The Telegram messaging app has exploded in popularity among cybercriminals over the past few months. Hordes of dark web users have been flocking to the app as a newly emerging platform for buying, selling, and sharing stolen data and hacking tools.
Launched 8 years ago, Telegram supports broadcast messaging among users through special groups referred to as “channels”. Users can also create public or private channels that interested people can simply join.
Another important Telegram selling point is its support for sending and receiving large files directly in the app, including both text and ZIP files. The platform has since grown to a user base of more than 500 million after passing 1 billion downloads in August 2021.
Cybersecurity investigations now point to an unprecedented trend of dark web users treating Telegram as the new alternative to dark web platforms, which are threatened by uncertainties stemming from hacker-led DDoS attacks and law enforcement seizures.
A recent investigation by cyber intelligence firm Cyberint, in collaboration with the Financial Times, noted the rise in the number of hacker networks sharing data leaks across Telegram channels with subscriber counts reaching the tens of thousands.
Quite obviously, the ease of use and minimal moderation of Telegram groups rank among the many reasons people are turning to Telegram as “the new dark web”. Experts also point to the similarity between the content shared on anonymized dark web sites and on Telegram channels.
Consequently, as Cyberint cyber threat analyst Tal Samra noted in his comments to the Financial Times, experts have seen a rise of more than 100 percent in Telegram usage by cybercriminals.
Black Markets & Illicit Content on Telegram
A quick search on Telegram reveals a host of channels with dark web-facing descriptions concerning their offerings and user subscription base.
One channel called “White House Black Market”, with 200K subscribers, prides itself as the go-to marketplace for meth, fake money, guns, passports, fake driver’s licenses, weed, cloned cards, cocaine, pills, PayPal fraud, and national identification cards.
The Telegram-based market also guarantees safe delivery of goods and customer satisfaction (See below).
Another Telegram channel called “AlphabaY ChanneL” offers cybercriminal wares, including carding tutorials and tech equipment such as laptops, TVs and PS4 units.
Looking back, Telegram has also played host to child sex abuse criminals who would traditionally inhabit dark web platforms. The widely publicized nth room scandal is one such case involving the sharing of illicit content over Telegram.
The nth room scandal was brought to light by Korean law enforcement, who identified various child sex abuse victims linked to pay-to-view Telegram chat rooms. The case was so bizarre that it involved middle school girls performing unnatural sexual acts and self-harm, after which the illicit material was published with the victims’ names and addresses. Quite shockingly, one nth room report described a user who went as far as live-streaming himself abusing a girl after luring her to a motel room.
Additional facts in the case pointed to specific reports noting the involvement of 260,000 users across 56 Telegram chat rooms who made crypto payments of up to $1,000 in exchange for the illicit material.
Combolists are text files containing lists of usernames and passwords in a consistent format. Cybercriminals typically use them as machine-readable input to tools that breach online accounts by automating the authentication process.
Combolists are commonly used in credential stuffing attacks, where threat actors attempt account takeovers across entire websites using account-checking software such as SentryMBA. A combolist lets an attacker automatically check which of the listed accounts are valid on a specific website.
Once validated, the breached accounts are then subjected to a full takeover, leading to a full-fledged fraud campaign.
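Because combolists follow the consistent “Email:pass” layout described above, a defender can parse a leaked dump and pick out the accounts they are responsible for before attackers feed the same file into a checker. The following added example (not from the article or any referenced tool) does that over a constructed sample; the monitored domain list is an assumption for illustration, and passwords are reduced to a truncated hash so the output never carries the secret itself.

```python
import hashlib
import re

# Constructed sample dump in the "Email:pass" style the article describes, with
# the separator variants, stray whitespace, junk and duplicates real dumps contain.
SAMPLE_COMBOLIST = """\
alice@example.com:Winter2021!
bob@corp-example.net;hunter2
  carol@freemail.test : p@ssw0rd
not-an-email-line
dave@mail.example.org:
alice@example.com:Winter2021!
"""
# Assumption for illustration: domains whose accounts the defender is responsible for.
MONITORED_DOMAINS = {"example.com", "corp-example.net"}
# email, then ':' or ';' (optionally padded), then a non-empty password
LINE_RE = re.compile(r"^\s*([^\s:;@]+@[^\s:;]+?)\s*[:;]\s*(\S.*?)\s*$")


def parse_combolist(text):
    """Return unique (email, domain, sha256_prefix) tuples, skipping malformed lines."""
    seen, entries = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # channel ads, headers, empty passwords, broken lines
        email, password = m.group(1).lower(), m.group(2)
        if (email, password) in seen:
            continue  # merged dumps repeat the same pair many times
        seen.add((email, password))
        # keep only a truncated hash so the output can be matched against an
        # internal breach database without storing the password itself
        digest = hashlib.sha256(password.encode()).hexdigest()[:12]
        entries.append((email, email.rsplit("@", 1)[1], digest))
    return entries


def exposed_accounts(entries, monitored=MONITORED_DOMAINS):
    """Entries under a monitored domain: candidates for forced password resets."""
    return [e for e in entries if e[1] in monitored]


if __name__ == "__main__":
    parsed = parse_combolist(SAMPLE_COMBOLIST)
    for email, domain, digest in exposed_accounts(parsed):
        print(f"ALERT: force reset for {email} ({domain}); pw sha256 prefix {digest}")
```

Running it on the sample flags alice and bob for resets while the malformed, empty-password and duplicate lines are dropped.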
Cybersecurity researchers have noted a significantly high number of mentions on Telegram of “Email:pass” and “Combo” – terms threat actors use to refer to stolen email addresses and passwords being shared between users.
In fact, there was one public Telegram channel called “Combolist” that boasted a massive 47K subscriber base, where hackers could sell and share large data dumps containing usernames and passwords belonging to hundreds of thousands of users.
That channel appears to have later re-emerged as a recently created combolist channel called “Combolist.combulist”, after Telegram pulled down the original chat group following a number of complaints from the cybersecurity community to the company behind the messaging app (See below).
Notably, combolists are only a small fraction of the data being leaked through Telegram channels. Financial data such as credit card information and site credentials have become staples of Telegram-based cybercriminals. Some Telegram channels also serve as meeting points between potential customers and cybercriminals peddling malicious software, hacking tools and cyber guides.
The public health and economic effects of the COVID-19 pandemic were followed by cases of misinformation and fake medicines peddled by criminals seeking to cash in on the global crisis.
The misinformation-driven panic created an opportunity for shadow economy actors to sell fake drugs and spread myths about the coronavirus. Vendors on dark web marketplaces scrambled to create hundreds of thousands of listings for COVID-related products, including vaccines, personal protective equipment, and purported remedies.
Similarly, COVID-19 misinformation also cropped up on Telegram, as evidenced by groups and channels that promoted a coronavirus response narrative parallel to that of legitimate authorities.
An example is the rise of anti-vaccination channels that allege a “corrupt motive” on the part of governments looking to help pharmaceutical companies make massive profits while “depopulating” the planet.
One such example is the Telegram channel called “SARS-COV-2 Data Dump Chat”, which has been openly sharing content to undermine the legitimacy of global coronavirus vaccination campaigns – the persons behind the channel’s posts go as far as using quotes from doctors to present the misinformation as factual (See screenshot).
Further research shows that links to Telegram groups are increasingly being shared on underground dark web forums – analytical evidence shows that such cases rose to more than 1 million in 2021, up from 172,035 reported cases in 2020.
These findings suggest that hackers find it increasingly convenient to use Telegram as a communication channel compared with dark web markets, which are filled with barriers meant to keep out DDoS attackers and undercover law enforcement agents.
Importantly, cybersecurity research conducted by vpnMentor revealed large volumes of data in Telegram channels that had been obtained through data breaches of notable organizations such as Facebook, marketing software firms such as Click.org and the dating platform Meet Mindful.
It is generally assumed that a majority of recent data leaks and cyber-attacks are shared on Telegram once the data has been sold successfully on the dark web. In addition, a hacker’s decision to dump large files on Telegram may follow either an unsuccessful extortion attempt against the victim or a failure to find a buyer on the dark web, in which case they choose to leak the data publicly and move on.