Telegram emerges as the new dark web for cybercriminals
Telegram has exploded as a hub for cybercriminals looking to buy, sell and share stolen data and hacking tools, according to new research, as the messaging app emerges as an alternative to the dark web.
An investigation by cyber-intelligence group Cyberint, working with the Financial Times, uncovered a growing network of hackers sharing data leaks on the popular messaging platform, sometimes on channels with tens of thousands of subscribers, attracted by its ease of use and light moderation.
In many cases, the content resembled that of marketplaces found on the dark web, a group of hidden websites popular with hackers and accessed using specific anonymization software.
“We have recently seen a more than 100% increase in the use of Telegram by cybercriminals,” said Tal Samra, Cyber Threat Analyst at Cyberint.
“Its encrypted messaging service is increasingly popular among threat actors carrying out fraudulent activity and selling stolen data ... because it is more convenient to use than the dark web.”
Launched in 2013, Telegram allows users to broadcast messages to an audience through “channels” or create public and private groups that others can easily access. Users can also send and receive large data files, including text and zip files, directly through the app.
The platform said it had more than 500 million active users and exceeded 1 billion downloads in August, according to data from SensorTower.
But its use by the cybercriminal underworld could increase pressure on the Dubai-based platform to step up its content moderation as it plans a future initial public offering and explores the introduction of advertising into its service.
According to Cyberint, the number of mentions in Telegram of “Email: pass” and “Combo” – hacker jargon used to indicate that lists of stolen emails and passwords are being shared – has quadrupled in the past year to reach nearly 3,400.
In a public Telegram channel called “combolist,” which had more than 47,000 subscribers, hackers simply sell or broadcast massive data dumps of hundreds of thousands of leaked usernames and passwords.
One post titled “Combo List Gaming HQ” offered 300,000 emails and passwords that it said were useful for hacking into video game platforms such as Minecraft, Origin or Uplay. Another claimed to have 600,000 logins for users of Russian internet group Yandex’s services; others offered Google and Yahoo accounts.
Telegram deleted the channel on Thursday after being contacted by the Financial Times for comment.
Yet email password leaks are only a fraction of the worrying activity in the Telegram marketplace. Other types of data exchanged include financial data such as credit card information, copies of passports and credentials for bank accounts and sites such as Netflix, according to the research. Online criminals also share malware, exploits and hacking guides through the app, Cyberint said.
Meanwhile, links to Telegram groups or channels shared within forums on the dark web grew to over 1 million in 2021, up from 172,035 the year before, with hackers increasingly redirecting users to the platform as an alternative or easier-to-use parallel hub.
The research follows a separate report earlier this year by vpnMentor, who found data dumps circulating on Telegram from previous hacks and data leaks from companies like Facebook, marketing software provider Click.org, and dating site Meet Mindful, among others.
“In general, it seems that most data leaks and hacks are only shared on Telegram after being sold on the dark web – or the hacker failed to find a buyer and decided to share information publicly and move on,” vpnMentor said.
Nonetheless, it called the trend “a serious escalation in the continuing upsurge in cybercrime,” noting that some users in these groups appeared less tech-savvy than a typical dark web user.
Telegram said it was unable to verify vpnMentor’s results because researchers had not shared details identifying the channels in which these alleged leaks were located.
Samra said the dark web cybercriminals’ transition to Telegram was happening in part because of the anonymity offered by the encryption – but noted that many of these groups were also public.
Telegram is also more accessible, offers better features, and is generally less likely to be tracked by law enforcement than dark web forums, he added.
“In some cases, it’s easier to find buyers on Telegram than on a forum because everything is smoother and faster. Access is easier ... and data can be shared much more openly.”
Hackers are less inclined to use WhatsApp both for privacy reasons and because it shows users’ phone numbers in group chats, unlike Telegram, Cyberint said. The encrypted app Signal remains smaller and tends to be used for more general messaging between people who know each other rather than for forum-style groups, it added.
Telegram has long taken a more lax approach to content moderation than larger social media apps like Facebook and Twitter, attracting close scrutiny for allowing hate groups and conspiracy theories to flourish. In January, it began shutting down extremist and white supremacist public groups – for the first time – following the Capitol riots, fearing it would be used to promote violence.
Cyberint’s research – especially the discovery of searchable public cybercriminal groups – raises further questions about Telegram’s content moderation policies and enforcement at a time when chief executive Pavel Durov has said the company is preparing to sell advertisements on public Telegram channels.
It also comes as the company prepares to head into public markets after raising more than $1 billion from a March bond sale to investors including Mubadala Investment Company, the major sovereign wealth fund of the Gulf emirate, and Abu Dhabi Catalyst Partners, a joint venture between Mubadala and the $4 billion New York hedge fund Falcon Edge Capital.
Telegram said in a statement that it “has a policy of deleting personal data shared without consent.” It added that every day its “ever-growing force of professional moderators” removes more than 10,000 public communities for breaches of its terms of service as a result of user reports.