New research shows that with the emergence of messaging apps as an alternative to the dark web, Telegram has become a center for cybercriminals seeking to buy, sell, and share stolen data and hacking tools.
An investigation conducted by cyberintelligence organization Cyberint and the British Financial Times found that an expanding network of hackers, attracted by the app's ease of use and light-touch moderation, shares data leaks on the popular messaging platform, sometimes in channels with tens of thousands of subscribers.
In many cases, the content resembles that of the marketplaces on the dark web, a set of hidden websites that are popular among hackers and accessed using specific anonymizing software.
Cyberint’s cyber threat analyst Tal Samra said: “We have recently witnessed an increase in the use of Telegram by cybercriminals by more than 100%.”
“Its encrypted messaging service is becoming more and more popular among threat actors who engage in fraudulent activities and sell stolen data… because it is more convenient to use than the dark web.”
Telegram was launched in 2013 and allows users to broadcast messages to followers through “channels” or create public and private groups that others can easily access. Users can also send and receive large data files directly through the app, including text and zip files.
The platform said it has more than 500 million active users, and its downloads exceeded 1 billion in August, according to SensorTower data.
But its use by the cybercriminal underworld may increase pressure on the Dubai-based platform to strengthen its content review as it plans a future initial public offering and explores introducing advertising to its services.
According to Cyberint, the number of mentions of “Email:pass” and “Combo” on Telegram (hacker terminology indicating that lists of stolen emails and passwords are being shared) has increased fourfold in the past year, to nearly 3,400.
In a public Telegram channel called “combolist”, which has more than 47,000 subscribers, hackers sell or simply disseminate a large amount of leaked username and password data.
A post titled “Combo List Gaming HQ” offered 300,000 emails and passwords, claiming that they could be used to hack into video game platforms such as Minecraft, Origin or Uplay. Another claimed to offer 600,000 logins for users of the services of the Russian internet group Yandex; others were for Google and Yahoo.
After being contacted by the Financial Times for comment, Telegram deleted the channel on Thursday.
However, leaked emails and passwords are only a small part of the worrying activity on the Telegram marketplace. The study found that other types of data traded include financial data such as credit card information, copies of passports, and credentials for bank accounts and for sites such as Netflix. Cyberint said that cybercriminals also use the app to share malware, exploits, and hacking guides.
At the same time, as hackers increasingly direct users to the platform as an easier-to-use alternative or parallel information center, the number of links to Telegram groups or channels shared within dark web forums jumped from 172,035 in the previous year to more than 1 million in 2021.
The research follows a separate report earlier this year by vpnMentor, which found that data dumps circulating on Telegram came from previous hacks and data breaches of companies such as Facebook, marketing software provider Click.org, and dating site Meet Mindful.
“In general, most data breaches and hacking attacks seem to be shared on Telegram only after they are sold on the dark web — or hackers fail to find a buyer and decide to share information publicly and move on,” vpnMentor said.
Nevertheless, it still calls this trend “a serious escalation of the continuing surge in cybercrime” and points out that some users in these groups seem to be less tech-savvy than typical dark web users.
Telegram said it was unable to verify the findings of vpnMentor because the researchers did not share detailed information to determine which channels these alleged leaks came from.
Samra said that part of the reason why cybercriminals transitioned from the dark web to Telegram was that encryption provided anonymity – but he pointed out that many of these groups were also public.
He added that compared to dark web forums, Telegram is also easier to access, offers better features, and is generally less likely to be tracked by law enforcement agencies.
“In some cases, it’s easier to find buyers on Telegram than on forums because everything is smoother and faster. Access is easier… and data can be shared more publicly.”
Cyberint said that hackers are reluctant to use WhatsApp, not only for privacy reasons, but also because, unlike Telegram, it displays users' numbers in group chats. It added that the encrypted application Signal is still small and is often used for more general messaging between people who know each other rather than forum-style groups.
For a long time, Telegram has adopted a more lenient approach to content review than large social media applications such as Facebook and Twitter, and has been criticized for allowing hate groups and conspiracy theories to flourish. In January, following the Capitol riots, it began shutting down public extremist and white supremacist groups for the first time, amid fears that the platform would be used to promote violence.
Cyberint's research, which in particular exposes searchable public cybercriminal groups, raises further questions about Telegram's content review policy and its enforcement, at a time when CEO Pavel Durov has stated that the company is preparing to sell ads on public Telegram channels.
In addition, the company is preparing to enter the public market, after raising more than US$1 billion in March by issuing bonds to investors including Mubadala Investment Company, a large sovereign wealth fund in the Gulf emirate, and Abu Dhabi Catalyst Partners, a joint venture between Mubadala and Falcon Edge Capital, a $4 billion New York hedge fund.
Telegram said in a statement that it “has a policy to delete personal data shared without consent.” It added that every day, its “growing power of professional moderators” deletes more than 10,000 public communities that violate the terms of service based on user reports.