Telegram Becomes the New Dark Web, Here’s What Cybercriminals are Selling

Cybercrime trade on Telegram is exploding as cybercriminals take to the popular instant messaging app to buy, sell, and share stolen data and hacking tools. New research highlights that threat actors consider Telegram as their new channel of choice to conduct their evil businesses.


What’s going on?

  • A joint study by Cyberint and Financial Times found that there has been a 100% rise in Telegram usage by cybercriminals.
  • A large number of hackers are using the messaging platform to share leaked data in groups or channels with more than thousands of subscribers.
  • Interestingly, the list of stolen emails and passwords that go by the terms ‘Email:pass’ and ‘Combo’ has risen fourfold over the past year.
  • In one incident, a channel named ‘Combolist’ with more than 47,000 subscribers was shut down after it was found to be a marketplace for stolen financial data, personal documents, malware, hacking guides, and online account credentials.
  • Among the other data traded on the Telegram channel include copies of passports, exploits, and credit card information.


What’s the reason?

The reason for the increased use of the platform among threat actors is attributed to a number of operational benefits:

  • Unlike the dark web, Telegram is a legitimate and easy-to-use service that isn’t blocked by antivirus engines or network management tools.
  • Attackers can remain anonymous as the registration process requires only a phone number.
  • In some cases, it’s easier to find buyers on Telegram which makes it more convenient for cybercriminals.
  • Moreover, the unique communication features of Telegram enables attackers to exfiltrate data from victim’s PCs or transfer malicious files to infected machines.


Other malicious use of Telegram

In the past months, researchers raised alarms to warn about the misuse of Telegram by cybercriminals to evade detection.

  • CheckPoint said it tracked more than 130 cyberattacks in the first quarter of 2021 that distributed the ToxicEye trojan through Telegram.
  • Post-infection, the RAT enables attackers to take full control over a victim’s machine and engage in a range of other nefarious activities.
  • Besides malware infection, threat actors had flocked to the messaging app to sell fake COVID-19 vaccine cards.


What does this imply?

Although Telegram has taken steps to shut these dangerous groups, there are some that are still operating and action against them is yet to be taken. The fact that Telegram is gaining traction among cybercriminals indicates a serious escalation in cybercrime. With over 500 million active users, Telegram should ensure that it does not become the future attack surface for illegal hacking, online fraud, and other criminal activities.


September 22, 2021, Published on Cyware Social

Recent Posts