Dark Web Threat Intelligence Series Part One: Cyberthreats on Telegram


Telegram is a free, end-to-end encrypted instant messaging app with over 550 million users worldwide. Telegram likes to portray itself as an alternative to Signal and WhatsApp.

On the surface it might look like Telegram is just another instant messaging app, but when you dig deep the reality couldn’t be more different.

What makes Telegram an ideal place for criminals

Unlike WhatsApp and Signal, Telegram allows users to hide their phone numbers from other users and communicate through use of just usernames.

It is easier to set up channels, group chat rooms, and secrets chats on Telegram instead of setting up a dark web market which requires setting up servers, website administration, and attracts a ton of scrutiny from law enforcement agencies.

A wide user base of 550 million users allows criminals to attract more customers to their illicit Telegram channels and group chats.

Telegram has a low barrier to access. To access hidden onion network sites users need to install the Tor browser and need to be somewhat tech savvy, but Telegram is just another app on the app store.

Lack of strict moderation in place makes Telegram an ideal place for cybercrime.

A look into different types of illegal activities

Telegram is a popular place for cybercriminals to sell and share stolen financial information, compromised bank accounts, fake identification documents, vaccine certificates, and hijacked streaming services accounts just to name a few.

In this blog, we look at different offerings of cybercriminals in various Telegram channels.

Financial Fraud

Sellers on Telegram offer a wide variety of data when it comes to financial fraud.

There are plenty of sellers offering carding (both physical and digital), stolen bank account credentials, hijacked accounts, or pre-KYC verified crypto exchange accounts. Different Telegram channels offer different services.

Data Breaches

Data breaches originally leaked or sold on different forums end up in different Telegram channels. Some are shared freely; others are sold for a price. Different sellers offer data sorting or hash cracking services on leaked databases.

Hijacked Accounts

A wide variety of streaming services, VPNs, and other hijacked accounts continue to be posted freely or sold at lower prices on Telegram from Amazon Prime, Netflix, HBO, Spotify to NordVPN, ExpressVPN just to name a few.

Criminals usually hijack these accounts by leveraging the email and password combinations found in data breaches. Later these accounts are sold in bulk or even handed out for free.

Fake ID, Documents, Vaccination certificates

Last year, Telegram came under scrutiny and negative media coverage because of many active channels selling vaccine certificates. Only after that did Telegram start to crack down on these channels.

Still, many channels continue to offer forged vaccination certificates. Some sellers even claim to get a real vaccine certificate by bribing the health care workers.

Photoshopped drivers licenses, passports, social security cards, and birth certificates are some of the different services offered by sellers on different Telegram channels.

Telegram Seller showing cloned cards and fake vaccination certificates

Tutorials & Bragging

Cybercriminals not only offer their criminal services but also offer tips and techniques for free or as a service. Some even like to brag about all the money they made from committing the fraud. Meanwhile others like to share & sell their methods for crimes.

Bragging about all the money these guys make in public channels also acts as a recruitment tool and attracts young novice criminals to join their operations.

Another telegram user showing off his card cloning, check fraud equipment

Efforts for Taking Down Illegal Channels

Content posted in Telegram channels is not moderated strictly and a lot of illegal channels and group chats fly under the radar.

In 2021, Telegram said in a statement that it has an “ever growing force of professional moderators” removing 10,000 public communities every day for violating its TOS.

As a precaution, admins of criminal channels and group chats already have one or multiple backup channels in place. So if the main channel ever gets taken down, they can fall back to the backup channel. Telegram does not take down backup channels along with the main channels because until the main channel is taken down, criminals do not post anything illicit on the backup channels.

Cybercriminals have been increasingly more active on Telegram & Discord. These days, they use underground forums only as a means for advertising their Telegram & Discord channels, which they then use as their primary mode of communication and selling.

About Us

Thank you for reading this blog! This blog is published by Bolster Research Labs. We are also creators of https://checkphish.ai – a free URL scanner to detect phishing and scams sites in real time.

If you are interested in advanced research and uncovering of new scams or working with cutting edge AI, come work with us at the Bolster Research Labs. Check out open positions here