A new report from Israel-based cybercrime intelligence company KELA reveals how Telegram, one of the leading privacy-first messaging apps, has become home to a “cybercrime ecosystem” comparable to dark web forums.
Most of its users are individuals who rely on it for legitimate messaging and purchases (digital equipment, consumer loans, apparel, and shoes) and who appreciate that it is free and supposedly encrypted.
Criminals meet on Telegram to organize exchanges of stolen personal data, facilitate ransomware payments, and ship illegal goods. The report notes that it is not so much that Telegram offers the best privacy options among messaging services, but that it allows very large private groups and the use of bots, combined with simple account creation requirements that make it easy to hide user identities.
Telegram’s “cybercrime ecosystem” lures both thieves and hacktivists
The use of encrypted messaging apps by criminals is a very predictable development, and the report notes that a variety of such apps is in use. But Telegram has become particularly popular as a cybercrime ecosystem, for several reasons.
The app does have a history of cooperation with law enforcement, and since the code is not public, it is not known exactly what level of privacy protection users actually enjoy.
Nevertheless, it is easy for criminals to create new accounts without giving up any identifying information. They can juggle multiple accounts, signing up with foreign phone numbers that do not require possession of a SIM card. Law enforcement may have some visibility into user activity, but actually identifying and tracking down a careful user is another story.
The platform also has a set of attractive features. One is the ability to create user groups and channels. Channels provide one-way communication that can reach an unlimited number of users. Groups allow communication between users and can host up to 200,000 people. By comparison, Facebook Messenger groups max out at 512, and WhatsApp and Signal both cap out at around 1,000.
The open API also lets users create bots and third-party interfaces to fulfill all sorts of functions a cybercrime ecosystem needs. The platform also allows attachments of up to 2 GB in size with each message.
Finally, it has the largest overall user base of the “alternative” privacy-focused messaging apps: about 700 million users as of November 2022, compared with about 50 million for Signal. And this audience does not need any of the technical knowledge usually required to use the dark web. The Telegram ecosystem is largely out in the open and can be found through simple keyword searches.
The residents of this cybercrime ecosystem are those that you generally see in dark web forums. Ransomware and data extortion gangs use channels to leak victim data and to negotiate payments. People arrange the sale and shipment of illegal physical goods, such as drugs and weapons. Cyber thieves advertise stolen wares such as personal and banking information and corporate secrets. But hacktivists are also a significant force on the platform, using it to claim responsibility for attacks and announce activities in a way that makes it difficult for investigators to track them down.
Favorable features for cybercrime ecosystem
Other encrypted messaging apps have their own small cybercrime ecosystems. The report cites Discord, Jabber, Tox, and Wickr as the leading alternatives. But none of these has anywhere near the core user base or the regular rollout of new features that Telegram has. Some of these alternatives are also only regionally popular; Jabber, for example, is used primarily by Russian hackers. None has an automatic translation tool as robust as Telegram's.
The report indicates that the Telegram cybercrime ecosystem tends to sell individual personally identifiable information and login credentials more than corporate secrets, although high-value database information does appear there for sale from time to time. One example cited is the database of an unnamed insurance company with 120 million customers, offered for $360,000. It is also far from uncommon to find recirculation of corporate information that has already been leaked in prior data breaches.
There are even aggregator channels dedicated to collecting this sort of data. Channels full of stolen data and login credentials from numerous data breaches offer access for as little as $100 to $200 per week or around $2,000 for permanent access.
Direct access to banking fraud services is also available: money mules, credit card skimming, and services that make purchases using stolen card numbers. Ransomware gangs also ply their trade on the platform, though the report finds that other than Lapsus$ they are mostly smaller and lesser-known groups.
Hacktivists are attracted to the same feature set that career criminals enjoy. The Russia-Ukraine war has been a flashpoint on the app, as were the Iran protests of 2022. The largest hacktivist groups on the platform focus on one side or the other of the Ukraine invasion, but Anonymous is among those ranks, as is the pro-Kurdish 1877 Team.
Though Telegram is facing pressure from certain governments to step up its moderation and censorship efforts, the report projects that it will remain a popular cybercrime ecosystem in 2023 and beyond.
Among the groups using the platform are:
— the Lapsus$ data extortion gang. As of December 2022, it had over 55,800 subscribers. However, the group has been quiet since March 2022, when several alleged members were arrested in England;
— the pro-Russian Killnet group. Its main Telegram channel is followed by more than 90,000 users, says the report, and its campaigns are joined by many other influential hacking groups, including XakNet and NoName057;
— the Eternity Project, a malware-as-a-service operation, which uses Telegram bots to sell stolen information to actors who bought access to the service and to let them build the malware binary. The stealer does not have an administrator panel for managing the malware and attacks; everything is done via Telegram;
— “CHECKS GRUB SHOP”, a popular group for selling credit card information, counterfeit and stolen valid cheques, packages of full personal identification of individuals (known as fullz), and stolen bank logs.
KELA recommends the following steps for infosec teams:
— use threat intelligence monitoring solutions to continuously monitor for potential threats on Telegram and take proactive measures to prevent them;
— regularly train and educate employees on how to identify and respond to cyber threats on Telegram;
— implement technical controls, such as firewalls and intrusion prevention systems, to prevent cybercriminals from accessing sensitive data;
— increase collaboration and information sharing with law enforcement agencies and other organizations to improve the ability to detect and disrupt cybercrime on the platform;
— conduct regular audits and assessments to identify any vulnerabilities or areas for improvement in the organization’s defenses against cyber threats on Telegram.
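As an added example that is not part of the article or of the KELA report, the script below shows the triage step behind the first recommendation: once a threat-intelligence feed has collected messages from Telegram channels, a defender still has to decide which of them concern the organisation. It assumes the feed is already available as a list of message records (constructed inline here, with a hypothetical organisation domain example.com) and flags two things: “combolist” lines that expose accounts on the organisation's own domain, which should trigger forced password resets and a reuse check, and plain mentions of the domain (for instance a database advertised for sale), which are lower severity. Secrets are masked and never stored in the alert.

```python
"""Triage of a collected Telegram channel feed for an organisation's own
exposure. Added example; the feed records and the domain are constructed
assumptions, not data from the KELA report."""
import re
from dataclasses import dataclass
from typing import Iterable

ORG_DOMAIN = "example.com"  # assumption: the defender's own domain

# Shape of a "combolist" line: email<sep>secret, with ':' ';' or '|' as separator.
COMBO_RE = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))"
    r"[:;|](?P<secret>\S+)"
)


@dataclass(frozen=True)
class Alert:
    kind: str         # "credential" (account + secret seen) or "mention" (domain named)
    channel: str
    message_id: int
    account: str      # affected email for credential alerts, "" for mentions
    detail: str       # masked hint or message excerpt; never the secret itself


def mask(secret: str) -> str:
    """Keep only the first character and the length, enough for the IR team
    to confirm a match against its own records without storing the secret."""
    return f"{secret[:1]}***(len={len(secret)})"


def triage(feed: Iterable[dict], org_domain: str = ORG_DOMAIN) -> list[Alert]:
    """Return one credential alert per affected account (reposts are common,
    so duplicates are collapsed) plus a mention alert for messages that name
    the domain without exposing credentials."""
    alerts: list[Alert] = []
    seen_accounts: set[str] = set()
    domain_re = re.compile(r"\b" + re.escape(org_domain) + r"\b", re.IGNORECASE)

    for msg in feed:
        text = msg["text"]
        hit_credential = False
        for m in COMBO_RE.finditer(text):
            if m.group("domain").lower() != org_domain.lower():
                continue  # someone else's account; not ours to act on
            hit_credential = True
            account = m.group("email").lower()
            if account in seen_accounts:
                continue
            seen_accounts.add(account)
            alerts.append(Alert("credential", msg["channel"], msg["id"],
                                account, mask(m.group("secret"))))
        if not hit_credential and domain_re.search(text):
            alerts.append(Alert("mention", msg["channel"], msg["id"], "", text[:80]))
    return alerts


# Constructed sample feed standing in for what a monitoring tool would collect.
SAMPLE_FEED = [
    {"channel": "constructed_aggregator_channel", "id": 101,
     "text": "fresh logs\nalice@example.com:Summer2023!\nbob@other.test:hunter2"},
    {"channel": "constructed_aggregator_channel", "id": 102,
     "text": "alice@example.com:Summer2023! (repost)"},
    {"channel": "constructed_market_channel", "id": 7,
     "text": "selling full database of example.com customers, dm for price"},
    {"channel": "constructed_noise_channel", "id": 3,
     "text": "hello world"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FEED):
        print(alert)
```

In a real deployment the feed would come from the monitoring solution's export or API, and the credential alerts would be handed to the identity team as a reset list keyed by account, so that the secrets themselves never leave the collection system.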