The Telegram instant messaging service is increasingly used by cybercriminals; some experts have even equated its role in the criminal ecosystem to that of the main black marketplaces on the dark web. Let’s try to understand why.
Telegram offers its users “channels,” tools designed to broadcast public messages to an unlimited audience of subscribers. Another convenient feature of channels is that messages are published under the channel’s name, without displaying the name of the author. These channels are used by multiple communities of criminals and black hat hackers to sell, trade and buy many types of illegal services and products, such as payment card data, data breach archives, ransomware-as-a-service, and even access to compromised infrastructure and hacking tools. In short, we are faced with a well-stocked crime bazaar!
However, to access a channel a telephone number is still required; although it is hidden from other users, it is known to the platform operators and therefore accessible to the police in the event of an investigation. This is not a real obstacle, as it is not difficult for a criminal to obtain a telephone number registered in the name of an unsuspecting user; there is also a market for this type of product, which is highly sought after by criminal organizations.
As a demonstration of the growing interest in Telegram among cybercriminals, I cite research recently published by the security company vpnMentor, which shows how some groups have taken to using the Telegram service for their illicit activities.
The company’s experts joined several Telegram groups and channels focused on cybercrime and uncovered intense activity aimed at selling data within a network that sometimes involves thousands of individuals.
“First, there are the Telegram channels, where hackers post data dumps with brief explanations of what people can find inside. These channels are mostly passive, with minimal conversations between subscribers. Some channels have over 10,000 subscribers,” the experts explain. “Hacking groups are also popular, where hundreds of members actively discuss various aspects of cybercrime and how to exploit data breached archives shared within the community.”
In addition to being easier to use than a black market on the dark web, Telegram has undoubted advantages for the criminal enterprise: for example, there is no need to create and manage a website to advertise and sell products and services. Furthermore, a website could be attacked by rival criminal gangs and law enforcement agencies, which is not possible when using a platform such as Telegram.
However, according to the experts, the dark web is still the best place to find fresh archives from data breaches and code to exploit unknown flaws (zero-day exploits). According to vpnMentor, most of the archives and exploits shared on Telegram have already been sold on the major darknet marketplaces, or are offered there when for some reason that sale has failed. The products and services shared on Telegram channels can therefore be described as second-hand.
Another study conducted by Cyberint and commissioned by the Financial Times supports the contention that many cybercriminal activities benefit from the instant messaging app.
Among the advantages of Telegram for criminal activities, the study mentions the looser control the company exercises over content, especially when compared with the moderation implemented by many social media platforms.
“We have recently seen a 100% increase in the use of Telegram by cybercriminals,” said Tal Samra, a cyber threat analyst at Cyberint. “Its encrypted messaging service is increasingly popular with threat actors who conduct fraudulent activities and sell stolen data … as it is more comfortable to use than the dark web.”
According to the study, experts observed a spike in the number of links to Telegram groups or channels shared on cybercrime and dark web hacking forums: the number jumped from 172,035 in 2020 to over 1 million in 2021.
Cyberint researchers analyzed messages exchanged by channel members and observed a spike in the number of terms commonly used in hacking communities, such as “Combo” and “Email: pass”.
These terms refer to batches of stolen credentials; according to the experts, their occurrences in chats have quadrupled in the last 12 months, reaching almost 3,400 instances, which testifies to the intense activity within these channels.
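As an added illustration (not code from the article, vpnMentor or Cyberint), the following Python script mirrors the two measurements described above over a constructed set of sample messages: it extracts Telegram channel and invite links, counts the indicator terms “Combo” and “Email: pass” tolerating case and spacing variants, and separately flags messages that carry actual email:password records, since bare keyword counts are noisy. All message text, channel names and addresses are constructed placeholders.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample messages (placeholders, not real channel content).
SAMPLE_MESSAGES: List[str] = [
    "Fresh combo list 50k lines, email:pass format, dm for price https://t.me/joinchat/AAAAexample",
    "Selling Combo EU 2021, Email: pass, mixed domains. t.me/examplechannel",
    "anyone got the telegram link for that dump channel? https://telegram.me/s/examplechannel",
    "Patch Tuesday summary posted, nothing to do with combos here.",
    "EMAIL:PASS USA 100K, first 10 free: user1@example.com:Passw0rd! user2@example.org:hunter2",
]

# The indicator terms the study counted, as patterns tolerant of case and spacing variants.
INDICATOR_PATTERNS: Dict[str, re.Pattern] = {
    "combo": re.compile(r"\bcombo(?:list|s)?\b", re.IGNORECASE),
    "email:pass": re.compile(r"\bemail\s*:\s*pass(?:word)?\b", re.IGNORECASE),
}

# Telegram links as shared on forums: t.me/<name>, t.me/joinchat/<code>, telegram.me/s/<name>.
TELEGRAM_LINK = re.compile(
    r"(?:https?://)?(?:t|telegram)\.me/(?:joinchat/|s/)?[A-Za-z0-9_+\-]+", re.IGNORECASE
)

# An email:secret token with no whitespace, i.e. an actual leaked record rather than an advert.
CRED_TOKEN = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+:\S+")


def count_indicators(messages: List[str]) -> Counter:
    """Count occurrences of each indicator term across all messages (keyword counts are noisy)."""
    counts: Counter = Counter()
    for msg in messages:
        for name, pattern in INDICATOR_PATTERNS.items():
            counts[name] += len(pattern.findall(msg))
    return counts


def extract_telegram_links(messages: List[str]) -> List[str]:
    """Return every Telegram channel or invite link found, in order of appearance."""
    return [link for msg in messages for link in TELEGRAM_LINK.findall(msg)]


def flag_credential_dumps(messages: List[str]) -> List[int]:
    """Return indices of messages that carry at least one email:password record."""
    return [i for i, msg in enumerate(messages) if CRED_TOKEN.search(msg)]


if __name__ == "__main__":
    print("indicator counts:", dict(count_indicators(SAMPLE_MESSAGES)))
    print("telegram links:", extract_telegram_links(SAMPLE_MESSAGES))
    print("messages with credential records:", flag_credential_dumps(SAMPLE_MESSAGES))
```

Note that the unrelated fourth message still counts toward “combo”, which is why a monitoring pipeline should pair term counts with the stricter record-level check.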
Experts cited the case of a public Telegram channel called “combolist”, which had more than 47,000 subscribers, used by malicious actors to buy, sell and disclose stolen data archives (data dumps).
Other Telegram channels analyzed in the course of the study are used to exchange financial data, including credit card data, credentials for accessing bank accounts and other online services, and copies of passports.
What does Telegram do to stem this worrying phenomenon?
Telegram has released a statement announcing that it has a “policy for the removal of personal data shared without consent”. The company also added that it will devote more effort to tackling abuse of its platform by employing a growing number of professional moderators. To date, more than 10,000 public communities have been removed following user reports of terms of service violations.
Unfortunately, for the reasons above, the use of Telegram channels by cybercrime organizations will continue to increase. Through instant messaging platforms, access to illegal products and services is simple, relatively safe and requires no specific knowledge. Only a significant moderation effort by the companies that manage these platforms could discourage their increasing use.