Investigation
Telegram & the Dark Web: How a Messaging App Became a CSAM Distribution Hub
With over 950 million monthly active users, Telegram is one of the world's most popular messaging platforms. But behind its reputation for privacy and free speech lies a darker reality: the app has become one of the most significant vectors for the distribution of child sexual abuse material (CSAM) โ in some ways surpassing the dark web itself.
Published May 26, 2026 ยท GuardKids Investigations
950M+
Monthly Active Users
Source: Telegram, 2024
2,460
Unanswered Legal Requests
Source: French Gendarmerie, 2013โ2024
36.2M
NCMEC CyberTipline Reports (2023)
Source: NCMEC Annual Report
โฌ5M
Durov's Bail Amount
Source: French Judiciary, Aug 2024
The Platform Behind the Problem
Telegram was founded in 2013 by brothers Pavel and Nikolai Durov, who previously created the Russian social network VKontakte. The platform was built on a promise of privacy, speed, and freedom from government surveillance โ positioning itself as an alternative to WhatsApp and other mainstream messaging apps.
By 2024, Telegram had grown to over 950 million monthly active usersworldwide. The platform offers end-to-end encrypted "Secret Chats," channels that can broadcast to unlimited subscribers, groups of up to 200,000 members, and the ability to share files up to 2GB in size โ features that make it enormously useful for legitimate communication, but equally attractive for criminal activity.
Unlike platforms such as Meta, Google, or Apple โ which use automated scanning tools like PhotoDNA to detect and report known CSAM โ Telegram has historically done little to no proactive scanning of private messages or group chats. The platform's leadership has framed this as a principled commitment to user privacy. Critics โ including law enforcement agencies, child safety organizations, and the families of victims โ argue it amounts to willful negligence.
Why Telegram Is Different
Most major platforms participate in NCMEC's CyberTipline reporting system and deploy hash-matching technology to identify known CSAM before it spreads. Telegram, until late 2024, did neither at meaningful scale. Its combination of encrypted messaging, massive group sizes, anonymous accounts, and large file transfers created what child safety researchers call a "perfect storm" for predator networks.
Pavel Durov's Arrest
On August 24, 2024, Telegram CEO Pavel Durov was arrested upon landing at Le Bourget airport outside Paris, France. The arrest sent shockwaves through the tech world and ignited a global debate about platform liability, encryption, and child safety.
French authorities charged Durov with six offenses, including "complicity" in the distribution of child sexual abuse material, complicity in drug trafficking, and refusing to cooperate with legally authorized wiretap requests. The charges were the culmination of a years-long investigation by French prosecutors into Telegram's role in facilitating serious crime.
Durov was released on โฌ5 million bail with strict conditions: he must report to French police twice per week and is prohibited from leaving France. The case remains ongoing.
The French Gendarmerie's Evidence
Central to the prosecution was evidence compiled by the French Gendarmerie, which documented 2,460 cases between 2013 and 2024 in which legal requests sent to Telegram โ including requests related to child exploitation investigations โ went completely unanswered. This systematic non-cooperation formed the basis for the "complicity" charges, with prosecutors arguing that Telegram's refusal to assist law enforcement made the platform an active participant in the crimes committed on it.
Global Reaction
The arrest divided opinion. Free speech advocates and some tech leaders argued that holding a CEO personally responsible for user content sets a dangerous precedent. Child safety organizations, meanwhile, called the arrest long overdue. The National Center on Sexual Exploitation (NCOSE)had repeatedly listed Telegram on its "Dirty Dozen" list of companies facilitating sexual exploitation and praised the French action as a turning point in platform accountability.
Telegram's Moderation Failures
Telegram's approach to content moderation has been, by design, minimal. The platform has consistently positioned itself as a neutral infrastructure provider rather than a publisher or moderator of content. In practice, this has meant:
No Proactive CSAM Detection
Unlike Meta (which reported 30.6 million items to NCMEC in 2023) or Google (which reported 1.47 million), Telegram performed no meaningful proactive scanning of private messages or group chats for known CSAM. The platform relied almost exclusively on user reports โ a system that requires victims or bystanders to flag content that platforms with automated tools would catch instantly.
Systematic Non-Cooperation with Law Enforcement
The 2,460 unanswered legal requests documented by the French Gendarmerie were not anomalies. Law enforcement agencies around the world have reported similar experiences. Telegram's terms of service historically stated that it would only comply with court orders related to terrorism investigations โ explicitly excluding child exploitation, drug trafficking, and other serious crimes from its cooperation framework.
Anonymous Account Creation
Telegram allows users to create accounts with minimal verification. Combined with the ability to use the platform through VPNs and the option to hide phone numbers, this creates an environment where predators can operate with near-complete anonymity โ making it extremely difficult for law enforcement to identify and apprehend offenders even when content is discovered.
NCOSE's Criticism
The National Center on Sexual Exploitation (NCOSE)has been one of the most vocal critics of Telegram's moderation practices. The organization has repeatedly placed Telegram on its annual "Dirty Dozen" list โ a compilation of mainstream companies that facilitate sexual exploitation. NCOSE has specifically cited Telegram's failure to deploy CSAM detection tools, its refusal to cooperate with law enforcement, and the ease with which predator networks operate openly on the platform.
How CSAM Spreads on Telegram
Understanding how predators exploit Telegram's features is critical to understanding why the platform has become such a significant threat. CSAM distribution on Telegram operates through several interconnected mechanisms:
Private Groups and Channels
Predators create invite-only groups and channels dedicated to sharing CSAM. These groups can contain up to 200,000 members and are invisible to anyone without a direct invite link. New members are often vetted โ required to share illegal material as "proof" of their intentions before being granted access. This creates closed ecosystems that are extremely difficult for law enforcement to infiltrate.
The 764 Network
One of the most disturbing examples of predator activity on Telegram is the 764 network โ a loosely organized group of offenders who use the platform not only to share CSAM but to actively coerce and extort minors into producing new abuse material. The 764 network operates across multiple platforms but has used Telegram as a primary coordination and distribution hub. Members target vulnerable minors, groom them through direct messages, and use threats of exposure to compel victims into increasingly severe acts of self-harm and sexual abuse.
Bot-Driven Distribution
Telegram's open bot API has been exploited to create automated CSAM distribution systems. Bots can be programmed to accept requests, search archives, and deliver illegal content on demand โ functioning as automated storefronts that operate 24/7 with no human intervention required. When one bot is taken down, a replacement can be deployed within minutes.
Large File Transfers
Telegram's support for file transfers up to 2GB โ far larger than most messaging platforms โ makes it ideal for sharing high-resolution video content. Predators use this capability to distribute complete archives of abuse material that would need to be split across dozens of transfers on other platforms.
Telegram vs. the Dark Web
For years, the dark web โ accessed through the Tor browser and similar anonymization tools โ was considered the primary infrastructure for CSAM distribution. Hidden services hosted forums and marketplaces where offenders could trade material with relative anonymity. But researchers and law enforcement agencies have increasingly identified a shift: Telegram has in many ways replaced or supplemented dark web forums as the distribution platform of choice.
Dark Web Forums
- โข Requires Tor browser and technical knowledge
- โข Slow connection speeds limit file sharing
- โข Sites frequently seized by law enforcement
- โข Smaller, more isolated communities
- โข No mobile app โ desktop access only
- โข Difficult for newcomers to navigate
Telegram
- โข Available in every app store โ no special tools
- โข Fast connections, 2GB file transfers
- โข Groups of up to 200,000 members
- โข Automated bots for content distribution
- โข Mobile-first โ accessible anywhere
- โข Minimal moderation until late 2024
The shift from dark web to Telegram represents a dangerous lowering of the barrier to entryfor accessing CSAM. Material that once required technical sophistication to find is now accessible through a free app that anyone can download. This "mainstreaming" of distribution infrastructure has expanded the audience for CSAM and made it easier for casual offenders to escalate into active participation in abuse networks.
The Convergence Problem
Researchers have observed that many predator communities now operate across both Telegram and the dark web simultaneously. Dark web forums serve as "back channels" for organizing, while Telegram handles high-volume distribution. This hybrid model makes takedown efforts more complex โ removing a Telegram group doesn't eliminate the dark web infrastructure, and seizing a dark web site doesn't disrupt the Telegram channels.
The Numbers
The scale of online child exploitation is staggering, and the data from major reporting organizations paints a picture of a crisis that continues to grow.
36.2M
NCMEC CyberTipline Reports in 2023
Source: NCMEC Annual Report 2023
20.5M
NCMEC CyberTipline Reports in 2024
Source: NCMEC Annual Report 2024
424,047
IWF Reports in 2024
Source: Internet Watch Foundation
8%
Year-over-Year Increase (IWF)
Source: IWF Annual Report 2024
Understanding the NCMEC Numbers
The National Center for Missing & Exploited Children (NCMEC) operates the CyberTipline โ the centralized reporting system used by U.S. tech companies to report apparent CSAM. In 2023, the CyberTipline received 36.2 million reports โ the highest number in its history. The 2024 figure of 20.5 million reports reflects changes in reporting methodology and platform-specific detection rates, not necessarily a decrease in actual abuse.
The IWF's Growing Caseload
The Internet Watch Foundation (IWF), the UK-based organization that works globally to identify and remove CSAM, received 424,047 reports in 2024 โ an 8% increasefrom the previous year. Each report can contain multiple images or videos, meaning the actual volume of illegal material processed is many times higher than the report count suggests. The IWF's data consistently shows that the problem is growing, not shrinking โ despite increased enforcement efforts.
Telegram's Absence from the Data
One of the most telling statistics is what's missingfrom these reports. Major platforms like Meta, Google, and Microsoft account for the vast majority of CyberTipline reports because they actively scan for and report CSAM. Telegram's contribution to these reporting numbers has been disproportionately low relative to its user base โ not because less CSAM exists on the platform, but because Telegram historically did not look for it.
Post-Arrest Changes
Durov's arrest in August 2024 marked a turning point โ not just legally, but in Telegram's approach to content moderation. Under pressure from French authorities and growing international scrutiny, the platform began making changes that would have been unthinkable months earlier.
IWF Partnership (December 2024)
In December 2024, Telegram announced a partnership with the Internet Watch Foundation (IWF) to implement hash-matching technology for detecting known CSAM. This system compares images and videos shared on the platform against a database of confirmed CSAM, allowing automated detection without viewing actual content. It was the first time Telegram had adopted any form of proactive CSAM detection technology.
Updated Terms of Service
Telegram updated its terms of service and privacy policy following the arrest, expanding the categories of crime for which it would cooperate with law enforcement. The platform also began sharing user IP addresses and phone numbers with authorities in response to valid legal requests โ a dramatic reversal from its previous position of near-total non-cooperation.
Increased Moderation Activity
Reports from researchers monitoring Telegram indicate a noticeable increase in channel and group takedowns following the arrest. Several well-known CSAM distribution channels were removed, and Telegram appears to have expanded its moderation team. However, critics note that the scale of the problem far exceeds the platform's current moderation capacity.
Progress โ But Not Enough
While these changes represent meaningful progress, child safety advocates argue they remain insufficient. Hash-matching only catches previously identifiedmaterial โ it cannot detect new CSAM being created and shared for the first time. Telegram still lacks AI-powered detection tools capable of identifying new abuse content, and its end-to-end encrypted Secret Chats remain completely outside any scanning system. The question is whether Telegram's changes represent a genuine cultural shift or a temporary response to legal pressure.
What Needs to Change
Telegram's post-arrest reforms are a start, but meaningfully addressing the platform's role in CSAM distribution will require systemic changes โ from the platform itself, from regulators, and from the broader tech industry.
1. Comprehensive Scanning Technology
Hash-matching is a baseline, not a solution. Telegram needs to deploy AI-powered classifiers capable of detecting previously unseen CSAM, grooming behavior in text conversations, and patterns of predatory activity across groups and channels. Other major platforms have deployed these tools at scale โ there is no technical barrier to Telegram doing the same.
2. Mandatory Law Enforcement Cooperation
Platforms operating at Telegram's scale should be required by law to respond to legitimate legal requests within defined timeframes. The era of 2,460 unanswered requests spanning over a decade must end. International cooperation frameworks need to be strengthened so that a platform headquartered in one jurisdiction cannot simply ignore the legal systems of countries where its users are being harmed.
3. Transparency Reporting
Telegram should be required to publish regular transparency reports detailing the volume of CSAM detected and reported, the number of accounts suspended, response times to law enforcement requests, and the resources dedicated to trust and safety operations. Transparency creates accountability โ and accountability is precisely what has been missing.
4. Platform Liability Legislation
Durov's arrest in France demonstrated that personal liability for platform executives is possible under existing law. Legislators worldwide should examine whether their legal frameworks adequately hold platforms accountable when they knowingly fail to address child exploitation. The threat of meaningful consequences โ financial penalties, market restrictions, and yes, personal criminal liability โ is the most effective driver of change.
5. Support for Survivors
Every image and video of CSAM represents a real child who was harmed. As platforms improve detection and takedown capabilities, they must also invest in supporting the survivors whose abuse material continues to circulate. This includes expedited removal processes, notification systems, and financial contributions to survivor support organizations.
Reporting Resources
If you encounter child sexual abuse material online, or if you suspect a child is being exploited, please report it immediately. Your report could save a child.
NCMEC CyberTipline
Report online child exploitation to the National Center for Missing & Exploited Children.
report.cybertip.org โFBI Tips
Submit tips about suspected child exploitation to the Federal Bureau of Investigation.
tips.fbi.gov โCrisis Support โ 988 Suicide & Crisis Lifeline
If you or someone you know is in crisis, call or text 988 for free, confidential support 24/7.
988lifeline.org โ