Amid rising concerns about Telegram’s security, the Kaspersky Digital Footprint Intelligence team analysed shadow Telegram channels. Their findings reveal a troubling trend: cybercriminals are increasingly using Telegram as a platform for the underground market activities.
Cybercriminals actively operate channels and groups on Telegram dedicated to discussing fraud schemes, distributing leaked databases, and trading various criminal services, such as cashing out, forging documents, DDoS attacks as a service and more. According to Kaspersky’s Digital Footprint Intelligence data, the volume of such posts surged by 53% in May-June 2024 compared to the same period last year.
“The growing interest in Telegram from the cybercriminal community is driven by several key factors. Firstly, this messenger is very popular in general – its audience has reached 900 million monthly users, according to Pavel Durov. Secondly, it is marketed as the most secure and independent messenger that does not collect any user data, giving threat actors a sense of security and impunity. Moreover, finding or creating a community on Telegram is relatively easy, which, combined with other factors, allows various channels, including cybercriminal ones, to gather an audience quickly,” explains Alexey Bannikov, analyst at Kaspersky Digital Footprint Intelligence.
Cybercriminals operating on Telegram generally demonstrate less technical sophistication and expertise compared to those found on more restricted and specialised dark web forums. This is due to the low entry barrier into the Telegram shadow community – someone with malicious purposes simply needs to create an account and subscribe to the criminal sources they can find as they are already part of this criminal community. Furthermore, Telegram lacks a reputation system similar to those found on the dark web forums. Consequently, there are many scammers in Telegram’s cybercriminal space who tend to deceive their fellow community members.
“There is another trend: Telegram has emerged as a platform where various hacktivists make statements and express their views. Due to its extensive user base and rapid content distribution through Telegram channels, hacktivists find the platform a convenient tool to incite DDoS attacks and other disruptive methods against targeted infrastructures. Additionally, they can release stolen data from attacked organisations into the public domain using shadow channels”, notes Alexey Bannikov.
