Launched in 2013, the Telegram messaging platform now has around 1 billion users worldwide.
Users value Telegram because it’s fast, reliable, and easy to use. However, its anonymity, secrecy, and light-touch content moderation have also made it the go-to platform for cybercriminals, including fraud rings, hackers, and scammers.
“For as long as we’ve been in the cybersecurity industry, criminal activity has been focused on underground forums,” says Cybercheck senior analyst Stuart Holder. “Whereas in recent years, we’ve seen a shift in how criminals promote and sell to the faster-paced and more efficient Telegram.”
Telegram channels come and go rapidly. As soon as one is shut down, another is created to replace it. This poses a challenge for credential monitoring services.
“New channels pop up constantly, and it’s imperative that we’re on top of their arrivals,” says Stuart Holder. “The larger channels are data-rich and contain a lot of information, so some monitoring services just focus on those. However, at Cybercheck, we spread our work over thousands of channels to ensure we’re receiving credentials from every angle. This gives us our competitive edge. It means we can provide rapid, comprehensive alerting to help organizations stop threats before they spread and prevent attacks before they happen.”
Why do cybercriminals use Telegram?
Telegram itself isn’t an illegal or criminal platform – it’s legitimate and works well. However, it offers key features that make it ideal for criminal activity.
Anonymity
Telegram offers users easy anonymity. You can create an account using just a phone number, and there’s no requirement to provide your real name. The number you use can be virtual or prepaid, and you can hide it from the other members of a group.
Secret chats and end-to-end encryption
Although normal Telegram chats don’t have end-to-end encryption, users can create secret chats that do. Messages in secret chats can self-destruct. These features make it easy for criminals to cover their tracks.
Large groups
Telegram channels and groups can be massive, with hundreds of thousands of members. This makes it easy to run scams, sell stolen data, or coordinate large-scale criminal activity.
Rapid sharing of content
Telegram is fast and reliable, with easy uploads and rapid downloads. Criminals can instantly broadcast information, tools, or stolen data to thousands of people.
They can create a channel, publish breached data, then immediately close or quit the channel and create another.
Light-touch moderation
Telegram’s policing of harmful or offensive content is less stringent than platforms such as Facebook or Instagram. Telegram is slower to respond to content reports and undertakes fewer automated takedowns. This light-touch, laissez-faire approach allows criminals to operate undisturbed.
Easy creation of illegal marketplaces
Telegram channels can function as illegal marketplaces. The platform makes it easy to create bots that can automatically sell data and illicit services, and manage payments and subscriptions.
Global reach
Telegram is free and works worldwide, though some countries have blocked it. It also works well on low bandwidth and with VPNs.
Inside Telegram’s fraud ecosystem
Cybercriminals value Telegram as an alternative to the slower and more complex dark web. This is changing the way cybercriminals advertise their services and monetize stolen data.
Data leaks and stolen credentials
After large breaches, Telegram channels are often the first conduit for distributing stolen credentials, corporate data, and personal information. Entire databases can be posted publicly or sold to the highest bidder.
Some specialized groups go beyond simply trading. They actively recruit insiders, offering them cash or cryptocurrency in exchange for confidential data or access to their systems.
Malware distribution and automated attacks
Telegram’s easy file-sharing simplifies the delivery of malware. Ransomware, trojans, and other malicious packages circulate widely, disguised as trustworthy file types or updates. Users can be lured into downloads that can quickly compromise their organizations.
Bot-driven cybercrime tools are available via subscription-based models such as malware-as-a-service (MaaS) and fraud-as-a-service (FaaS).
The MaaS and FaaS models are boosting cybercrime by lowering barriers to entry and eliminating the need for technical skills and knowledge. This is widening the pool of potential attackers.
Criminal networks and collaboration
Group chats on Telegram promote active collaboration. Criminals share strategies, techniques, and newly discovered vulnerabilities to exploit. Groups recruit new members and provide training and mentoring. This is changing the character of cybercrime, as independent actors come together to form sophisticated, organized teams.
How to protect your business using proactive threat intelligence
Telegram channels are now the go-to platform for cybercriminals to advertise illicit services and stolen data. This is transforming the landscape of cybercrime and presenting new challenges for cybersecurity teams.
As cyber threats evolve at an unprecedented speed, threat intelligence solutions, such as Cybercheck, provide an early warning system.
Our analysts infiltrate and monitor the criminal platforms, forums, and channels where stolen data is exchanged, including Telegram. If cybercriminals are trading information about you or your organization, our credential monitoring solution detects it and alerts you. That means you can change your passwords, block your cards, and shut out attackers before they strike.







