Cybercriminals need easy ways to communicate, connect, and plan, whether they’re trading stolen credentials, rallying hacktivists, or mounting a targeted attack. Instant messaging platforms meet this need and are now an essential tool for cybercriminals. Since Intel 471 consistently follows threat actors wherever they go, we recently added Signal group chats to our messaging platform intelligence collection to ensure customers have the fastest insights into emerging threats across the highly guarded cybercrime forums and messaging groups we actively participate in. This is one more example of Intel 471’s constant expansion of cybercriminal source coverage, adding to our already comprehensive set of covered sources.
Cybercriminals began gravitating towards messaging apps throughout 2021 and 2022 following a handful of data breaches and leaks impacting well-known cybercrime forums that we reported in early 2021. The leaks revealed users’ private messages, contact names, and email addresses, likely driving some forum users to seek alternatives.
Discord and Telegram shaped up to be the most popular platforms for cybercriminals. Telegram offered near real-time encrypted communication between individuals, groups chats up to 200,000 users, and channels to broadcast to an unlimited number of viewers. Both platforms also contained developer functionality that enabled actors to automate parts of their malware operations and store stolen data.
Why add Signal to Intel 471 source collections now?
Compared to Telegram, Signal today is not a significant hub for cybercrime, but our collection of relevant Signal chat groups has steadily increased since we added our initial batch of groups. One reason for Telegram’s popularity with cybercriminals was its lack of cooperation with law enforcement. Telegram claimed on its website that it had not disclosed any user data to a third party or government.
However, the arrest of Telegram CEO Pavel Durov by French authorities on August 28 altered the messaging landscape for cybercriminals. Shortly after his arrest, Durov updated Telegram’s privacy policy and FAQ to state that it can disclose user IP addresses and phone numbers when presented with valid legal requests. (Durov later clarified that Telegram had in fact satisfied legal requests for this user data in most countries since 2018). Nonetheless, the apparent policy shift caused alarm among cybercrime communities using Telegram and prompted some to consider alternatives. On the Exploit forum, users advocated for platforms such as Jabber, Tox and Matrix, while participants on the Cracked forum and various Telegram channels showed a preference for Signal and Session.
After observing these discussions, we conducted a detailed comparison of these alternatives to evaluate each platform’s potential as replacements for Telegram. We concluded that the community's interest in Signal was high. Signal is known for its strong emphasis on privacy and security, which makes it attractive for those concerned with Telegram’s policy changes and who primarily need an alternative platform for communication.
The value of monitoring of messaging groups: speed, insight, alerts
From a cyber threat intelligence perspective, monitoring Telegram channels continues to be a rich source for threat actor activity and insights into demand for various cybercrime goods and services. Intel 471 tracks new channels if there is a tangent to cybercriminal activity. Our collection from more than 6,600 Telegram channels continues to grow, though not all of these channels are still active.
The continuous coverage of messaging platform channels and groups enables customers to set up watchers against specific groups across Telegram, Discord, underground forums, and now Signal chat groups too, that create alerts for developing events customers need to observe. Monitoring these channels can provide early indicators of emerging threats, real-time insight into threat actor targeting, and a chance to mitigate potential impacts from the sale of compromised credentials, stolen data and payment cards, weaponized vulnerabilities and more.
We expect the value of monitoring Signal chat groups to increase over time as we identify more groups to monitor and as customers’ threat intelligence and security teams request more chat groups to be added for collection, providing new windows for real-time insights into how threat actors are targeting and infiltrating organizations.
For similar reasons, we recently expanded our collection sources with the data leak blogs collection enhancement in response to threat actors switching from encrypting victims’ data to exfiltrating and leaking data. Our coverage of data leak blogs enable customers to take preventative action and mitigate the impact of data extortion attacks faster. Customers can set up watchers to receive alerts, see when files are taken down, and track adversary operations in near real-time.
The future: Messaging platforms, underground forums and breaches
This year’s most high profile breach event impacted multiple companies’ using Snowflake’s data warehousing platform. The breaches reinforced the need to maintain broad visibility and real-time collection across underground cybercrime forums and instant messaging groups — the places where threat actors bought and sold malware logs containing credentials for Snowflake accounts that had been stolen from computers previously infected with infostealer malware.
The shift to Telegram and Discord didn’t spell the end of cybercriminals staying connected on underground forums. Primarily, these messaging apps offered them another option for communication with some advantages and drawbacks. Telegram offered threat actors a more resilient platform for communication than was available with a web host or domain service. Some threat actors use Telegram as a backup for their underground online operations or mirror their services across both. Yet well-established forums provide actors with something Telegram lacks: vendor reputation scores that foster trust between buyers and sellers. Similarly, Signal lacks Telegram’s application protocol interfaces that have allowed infostealer developers to use Telegram messaging capabilities to automate the exfiltration of stolen data. For now, Signal chat groups meet the needs of threat actors who primarily need a private and secure alternative for communicating, coordinating, and planning their next attacks.
