Wednesday, 1 April 2026

CyberPeople

Telegram C2 Is Breaking

A few years ago, Telegram became an almost universal solution for cybercriminals. It covered several needs at once:

This simplicity is exactly what made Telegram so widely adopted among threat actors. But at the same time, it created a structural weakness that is now becoming increasingly visible.

Research by Maor Dayan highlights a critical issue for malicious groups: once a bot token is exposed, control over that channel can effectively be taken by whoever gets to it first. And such leaks are far from rare. Tokens are regularly found in malware samples, in publicly available or leaked phishing kits, and through indexing services like FOFA or urlscan.

At that point, the scenario becomes predictable. A researcher connects to the API, gains access to incoming messages from infected systems or phishing victims, and can either simply read the data or completely break the logic of the channel. In some cases, they can even redirect the data flow.
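The exposure mechanism described above has a defender-side counterpart: when an analyst triages a kit's decoded strings or reviews proxy logs, the first job is to spot the bot token, note which Bot API methods were used with it, and record the finding without re-leaking the credential. The Python below is an added example written for this article, not code from the original post or from Maor Dayan's research. It assumes the commonly observed token shape (numeric bot id, colon, 35-character secret) and the `api.telegram.org/bot<token>/<method>` URL layout; both are assumptions here, not facts the article states, and the sample strings are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed token shape (not from the article): <numeric bot id>:<35-char secret>.
# The negative lookbehind stops a longer number from being split into a bot id;
# the lookahead stops the secret from being cut out of a longer run of characters.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Assumed Bot API URL layout: https://api.telegram.org/bot<token>/<method>
API_CALL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/([A-Za-z]+)"
)


@dataclass
class Finding:
    """One distinct bot token seen in the scanned text."""
    bot_id: str
    masked_token: str
    methods: set[str] = field(default_factory=set)  # API methods used with it
    lines: list[int] = field(default_factory=list)   # 1-based lines where it appears


def mask_token(token: str) -> str:
    """Keep the bot id (an identifier, not a secret) and only the edges of the secret."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:3]}...{secret[-3:]}"


def find_bot_tokens(text: str) -> dict[str, Finding]:
    """Scan decoded strings or log lines; return findings keyed by the raw token."""
    findings: dict[str, Finding] = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Collect API methods first so each token can be tied to the calls on its line.
        methods_by_token: dict[str, set[str]] = {}
        for m in API_CALL_RE.finditer(line):
            methods_by_token.setdefault(m.group(1), set()).add(m.group(2))
        for m in TOKEN_RE.finditer(line):
            token = m.group(1)
            finding = findings.get(token)
            if finding is None:
                finding = Finding(bot_id=token.split(":", 1)[0],
                                  masked_token=mask_token(token))
                findings[token] = finding
            finding.lines.append(line_no)
            finding.methods |= methods_by_token.get(token, set())
    return findings


def redact_tokens(text: str) -> str:
    """Replace every full token with its masked form so a report can be shared safely."""
    return TOKEN_RE.sub(lambda m: mask_token(m.group(1)), text)


# Constructed sample: two config-style lines as they might appear in decoded kit
# strings, three proxy-style log lines, and one near-miss. No token here is real.
SAMPLE = """\
token   = "123456789:AAFakeExampleTokenForIllustration00"
chat_id = "987654321"
2026-04-01T10:15:20Z host=WS-042 POST https://api.telegram.org/bot123456789:AAFakeExampleTokenForIllustration00/sendMessage 200
2026-04-01T10:15:22Z host=WS-042 POST https://api.telegram.org/bot2233445566:AAHConstructedSecondSampleToken0000/sendDocument 200
2026-04-01T10:15:23Z host=WS-042 GET  https://api.telegram.org/bot2233445566:AAHConstructedSecondSampleToken0000/getUpdates 200
note    = "111222333:TooShortToBeAToken"
"""


if __name__ == "__main__":
    for token, f in find_bot_tokens(SAMPLE).items():
        print(f"bot {f.bot_id}: {f.masked_token} lines={f.lines} methods={sorted(f.methods)}")
    print(redact_tokens(SAMPLE))
```

The methods seen alongside a token are worth keeping in the finding: a token only ever used with `sendMessage` or `sendDocument` points to one-way exfiltration, while `getUpdates` indicates the channel is also being read, which matters when deciding whether a host is merely leaking data or taking commands. The masked form is what goes into a report; the raw token stays in the analyst's working set only.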

“Once a bot token is exposed, the entire pipeline becomes controllable by anyone who gets to it first.”

The key point here is that these are no longer isolated incidents. Such actions can now be carried out at scale and with very high speed. In practice, this means that attacker infrastructure can be disrupted within seconds after exposure, fundamentally shifting the balance.

For threat actors, this leads to a loss of trust in their own tooling. A channel that was once considered reliable can, at any moment, stop being under their control. Data may be intercepted, and operations can fail midway.

“Disruption can happen in milliseconds, at scale.”

We are already seeing signs of adaptation. Tokens are being rotated more frequently, bot lifespans are getting shorter, and less data is being stored. However, this looks more like patching the problem than solving it, since the underlying model — relying on a public service for C2 — remains inherently vulnerable.

The logical next step is moving away from Telegram altogether, and this transition is likely to happen quickly. Instead of simple bot-based setups, more traditional approaches will return: dedicated C2 servers, frequently rotating domains, the use of CDNs as a proxy layer (e.g., Cloudflare), and more advanced obfuscation techniques. At the same time, decentralized approaches and distributed communication channels may become more common.

This shift has direct implications for the threat intelligence market. A significant portion of modern solutions is effectively built on the ability to “observe” threat actors through their own mistakes — particularly via exposed Telegram channels, misconfigured panels, or accessible data storage.

“This model depends on attackers continuing to make OPSEC mistakes.”

That assumption is now starting to break down. As threat actors move toward more controlled and less exposed infrastructure, the volume of interceptable data will inevitably decrease. As a result, services that rely on these sources may face a significant loss of visibility.

What does this mean for incident response teams? It marks a return to more demanding work. There will be fewer quick wins based on intercepted data and more reliance on in-depth analysis. Malware reverse engineering, infrastructure tracking, network activity analysis, and proactive threat hunting are becoming critical again.

In essence, we are witnessing the end of a short period when a large portion of intelligence could be obtained relatively easily. Going forward, that model will be far less effective — and approaches to intelligence collection will need to evolve accordingly.
