Telegram has become a hub for cybercriminals looking to buy, sell and share stolen data and hacking tools, new research shows, as the messaging app emerges as an alternative to the dark web.
An investigation by cyber intelligence group Cyberint, in conjunction with the Financial Times, found a growing network of hackers sharing data leaks on the popular messaging platform, sometimes on channels with tens of thousands of subscribers, drawn by its ease of use and light-touch moderation.
In many cases, the content resembled that of the marketplaces found on the dark web, a group of hidden websites that are popular with hackers and accessed using specific anonymization software.
“We have recently witnessed a more than 100 percent increase in the use of Telegram by cybercriminals,” said Tal Samra, Cyberint’s cyber threat analyst.
“Their encrypted messaging service is increasingly popular with threat actors who conduct fraudulent activities and sell stolen data … as it is more convenient to use than the dark web.”
Launched in 2013, Telegram allows users to broadcast messages to their followers through “channels” or create public and private groups that can be easily accessed by others. Users can also send and receive large data files, including text and zip files, directly through the app.
The platform said it has more than 500 million active users and surpassed 1 billion downloads in August, according to data from SensorTower.
But its use by cybercriminals could increase pressure on the Dubai-based platform to strengthen its content moderation as it plans a future initial public offering and explores introducing advertising to its service.
According to Cyberint, the number of mentions on Telegram of “Email: password” and “Combo” (hacker slang indicating that lists of stolen emails and passwords are being shared) has quadrupled over the past year to almost 3,400.
On a public Telegram channel called “combolist,” which had more than 47,000 subscribers, hackers sell or simply circulate large volumes of data on hundreds of thousands of leaked usernames and passwords.
A post titled “Combo List Gaming HQ” offered 300,000 emails and passwords that it claimed were useful for hacking video game platforms such as Minecraft, Origin or Uplay. Another claimed to have 600,000 logins for users of the services of the Russian internet group Yandex; others for Google and Yahoo.
Telegram removed the channel on Thursday after the Financial Times contacted it for comment.
However, email password leaks account for only a fraction of the worrisome activity in the Telegram marketplace. Other types of data traded include financial data such as credit card information, copies of passports and credentials from bank accounts and sites like Netflix, according to the research. Online criminals also share malicious software, exploits, and hacking guides through the app, Cyberint said.
Meanwhile, links to Telegram groups or channels shared within forums on the dark web rose to more than 1 million in 2021, from 172,035 the previous year, as hackers increasingly direct users to the platform as a more user-friendly alternative or parallel information hub.
The investigation follows a separate report earlier this year by vpnMentor, which found data dumps circulating on Telegram from past hacks and data leaks from companies like Facebook, marketing software provider Click.org, and dating site Meet Mindful, among others.
“In general, it seems that most data breaches and hackers are only shared on Telegram after being sold on the dark web, or the hacker couldn’t find a buyer and decided to share the information publicly and move on,” said vpnMentor.
Still, it called the trend “a serious escalation in the continuing rise in cybercrime,” noting that some users in these groups seemed less tech-savvy than a typical dark web user.
Telegram said it was unable to verify vpnMentor’s findings because investigators had not shared details identifying which channels these alleged leaks were on.
Samra said that the transition of cybercriminals from the dark web to Telegram was occurring in part due to the anonymity that encryption provides, but noted that many of these groups were also public.
Telegram is also more accessible, provides better functionality, and is generally less likely to be tracked by police compared to dark web forums, he added.
“In some cases, it is easier to find buyers on Telegram than on a forum because everything is more fluid and faster. Access is easier … and data can be shared much more openly.”
Hackers are less inclined to use WhatsApp both for privacy reasons and because it displays users’ phone numbers in group chats, unlike Telegram, Cyberint said. The encrypted Signal app is still smaller and tends to be used for more general messages between people who know each other rather than forum-style groups, it added.
Telegram has long taken a looser approach to content moderation than larger social media apps like Facebook and Twitter, drawing scrutiny for allowing hate groups and conspiracy theories to flourish. In January, for the first time, it began shutting down public extremist and white supremacist groups in the wake of the Capitol riots, amid concerns that it was being used to promote violence.
Cyberint’s investigation, particularly the discovery of public cybercriminal groups, raises more questions about Telegram’s content moderation policies and their enforcement at a time when CEO Pavel Durov has said the company is preparing to sell ads on public Telegram channels.
It also comes as the company prepares to head to public markets after raising more than $1 billion through the sale of bonds in March to investors including Mubadala Investment Company, the large sovereign wealth fund of the Gulf emirate, and Abu Dhabi Catalyst Partners, a joint venture between Mubadala and the $4 billion New York hedge fund Falcon Edge Capital.
Telegram said in a statement that it “has a policy to delete personal data shared without consent.” It added that each day its “growing force of professional moderators” removes more than 10,000 public communities for violations of the terms of service following user reports.