Telegram is now the scene of an ongoing fight. On one side, platform moderators and automated bots are working hard to remove illegal content such as online scams and to stop the activities of cybercriminals. On the other side, attackers are constantly devising new ways to avoid detection.
The platform has made progress. Millions of malicious channels and groups are shut down every year. Automated detection has improved.
But cybercriminals are not leaving Telegram. They are adapting. And one of their most effective adaptation strategies revolves around a simple, legitimate feature: Request to Join.
Let me show you how this loophole works and why traditional moderation bots are struggling to keep up.
The 'Request to Join' Feature: A Legitimate Tool with a Dark Side
The creators of the "Request to Join" feature had good intentions. It gives the admins of private groups a say in who joins. This is especially helpful for corporate teams, gated communities, and similar groups that need to control membership.
Some cybercriminals have been using this feature in new and malicious ways to circumvent moderation.
How Attackers Are Using Request to Join Against Moderation
When a Telegram group or channel is public, automated moderation bots can scan it. These bots can sniff out illegal content, spam, or malicious links and report them to Telegram so that it can take action.
But when a group is set to "private" with Request to Join enabled, automated bots cannot see inside. The content is hidden behind an approval gate. Moderators would need to manually join the group, which they cannot do at scale.
The result: Criminal groups operate in plain sight, visible to their members but invisible to moderation bots. They approve new members manually, screening out researchers, journalists, and automated enforcement tools.
This is not a bug. It is a feature. And attackers have learned exactly how to exploit it.
How Cybercriminals Exploit the Loophole
Let me walk you through the exact tactics that security researchers have documented.
Tactic 1: Request to Join
The attacker creates a private Telegram channel or group, and enables "Request to Join" so anyone wanting access must request it.
Why this works against bots:
1. Automated moderation bots cannot bypass the approval gate.
2. The group's content does not show up in public searches or automated scans.
3. Only approved members see what is inside.
Real-world impact: Security researchers have found that a significant percentage of blocked channels are linked to carding operations, personal data trading, and hacking services. Many of these groups use Request to Join to evade initial detection.
Tactic 2: Misleading Channel Description
The attacker creates an illusion of legitimacy by putting phony disclaimers in the channel's bio. For example, a channel bio might falsely state that the channel complies with the platform's terms and conditions. As a result, the channel appears to be on the same footing as other channels, which potentially reduces how visible it is to automated systems.
Why it works: Automated moderation systems scanning channel metadata may flag these channels as lower risk. The disclaimer buys the attacker time to operate.
Tactic 3: Pre-emptive Backup Channels
This is the most sophisticated tactic.
Before a channel is banned, attackers create backup channels, sometimes dozens of them. They pre-populate these backups with members, content, and administration structures.
When a channel is banned: The attacker redirects members to the backup channel within hours. The operation continues almost seamlessly.
The scale: Security researchers have observed spikes in forwarded messages referencing blocked sources during high enforcement periods. This extends the lifespan of criminal content significantly, even after original sources are removed.
Tactic 4: API Abuse and Bot Automation
Attackers use Telegram's own API against it.
Publicly available tools automate large-scale Telegram account actions: spamming, mass reporting, poll voting, and join/leave operations.
How it works:
1. Hackers create new accounts, buy Telegram accounts, or take over existing Telegram accounts.
2. They use these accounts to send automated join requests from each account.
3. Once they have gained access to a private group, they scrape member lists, message history, and shared files.
4. The stolen information is then either sold or used in future attacks.
Tactic 5: Staging Content Outside the Group
Stealthier attackers do not store any of the malicious content in Telegram at all.
Only the following items are kept within Telegram:
1. A welcome message.
2. A link to an outside site (e.g. a forum, a dark web market, or another messaging app).
3. Instructions for retrieving "the real content."
Why it works: Since nothing within the Telegram group contains any violations, moderation bots do not see anything illegal. The crime is happening elsewhere.
Why Traditional Moderation Bots Fail
Moderation bots are designed to scan public content. They look for keywords, file hashes, and known malicious patterns.
What bots cannot do:
| Limitation | Why It Matters |
|---|---|
| Join private groups | Request to Join requires manual approval |
| Analyze intent | A link to an external site could be legitimate or malicious |
| Predict backups | Bots cannot know which backup channel will activate next |
| Detect staging | Content hosted outside Telegram is invisible |
Attackers understand these limitations. They design their operations specifically to stay under the detection threshold.
The Backup Channel Economy
A thriving underground economy has developed around backup channels.
How it works:
1. A primary channel operates until it is banned.
2. The attacker maintains a list of 5-20 backup channels.
3. Members are encouraged to join all backups or to check a "status channel" for the current active link.
4. When a ban happens, the attacker updates a pinned message or a simple webpage with the new active channel.
The result: Enforcement actions become a game of whack-a-mole. Shut down one channel. Three more appear. The criminal enterprise keeps running with little or no interruption.
Reports from security researchers indicate that some criminal marketplaces on Telegram are still functioning after years of operation and several enforcement actions, thanks to their aggressive use of backup channels.
Implications for Security Operations
You are likely tracking threats to your organization on Telegram. For example, you may be monitoring Telegram for data leaks, brand impersonation, or credential fraud. However, the Request to Join loophole creates an untracked area on Telegram.
Some of the threats that can be hidden behind the Request to Join loophole are:
1. Buffered Credentials – A database of usernames and passwords that is shared in private groups.
2. Corporate Data Leaks – Internal documents, source code, customer data, etc. being shared by cybercriminals.
3. Brand Impersonations – Fake customer support channels that are used to scam your users.
4. Phishing Infrastructure – Links to fake login pages that are shared in private communities.
Why traditional Telegram monitoring fails:
Most threat intelligence platforms search only public Telegram channels and groups. They have no access to private groups with Request to Join enabled, which can leave your organization completely blind to criminal activity related to your organization, your employees, or your brand.
How to Detect and Respond
You cannot join every private Telegram group. But you can take other actions.
For Security Teams
1. Watch for outside mentions of Telegram groups.
Criminals promote their private Telegram channels in a wide variety of locations: dark web forums, Discord, WhatsApp, and all social media sites. Monitor these outside locations for conversations about your brand or industry and for any Telegram invite links.
2. Monitor backup channels.
If you can identify a malicious channel, look for related channels as well. Attackers typically use naming patterns to help them identify their backup channels (e.g., "BrandShop1," "BrandShop2," "BrandShop3").
3. Create honeypot accounts.
Low-activity, anonymous Telegram accounts are necessary to obtain access to restricted private group chats. It also helps to build a realistic activity history for these accounts, so there is little chance that they will stand out during the manual approval process.
4. Create an official report.
Before submitting a violation report for a channel that violates the TOS (terms of service) and the restrictions on use of the platform, make sure it includes the following:
1. Channel username and link.
2. Screenshots of the content that violates the TOS.
3. A description of how the Request to Join feature is being abused.
4. Any other identifying information about the backup channel.
Detailed reports are more likely to result in enforcement action than automated flagging.
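Steps 1 and 2 above lend themselves to automation. The following Python script is an added example, not code from the original article: it extracts Telegram links from text gathered at outside sources, separates private invite links from public usernames, and groups public names that differ only by a trailing number, as in the BrandShop1/BrandShop2/BrandShop3 pattern. The sample posts, the brand "ExampleBank", and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# t.me link forms: "+<hash>" and legacy "joinchat/<hash>" are private invite
# links; anything else is treated as a public username (5-32 characters).
TME_RE = re.compile(
    r"\b(?:t|telegram)\.me/"
    r"(?:(?:\+|joinchat/)(?P<hash>[A-Za-z0-9_-]+)"
    r"|(?P<user>[A-Za-z][A-Za-z0-9_]{4,31}))",
    re.IGNORECASE,
)

# Constructed sample posts (source id, text); "ExampleBank" is a made-up brand.
SAMPLE_POSTS = [
    ("forum-post-1", "ExampleBank logs, join https://t.me/+AbCdEf123456 (approval needed)"),
    ("forum-post-2", "main is down, backups: t.me/BrandShop2 and t.me/BrandShop3"),
    ("paste-7", "old link t.me/BrandShop1 is dead"),
    ("chat-export", "recipes group https://t.me/joinchat/ZZZ999 come join"),
    ("blog", "Follow us at https://t.me/example_news"),
]

def extract_links(text):
    """Return (kind, value) pairs; kind is 'invite' (private) or 'public'."""
    return [("invite", m.group("hash")) if m.group("hash")
            else ("public", m.group("user"))
            for m in TME_RE.finditer(text)]

def family_key(username):
    """Collapse backup-style names: BrandShop1, brandshop_2 -> 'brandshop'."""
    return re.sub(r"[_\d]+$", "", username.lower())

def triage(posts, brand_terms):
    """Cluster public names into families; list invites posted near a brand term."""
    families, gated = defaultdict(set), []
    for source, text in posts:
        brand_hit = any(t.lower() in text.lower() for t in brand_terms)
        for kind, value in extract_links(text):
            if kind == "public":
                families[family_key(value)].add(value)
            elif brand_hit:  # private invite mentioned alongside the brand
                gated.append((source, value))
    clusters = {k: sorted(v) for k, v in families.items() if len(v) > 1}
    return clusters, gated

if __name__ == "__main__":
    clusters, gated = triage(SAMPLE_POSTS, ["ExampleBank"])
    print("backup-style families:", clusters)
    print("brand-related private invites to review:", gated)
```

Families with more than one member are candidates for a backup-channel network, and brand-related private invites are the gated groups worth manual review and reporting.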
For Telegram Group Admins (Protecting Your Own Groups)
If you run a legitimate Telegram community, the same loophole can be used against you by attackers, spammers, or raiders.
Protective measures:
1. Require applicants to answer an approval question. Automated bots usually fail to answer questions.
2. Enable slow mode to restrict how often members may post.
3. Use a verification bot such as @GroupHelpBot to confirm that new members are real and to check all new members against spam databases.
4. Periodically review your members and remove those who have not been active or appear to be fake accounts.
The Cat-and-Mouse Game Continues
The Request to Join loophole is not a vulnerability. It is a design choice. Private groups have legitimate uses.
But cybercriminals have mastered the art of looking legitimate while operating illegitimately. For every moderation improvement, attackers find a workaround. Backup channels multiply. Gated groups stay hidden. External hosting evades scanning.
This is not a problem with a single solution. It is an ongoing conflict. Security teams must adapt continuously, just as attackers do.
Conclusion: Visibility Is the First Step
You cannot stop what you cannot see.
The Telegram Request to Join loophole creates a blind spot in automated moderation. Attackers hide behind approval gates. They build backup networks. They host content elsewhere.
Your organization's threat intelligence program must account for these blind spots.
Monitor external channels where criminals advertise their private Telegram groups. Use honeypot accounts where appropriate. Report violations with detailed evidence. And never assume that because you cannot see a threat, it does not exist.
The attackers are in those private groups right now. The question is whether you will find them before they find you.
FAQ Section
1. What is the Request to Join loophole on Telegram?
The Request to Join loophole on Telegram allows cybercriminals to conceal their activity from automated moderation bots by enabling Request to Join on their private groups. The attackers approve only their friends, shutting out any attempts by law enforcement agencies or researchers to investigate them.
2. How do cybercriminals use backup channels on Telegram?
Attackers set up multiple backup channels, pre-populated with both members and content, before a channel is banned. Once one of their primary channels is shut down, they direct their membership base to the next active backup channel and resume their criminal operations. This keeps the criminal enterprise running despite constant attempts by law enforcement to shut it down.
3. Can moderation bots detect private Telegram groups?
No. Standard automated moderation bots cannot scan private groups with Request to Join enabled. The content is hidden behind the approval gate. This is why cybercriminals prefer private groups for illegal activities.
4. What are typical cybercrime activities in a Telegram group?
Carding (trading stolen credit card numbers and common passwords), trading data from leaked company databases, hacking services, impersonating business brands, and sharing links to where the actual criminal activity takes place.
5. How can security teams monitor private groups on Telegram?
Monitor social media and other sites outside Telegram where members of the illegal market mention private groups, use honeypot accounts to gain access and learn more, look for backup channel naming patterns, and, if you find a violation, file a comprehensive report for enforcement.