite links circulating within underground communities. This figure significantly outweighs activity on competing platforms, including Discord, which accounted for less than six percent of the volume, while alternatives such as Signal and SimpleX recorded minimal presence.
The findings reinforce concerns that while platform enforcement remains necessary, it may no longer be sufficient on its own. As cybercriminal networks become more structured and adaptive, attention is increasingly shifting toward identifying and dismantling the broader ecosystems that sustain them, rather than focusing solely on individual accounts or channels.
For markets like Nigeria, where digital platforms continue to play a growing role in financial transactions and online engagement, the report indicates the need for heightened awareness and more coordinated responses to emerging cyber threats.
Lower NGX trading cost and seek growth through competitiveness