Telegram hosts a dynamic and fragmented ecosystem of cybercriminal communities that has become a key source of threat intelligence. Yet, discovering and collecting data from these spaces remains difficult due to invite-only access, ephemeral activity, and high noise levels. This work introduces TeleHUNT, an automated framework for systematically discovering and mapping cybercriminal communities on Telegram. TeleHUNT evaluates 28 discovery configurations that combine advertisement types (links, handles, forwards), seed origins (Open Web vs. Dark Web), and contextual or temporal filters to assess efficiency, accessibility, and saturation across multiple operational settings.
Over a 15-day run, TeleHUNT collected more than 43,000 Telegram advertisements linked to 3,468 distinct communities across six cybercrime market segments. Link-based strategies achieved the broadest reach (≈2,000 communities) but generated higher noise (50–70%), while forward- and handle-based approaches offered near-perfect precision (~99%) at the cost of early saturation. Open Web seeds uncovered all six market segments and sustained diversity, whereas Dark Web seeds reached saturation faster. Accessibility analysis confirmed that invite links remain the dominant gateway to private or vetted groups, while forwarded messages obscure provenance. Together, these results provide the first reproducible evaluation of
Telegram cybercrime discovery efficiency, offering actionable guidance for CTI teams seeking goal-driven, scalable intelligence collection.
Roy Ricaldi is a Doctoral Researcher in Cybercriminal Ecosystems at the Threat Analysis Group of Eindhoven University of Technology. His research focuses on the evolution of, and shifts within, the cybercriminal ecosystem, examining emerging technical threats and how organized cybercrime operates as a complex, professionalized economy. Roy investigates the organization, motivation, capabilities, and interactions of offenders, to better understand modern cybercrime and enhance deterrence and disruption efforts.
Emmanuele Zambon is an Assistant Professor in the Threat Analysis Group at Eindhoven University of Technology in the Netherlands. His research focuses on intrusion detection engineering, security operations, and the security of critical infrastructure environments. Emmanuele is the CTO of the Eindhoven Security Hub SOC at TU/e. He co-founded and served as CTO of SecurityMatters, now part of Forescout Technologies, a spin-off company that developed a platform for network monitoring, asset inventory, and intrusion detection for industrial networks deployed worldwide.
Luca Allodi is an Associate Professor at Eindhoven University of Technology, the Netherlands, where he leads the Threat Analysis research group. His research investigates the interplay between attacker operations and defensive strategies and technology, with a focus on Cyber Threat Intelligence, Security Operations, Intrusion Detection, and Social Engineering. He is the Scientific Director and is one of the founders of ESH-SOC at TU/e, a professional Security Operations Center that translates cutting-edge research into operational security practices. He founded and leads CTILab at JADS, a research center and laboratory specializing in tailored Cyber Threat Intelligence data and services. He earned his PhD from the University of Trento, Italy, with a thesis on vulnerability risk evaluation and management.
