A new report from cybercrime intelligence firm KELA documents how Telegram, one of the leading privacy-first messaging apps, has become home to a “cybercrime ecosystem” comparable to dark web forums.
Criminals are meeting on Telegram to organize exchanges of stolen personal data, facilitate ransomware payments, and ship illegal goods, all functions that the dark web has been infamous for since “Silk Road” became something of a household name. The report notes that the draw is not so much that Telegram offers the best privacy options among messaging services, but that it allows for building very large private groups and the use of bots, combined with simple account creation requirements that make it easy to hide user identities.
Telegram’s “cybercrime ecosystem” draws both thieves and hacktivists
The use of encrypted messaging apps by criminals is a very predictable development, and the report notes that a variety are used. But Telegram has become particularly popular as a cybercrime ecosystem for a variety of reasons.
The messaging app does have a history of cooperation with law enforcement, and since the code is not public it is not known exactly what level of privacy protection users are enjoying. Criminals are nevertheless attracted to it because it is easy to create new accounts without giving up any identifying information. They can easily juggle multiple accounts, signing up by using foreign phone numbers that don’t require possession of a SIM card or the use of a major carrier. Law enforcement may have some visibility into user activity, but actually identifying and tracking down a careful user is another story.
The platform also has a set of attractive features. One is the ability to create user groups and channels. Channels provide a means of one-way communication that can reach an unlimited number of users. Groups allow for inter-user communication and can host up to 200,000 people; by comparison, Facebook Messenger groups max out at 512, and WhatsApp and Signal both cap out at around 1,000.
The open source API also allows users to create bots and third-party interfaces to fulfill all sorts of functions necessary to a cybercrime ecosystem, and the platform allows attachments of up to 2 GB in size with each message. It can also be accessed via a web browser, making it easier to cover tracks than if an internet-connected phone were required.
Finally, it has the largest overall user base of the “alternative” privacy-focused messaging apps; about 700 million users as of November 2022, compared to about 50 million for Signal. And this audience does not need any of the technical knowledge usually required of the dark web; the cybercrime ecosystem on Telegram is largely out in the open and can be found by simple keyword searches.
The activities that take place in this burgeoning cybercrime ecosystem are those that you generally see in dark web forums. Ransomware and data extortion gangs use channels to leak victim data, and to negotiate payments. People arrange the sale and shipment of illegal physical goods, such as drugs and weapons. Cyber thieves advertise stolen wares such as personal and banking information and corporate secrets. But hacktivists are also a significant force on the platform, using it to claim responsibility for attacks and publicize activities in a way that makes it difficult for investigators to track them down.
Favorable features feed Telegram cybercrime ecosystem
Several other encrypted messaging apps have their own little cybercrime ecosystems: the report cites Discord, Jabber, Tox and Wickr as the leading alternatives. But none of these has anywhere near the core userbase or the regular rollout of new features that Telegram has. Some of these alternatives are also only regionally popular, for example Jabber being used primarily by Russian hackers. None have an automatic translation tool as robust as the one Telegram offers.
The report indicates that the Telegram cybercrime ecosystem leans more toward selling individual personally identifiable information and login credentials than corporate secrets, but that high-level database information does appear there for sale from time to time. One example cited is the database of an unnamed insurance company with 120 million customers, being offered for $360,000. However, it is far from uncommon to find recirculation of corporate information that has already been leaked in prior data breaches.
There are even aggregator channels dedicated to collecting this sort of data, and costs are far from prohibitive. Channels full of stolen data and login credentials from numerous data breaches offer access for as little as $100 to $200 per week, or around $2,000 for permanent access.
Direct access to banking fraud services is also available: money mules, credit card skimming and services that make purchases using stolen card numbers. Ransomware gangs also ply their trade on the platform, though the report finds that other than Lapsus$ they are mostly smaller and lesser-known groups.
Hacktivists are attracted to the same feature set that the career criminals enjoy. The Russia-Ukraine war has been a flashpoint on the app, as were the Iran protests of 2022. The largest hacktivist groups on the platform focus on one side or the other of the Ukraine invasion, but Anonymous is among those ranks, as is the pro-Kurdish 1877 Team.