Messaging platforms like Telegram provide a way for cybercriminals to host, distribute, and execute various functions that ultimately allow them to steal credentials or other information from unsuspecting users. Yet that isn’t the only way in which cybercriminals have leveraged Telegram for their operations.
Building on research into why Telegram has been growing in use among cybercriminals, Intel 471 analyzed what makes the messaging service an efficient alternative to popular underground forums, especially when it comes to the market for compromised access and data. Researchers found that the combination of simplicity and security that Telegram offers has provided a perfect communications hub for attackers: cybercriminals can message others individually or in groups, as well as receive or send large data files. Telegram also offers actors the ability to create bespoke channels for specific interests that are not typically active on cyber underground forums. This enables threat actors to conduct criminal operations by forming and joining groups and channels that align with their interests and goals.
Criminals need easy comms
Among the cybercriminal groups Intel 471 has observed, Telegram is considered the preferred method of anonymous communication as opposed to in-forum messaging services monitored by administrators. Telegram provides actors with near real-time encrypted communication if both parties are online simultaneously, whereas in-forum messaging requires waiting for unencrypted mail notifications. This lag time, along with other security risks associated with forum communications, regularly encourages actors to provide other contact details in forum advertisements, such as email addresses and Telegram IDs.
Additionally, threat actors can conveniently remain in the Telegram application for multiple levels of communication. For instance, a Telegram user can use the same handle to access both individual private messages and group and channel communications, a feature that most messaging platforms have but that has not been integrated into forum communications. The messaging service also allows threat actors to bypass the need for a web host or domain service that potentially would leave them vulnerable to distributed denial-of-service (DDoS) attacks. The actor responsible for the X-Files malware we covered in our previous blog uses Telegram in this manner, on top of using the platform to launch and operate the malware itself.
How different regions are using Telegram
Where threat actors live and the language they speak can significantly influence the decision to use underground forums or Telegram-like services. For example, Chinese threat actors likely leverage Telegram to evade attention from law enforcement since most Chinese cybercrime forums and domestic IM platforms, such as WeChat or QQ, are monitored by regional authorities. However, there are some reasons Asia-based threat actors are hesitant to join Telegram: A new application called Session Manager is increasing in popularity since it does not require personal information to register for an account. Additionally, WeChat and QQ remain popular communication platforms for China-based threat actors since they have ways to send payments inside the platform, a feature Telegram lacks.
We also observed actors gradually abandoning Arabic and Persian-language forums over the last few years, mainly in favor of Telegram channels and groups. Threat actors possibly left language-specific forums after recognizing that other messaging services and underground forums were more popular. They likely assumed Telegram would provide a larger base of followers that would help boost their services’ capabilities. It also is possible that actors in countries with strict internet usage policies, such as Iran, realized Telegram could offer additional operational security (OPSEC) protection and therefore decrease the likelihood of being doxxed.
Aside from financially motivated cybercriminals, hacktivists are also moving to Telegram. Groups that previously were noted to use Facebook and Twitter to advertise defacements and other activity recently were observed using Telegram as their primary communication application. The hacktivist group Jerusalem Electronic Army had a presence on Facebook, but now mostly posts on Telegram. Similarly, the 1877 Team, a hacktivist group believed to be operating in Iraq, has a Facebook and Twitter presence but primarily operates on Telegram. We observed that several older groups that used Facebook are now inactive and that new groups have emerged on Telegram. While Facebook and Twitter now have policies to disable group accounts that promote illicit activity, Telegram does not, which makes it a stable choice for actors to post any content without the risk of being banned.
The new cybercrime marketplace
While Telegram does not have a direct payment option built into the platform, its simple structure makes it a go-to option for cybercriminals seeking a basic yet effective method to manage and engage in illicit business. Several actors and groups use Telegram to mobilize their operations, offering malware logs, compromised accounts and stolen data.
In March 2022, an actor that specializes in selling compromised bank accounts began offering them via a Telegram-based channel alongside the same offerings they had posted on the WWH-Club forum. The actor promoted several other services on Telegram, including a short message service (SMS) spam offering and compromised payment card data with cardholder records.
In May 2022, another actor launched a compromised payment card data shop and promoted it on the actor’s dedicated Telegram channel, which had more than 3,300 members at the time of this report. The Telegram channel was created about a year and a half before the shop was launched, allowing the actor to promote additional products, services or goods available at the time.
Another India-based actor was an administrator of multiple Telegram channels with thousands of followers at the time of this report. Marketplaces the actor operated included the provision of compromised credit cards, escrow and cashout services and video tutorials. The actor also used Telegram groups for backups of operations.
Not a total exodus
Even with the rise in Telegram’s use, threat actors will continue to remain connected to underground forums. The already-established forums still provide additional features that allow actors to build reputations via built-in scoring systems – a popular feature among cybercriminals that Telegram currently lacks. Additionally, while in the past Telegram has taken a laissez-faire approach to privacy policies and has refused to cooperate with law enforcement, the company changed course in 2022, reinforcing its policy on removing personal data that is shared on the platform without consent. It is possible that additional oversight, content moderation and amended platform policies could result in cybercriminals seeking alternative messaging platforms in the future.
Yet, as cybercriminals find themselves making more money by using the service, we expect Telegram to remain a key communication tool among threat actors.