DarkGram: A Large-Scale Analysis of Cybercriminal Activity Channels on Telegram

Date: 2024-09-22
Citations: 0 (Influential: 0)

AI Summary
This study presents the first large-scale analysis of 339 cybercrime channels on Telegram—serving 23.8 million users—revealing systematic dissemination of stolen credentials, malware, phishing links, and hacking tools via giveaway-based lures, alongside resilient anti-takedown mechanisms and a high-risk ecosystem (28.1% of shared links are phishing; 38% of executables contain malicious payloads). Method: We propose DarkGram, the first BERT-based automated framework for malicious post detection on Telegram, integrating NLP classification, dynamic URL and binary analysis, and social graph modeling. Contribution/Results: Applied to over 53,000 posts, DarkGram achieved 96% detection accuracy and directly contributed to the takedown of 196 illicit channels. We publicly release both a curated dataset and the DarkGram framework to enable real-time detection and cross-organizational threat intelligence sharing.

Abstract
We present the first large-scale analysis of 339 cybercriminal activity channels (CACs). Followed by over 23.8 million users, these channels share a wide array of malicious and unethical content with their subscribers, including compromised credentials, pirated software and media, social media manipulation tools, and blackhat hacking resources such as malware, exploit kits, and social engineering scams. To evaluate these channels, we developed DarkGram, a BERT-based framework that automatically identifies malicious posts from the CACs with an accuracy of 96%. Using DarkGram, we conducted a quantitative analysis of 53,605 posts shared on these channels between February and May 2024, revealing key characteristics of the content. While much of this content is distributed for free, channel administrators frequently employ strategies such as promotions and giveaways to engage users and boost the sales of premium cybercriminal content. Interestingly, these channels sometimes pose significant risks to their own subscribers. Notably, 28.1% of the links shared in these channels contained phishing attacks, and 38% of executable files were bundled with malware. Analyzing how subscribers consume and positively react to the shared content paints a dangerous picture of the perpetuation of cybercriminal content at scale. We also found that the CACs can evade scrutiny or platform takedowns by quickly migrating to new channels with minimal subscriber loss, highlighting the resilience of this ecosystem. To counteract this, we utilized DarkGram to detect emerging channels and reported malicious content to Telegram and affected organizations. This resulted in the takedown of 196 channels over three months. Our findings underscore the urgent need for coordinated efforts to combat the growing threats posed by these channels. To aid this effort, we open-source our dataset and the DarkGram framework.
Problem

Research questions and friction points this paper is trying to address.

Cybercrime
Telegram Platform
Illegal Content Dissemination
Innovation

Methods, ideas, or system contributions that make the work stand out.

DarkGram
Malicious Content Analysis
Cybercrime Countermeasure
Authors

S. Roy, University of Texas at Arlington
Elham Pourabbas Vafa, University of Texas at Arlington
Kobra Khanmohammadi, Sheridan College
Shirin Nilizadeh, University of Texas at Arlington
Topics: Security and Privacy; Adversarial Machine Learning; Data (de-)Anonymization; Mis-use Detection and Characterization; Social Com