Telegram is a free, end-to-end encrypted instant messaging app with over 550 million users worldwide. Telegram likes to portray itself as an alternative to Signal and WhatsApp.
On the surface, it might look like Telegram is just another instant messaging app, but when you dig deeper, the reality couldn’t be more different.
What makes Telegram an ideal place for criminals
Unlike WhatsApp and Signal, Telegram allows users to hide their phone numbers from other users and communicate using only usernames.
It is easier to set up channels, group chat rooms, and secret chats on Telegram than to set up a dark web market, which requires setting up servers and administering a website, and attracts a ton of scrutiny from law enforcement agencies.
A wide user base of 550 million users allows criminals to attract more customers to their illicit Telegram channels and group chats.
Telegram has a low barrier to access. To access hidden onion network sites, users need to install the Tor browser and be somewhat tech savvy, but Telegram is just another app on the app store.
The lack of strict moderation makes Telegram an ideal place for cybercrime.
A look into different types of illegal activities
Telegram is a popular place for cybercriminals to sell and share stolen financial information, compromised bank accounts, fake identification documents, vaccine certificates, and hijacked streaming service accounts, just to name a few.
In this blog, we look at different offerings of cybercriminals in various Telegram channels.
Sellers on Telegram offer a wide variety of data when it comes to financial fraud.
There are plenty of sellers offering carding (both physical and digital), stolen bank account credentials, hijacked accounts, or pre-KYC verified crypto exchange accounts. Different Telegram channels offer different services.
Data breaches originally leaked or sold on different forums end up in different Telegram channels. Some are shared freely; others are sold for a price. Different sellers offer data sorting or hash cracking services on leaked databases.
Hijacked accounts for a wide variety of streaming services, VPNs, and other services continue to be posted freely or sold at lower prices on Telegram, from Amazon Prime, Netflix, HBO, and Spotify to NordVPN and ExpressVPN, just to name a few.
Criminals usually hijack these accounts by leveraging the email and password combinations found in data breaches. Later, these accounts are sold in bulk or even handed out for free.
Fake ID, Documents, Vaccination certificates
Last year, Telegram came under scrutiny and negative media coverage because of many active channels selling vaccine certificates. Only after that did Telegram start to crack down on these channels.
Still, many channels continue to offer forged vaccination certificates. Some sellers even claim to get a real vaccine certificate by bribing health care workers.
Photoshopped driver's licenses, passports, social security cards, and birth certificates are some of the different services offered by sellers on different Telegram channels.
Tutorials & Bragging
Cybercriminals not only offer their criminal services but also offer tips and techniques, for free or as a service. Some even like to brag about all the money they made from committing fraud. Meanwhile, others like to share and sell their methods for crimes.
Bragging about all the money these guys make in public channels also acts as a recruitment tool and attracts young novice criminals to join their operations.
Efforts for Taking Down Illegal Channels
Content posted in Telegram channels is not moderated strictly, and a lot of illegal channels and group chats fly under the radar.
In 2021, Telegram said in a statement that it has an “ever growing force of professional moderators” removing 10,000 public communities every day for violating its TOS.
As a precaution, admins of criminal channels and group chats already have one or multiple backup channels in place, so if the main channel ever gets taken down, they can fall back to the backup channel. Telegram does not take down backup channels along with the main channels because, until the main channel is taken down, criminals do not post anything illicit on the backup channels.
Cybercriminals have been increasingly active on Telegram and Discord. These days, they use underground forums only as a means of advertising their Telegram and Discord channels, which they then use as their primary mode of communication and selling.
Thank you for reading this blog! This blog is published by Bolster Research Labs. We are also the creators of https://checkphish.ai – a free URL scanner to detect phishing and scam sites in real time.