Are Telegram's New Policies Spooking Cybercriminals?

Intel 471

Oct 01, 2024

Background

In a significant policy change, Telegram co-founder and CEO Pavel Durov indicated Sept. 23, 2024, his company would improve moderation to remove illegal activity and turn over certain kinds of user data to authorities. First, Telegram will now disclose the IP addresses and phone numbers of users when presented with valid legal requests. Second, Durov claims that a dedicated team of moderators and artificial intelligence (AI) have been used to remove unsafe or illegal content. Telegram also launched a bot to report problematic content, @SearchReport.

Figure 1: Telegram CEO Pavel Durov announced Sept. 23, 2024, that the service will respond to valid legal requests and has removed illegal content.

The changes come after France indicted Durov Aug. 28, 2024, on charges including complicity in running an online platform that allows illegal activity, possession of child sexual abuse material, the sale of drugs and malicious hacking tools, fraud and money laundering. Durov was also charged with refusing to turn over data lawfully requested by authorities. The last charge is key. Politico EU reported an arrest warrant was issued for Durov and his brother, Nikolai, by France March 25, 2024. The warrant was issued after Telegram did not answer a request to identify a user sought by French cybercrime investigators related to a child sexual abuse investigation. Durov remains free on bail in France but cannot leave the country.

Intelligence agencies and law enforcement have long sought Telegram's cooperation with requests for user information related to terrorism, national security and criminal investigations. A previous version of Telegram’s FAQ page on its website declared that “to this day, we have disclosed zero bytes of data to third parties, including governments.” That language is still present in the FAQ; however, a line has been added referring to Durov’s recent announcement.

Russian Access, Ukraine Dumps Telegram

Other recent open source reporting indicates that while Durov’s Telegram did not respond to Western law enforcement requests, Russia — Durov’s birth country — may have secured access as far back as 2018. In April 2018, Russia’s communication regulator, Roskomnadzor, attempted to ban Telegram after it refused a court order to provide the Russian Federal Security Service (FSB) with data it sought related to a terrorist attack in St. Petersburg. The FSB claimed the attacker and accomplices organized the attack using Telegram. It was reported that Telegram agreed to provide IP addresses and phone numbers by August 2018 — the same data Telegram has now committed to supplying with valid legal requests — to the FSB. Roskomnadzor lifted the ban in June 2020 after Durov reportedly committed to combating extremism and terrorism on that platform. Russia has an expansive surveillance regime known as the Operative Investigative Activities (SORM) system, which is authorized to intercept most forms of communication, including social media such as Telegram, for state purposes.

In March 2022, a Russian official appeared to confirm the ongoing cooperation with Telegram that Western countries couldn’t secure. Oleg Matveichev, who was the deputy head of the Committee on Information Policy, Information Technology and Communications of Russia, said: "Durov found a compromise with the FSB...Telegram has installed equipment so that it can monitor all dangerous subjects." Former U.S. National Security Agency (NSA) Director of Cybersecurity Rob Joyce quoted the “all dangerous subjects” portion of that statement in the Risky Business podcast Sept. 25, 2024. Joyce said “it is very clear” that Durov had reached a compromise with the FSB for access to Telegram, as Durov has been able to come and go from Russia since 2014. Joyce said: “The idea that he (Durov) could come and go while defying Russia is inconceivable.” Telegram’s press page claims Durov left Russia in 2014 “after losing control of his previous company for refusing to hand over the data of Ukrainian protesters to security agencies.” The previous company referred to is VK, or VKontakte, which Durov founded in 2006.

In a related development, Ukraine’s National Coordination Centre for Cybersecurity (NCCC) largely banned the use of Telegram Sept. 19, 2024, by Ukrainian defense, security and critical infrastructure sectors. It does allow for limited use of Telegram for official purposes, as Ukraine uses Telegram to distribute public safety information, such as impending Russian attacks. The Security Service of Ukraine (SBU) and General Staff of the Armed Forces of Ukraine said “Telegram is actively used by the enemy for cyberattacks, spreading phishing and malware, establishing the geolocation of users, adjusting missile strikes, etc.” The NCCC’s news release said: “The Chief of the Defence Intelligence of Ukraine Kyrylo Budanov provided substantiated evidence that Russian special services have access to personal correspondence of Telegram users, even deleted messages, as well as their personal data.”

Underground Reaction

After Durov’s arrest and indictment, some in the underground expressed concern about the operational security (OPSEC) risks of continuing to use Telegram. The reaction to Telegram’s announcement that it would turn over IP addresses and phone numbers raised the urgency of those discussions.

Nearly every top-tier forum began a thread where actors discussed the merits of alternative platforms, and the majority of participants signaled an intent to jump ship from Telegram. On the Exploit forum, users advocated for platforms such as Jabber, Tox and Matrix, while participants on the Cracked forum and various Telegram channels showed a preference for Signal and Session. Some actors went a step further, altering their forum signatures to include Signal as an alternate communication method. The Bl00dy ransomware gang declared it is “quitting Telegram” as a result of Durov’s decision, as seen in the image below.

Figure 2: The Bl00dy ransomware gang's announcement that it is “quitting Telegram.”

Several hacktivist groups, such as Moroccan Cyber Aliens and RipperSec, followed suit, stating they intend to migrate their operations to Signal. Concurrently, the hacktivist group Ghosts of Palestine disclosed it was evaluating alternative platforms and committed to issuing instructions for joining its new communication channels once a suitable option is identified.

Alternative Platforms

Following the community’s discussion of alternative communication platforms, we conducted a detailed comparison of several options including Jabber, Tox, Matrix, Signal and Session to evaluate their potential as replacements for Telegram. This analysis compares each platform against a set of features favored by threat actors, offering a comprehensive overview of their capabilities and limitations.

Other alternatives mentioned in the underground over the last week included Keybase, ICQ, Threema and SimpleX.

Figure 3: A comparison of different messaging platform features.

Based on our evaluation, while Signal and Session are the closest to Telegram in terms of features and are increasingly discussed on underground forums, they still lack certain functionalities compared to Telegram — particularly those favored by cybercriminals. Firstly, neither Signal nor Session supports the extensive bot functionality found in Telegram. This functionality is a critical tool for cybercriminals and enables them to automate tasks, manage large group interactions and orchestrate the operationalization of malware. Additionally, the group capabilities on Signal and Session are significantly more limited, allowing only for smaller group sizes compared to Telegram’s ability to accommodate thousands of users. This is a significant drawback for actors managing large networks, such as hacktivist groups. Finally, Telegram’s robust application programming interface (API) allows developers to build custom tools and integrate various services, enhancing the platform’s utility and flexibility. In contrast, Signal and Session lack such APIs, adhering to a strict privacy-first approach.

From a decentralized perspective, Tox, Jabber and Matrix — although less frequently discussed than the aforementioned alternatives — have also gained momentum in discussions among threat actors. Tox is a peer-to-peer platform widely used by adversaries on underground forums for individual communications; however, a possible remote code execution (RCE) vulnerability in the qTox client application in May 2023 caused widespread distrust of the platform. Jabber is a credible platform used by adversaries operating on Russian-language forums such as Exploit and XSS for one-on-one interactions, but it offers mostly simple chat capabilities. Matrix is an open source platform designed with a focus on privacy that resembles the Discord platform architecture; however, it still lacks many of Discord’s advanced features and may drive away users who seek such capabilities. Overall, while these platforms are effective for standard peer-to-peer communications, they currently lack the advanced functionality required to replace Telegram as a collaboration hub for groups to operate.

Assessment

Telegram’s lack of cooperation with Western law enforcement and its loose moderation have been attractive features for cybercriminals. Illegal cybercriminal activity flourished on the service, including the sale of access credentials, personal data and stolen credit cards, and the sale of services such as bulk short message service (SMS) spam, one-time password (OTP) bots and subscriber identity module (SIM) swapping. From a cyber threat intelligence (CTI) collection perspective, Telegram has been a rich source of threat actor activity as well as insight into the types of in-demand goods and services. To get a sense of the scale, Intel 471 has tracked more than 5,700 Telegram channels (not all of which are still active) that are connected to cybercriminal activity and adds new ones daily. Monitoring these channels can provide real-time insight into how threat actors are targeting organizations.

Considering all the factors mentioned, it appears that while some threat actors may express an intent to transition to alternative platforms, the majority are likely to continue using Telegram. Telegram’s expansive global user base still provides extensive reach, which is crucial for cybercriminal activities such as disseminating information, recruiting associates or selling illicit goods and services. Migrating to a platform with a smaller user base would significantly diminish the potential audience and reach, adversely affecting activities that rely on widespread dissemination. Additionally, Telegram offers a comprehensive suite of features unmatched by any alternative platform currently available.

However, individuals who use Telegram primarily for communication purposes rather than for specialized cybercriminal activities might consider alternatives such as Signal and Session. These platforms are known for their strong emphasis on privacy and security, which makes them attractive options for those concerned with recent policy changes on Telegram. While the policy changes might deter new actors, they are unlikely to sway experienced cybercriminals, who typically employ robust OPSEC measures.

Telegram’s changes elevate its OPSEC risks to more or less the same level as other platforms. Those risks can be countered with use of burner or virtual phone numbers, unregistered SIM cards and IP address-masking techniques through virtual private networks (VPNs), proxies or via the Tor network. The near-term OPSEC risks are probably low given Telegram will be developing processes to handle the flood of law enforcement requests it will inevitably receive. Those first requests will most likely focus on the worst threat actors, like child sexual abuse material, which is what pushed France to charge Durov. Taking all of this into account, we assess with moderate confidence that Telegram will continue to be the preferred platform for threat actors, as no current alternative offers the same blend of advantages that Telegram does. Regular users concerned with privacy, however, may find Signal, Session and other platforms to be viable alternatives.

UPDATE: On Oct. 2, 2024, Durov clarified that his initial post about divulging IP addresses and phone numbers in response to valid legal requests was not a new policy change for Telegram. He wrote on his own channel that Telegram has provided IP addresses and phone numbers in response to legal requests "in most countries" since 2018, including Brazil, India and within Europe. Open-source reporting based on Telegram's Transparency Reports bot indicates this has also been occurring with the U.S. Durov wrote that Telegram has now "streamlined and unified" its privacy policy and will strive to "comply with relevant local laws."