    Is Telegram the new Dark Web market?

    The dark web has long served as a haven for cybercriminals seeking to engage in illicit activities. From trading stolen information to orchestrating cyber attacks, its clandestine forums have facilitated a range of nefarious endeavors. However, a shift is underway as the allure of traditional dark web forums begins to wane. Enter Telegram, the messaging app that is swiftly rising to prominence as a new frontier of the dark web.

    What’s going on?

    Telegram stands out as a messaging app renowned for its robust privacy and encryption features. Designed to transcend platforms seamlessly, it synchronizes messages across all registered devices, ensuring users stay connected wherever they go. Beyond facilitating private one-on-one conversations, Telegram offers an array of options, including subscribing to channels for curated content or participating in group discussions on various topics.

    For cybercriminals navigating the digital underworld, anonymity is paramount. Dark web forums are shrouded in secrecy, yet their users still worry about surveillance by administrators, which could expose identities. In contrast, Telegram groups operate without traditional oversight, offering a cloak of anonymity coveted by threat actors. The ability to conceal phone numbers further bolsters anonymity, attracting those seeking discretion.

    Telegram's default end-to-end encryption shields messages from prying eyes, mitigating the risk of interception and snooping. While dark web forums provide encryption options, their implementation often requires additional tools like Pretty Good Privacy (PGP), introducing complexities. Telegram streamlines this process, offering a convenient and secure platform for clandestine communication.

    Traditional methods require registering a domain and leave the resulting site exposed to distributed denial-of-service (DDoS) attacks. Telegram channels sidestep both problems: by running on Telegram's infrastructure, cybercriminals keep their operations online for as long as the platform itself remains operational.

    Cybercrime on Telegram

    Now that we've delved into the motivations behind threat actors' increasing reliance on Telegram, let's examine some real-world cases that underscore the dangers of this emerging dark web market.

    PlayBook sports data leak. A recent investigation by online privacy advocate vpnMentor uncovered a concerning data leak originating from the sports betting tips website PlayBook Sports. Personal information belonging to over 100,000 US citizens, including email addresses, home addresses, and full names, was exposed, posing significant privacy risks for the affected individuals.

    Combolist. In a public Telegram channel named Combolist, over 45,000 subscribers eagerly engaged in purchasing and downloading data dumps containing compromised username and password credentials. Following a report by the Financial Times, the channel was swiftly removed from Telegram. Notably, separate posts within the channel offered access to vast troves of login credentials for video game platforms and popular web services like Yahoo and Yandex, raising concerns about widespread data exploitation.

    Sale of remote access tools and info stealers. Numerous Telegram channels and groups serve as hubs for the sale of remote access tools and info stealers, catering to cybercriminals seeking illicit access to user devices. Notably, SpyMax and Mobihok are popular choices for obtaining remote access to Android devices, while info stealers like RedLine and Oski Stealer discreetly pilfer sensitive information for a fee.

    Exploitation of vulnerabilities. Telegram channels and groups are rife with discussions and exchanges of exploits targeting various cybersecurity vulnerabilities. Among the most prevalent exploits are those targeting a remote code execution vulnerability in Microsoft Remote Procedure Call (RPC) and the infamous Spring4Shell exploit affecting the widely-used Java Spring framework.

    Threats on Telegram

    Infected devices. Shops like Genesis and Russian Markets, known for facilitating the trade of infected devices, have found a new avenue for their operations on Telegram channels. Here, threat actors exploit the platform's anonymity and reach to distribute stealer logs containing valuable data such as browser fingerprints and sensitive information. These logs, often shared freely or through subscription-based models, pose significant risks to individuals' digital privacy and security. By gaining access to personal information, threat actors can potentially infer victims' geographic locations and compromise their online identities.

    Stolen credentials. The dark web harbors a vast repository of stolen credentials, ranging from login credentials to financial information. Illicit Telegram channels serve as conduits for the distribution of these stolen credentials, allowing threat actors to profit from their illicit activities. Whether offered for free or sold through automated mechanisms, these credentials pose severe risks to individuals and organizations alike.

    OTP bots. One-time password (OTP) bots are a sophisticated tool that threat actors operate on Telegram channels, where the bots attempt to collect 2FA codes from unsuspecting victims at scale. Although the method is primarily used for personal financial fraud, it can be adapted for corporate attacks, as demonstrated in past incidents involving companies like Cisco and Uber. By leveraging stolen corporate logins and soliciting one-time passwords, threat actors can bypass 2FA controls and gain unauthorized access to sensitive systems and data.

    Telegram vs. Dark Web

    As Telegram emerges as a contender in the realm of cybercrime, questions arise about its potential to render the dark web redundant. While Telegram offers a convenient platform for illicit activities, underground dark web forums are unlikely to fade into obscurity anytime soon. Here's why:

    • Dark web forums boast features that set them apart from Telegram, such as built-in scoring systems that enable cybercriminals to establish reputations. These forums provide a structured environment for illicit transactions and discussions, fostering a sense of community among users. Despite Telegram's rise, these unique attributes continue to attract cybercriminals seeking a reliable platform for their operations.
    • Telegram's initial hands-off approach and reluctance to cooperate with law enforcement have undergone changes, evidenced by the removal of several illicit channels and groups. While this signifies a step towards combating illicit activities, it also raises questions about Telegram's future as a haven for cybercriminals. The platform's evolving policies may impact its appeal among threat actors, potentially driving them back to traditional dark web forums.
    • Cybercriminals are known for their adaptability, often diversifying their operations across multiple platforms to evade detection. While Telegram offers convenience and accessibility, underground dark web forums remain integral to cybercrime ecosystems. Expect cybercriminals to maintain a presence on both messaging apps and traditional forums, diversifying their activities to minimize risks and maximize profits.

    Complexities of regulating Telegram

    The emergence of Telegram as a conduit for dark web dealings has presented regulators and law enforcement with a formidable challenge. The app's commitment to user privacy, coupled with its global reach, complicates efforts to monitor and curb illegal activities effectively. Law enforcement agencies are adapting by deploying digital traps within Telegram to catch perpetrators in the act, but the task remains daunting.

    Despite Telegram's efforts to shut down public groups involved in illegal activities, private encrypted chats remain a gray area where illicit transactions thrive. While this secrecy protects user privacy, it also provides a safe haven for those with malicious intent, posing a significant challenge to policing efforts.

    Telegram's global footprint further complicates matters, necessitating international cooperation amidst diverse legal frameworks. Tackling these issues requires collaborative efforts among countries, navigating complex laws and regulations to address illicit activities effectively.

    In response to mounting concerns, Telegram has taken steps to uphold its core values of privacy and freedom of speech while combatting illegal activities. The company targets and removes content that violates its rules, aiming to strike a balance between fostering communication and preventing misuse of its platform.

    However, Telegram remains steadfast in its commitment to protecting user privacy and maintaining end-to-end encryption. This stance places the company at the forefront of broader discussions about the role of digital platforms in society and the challenges they face in balancing innovation with responsibility.

    Conclusion

    In the ever-shifting landscape of cyberspace, the emergence of platforms like Telegram as hubs for illicit activities signals a significant paradigm shift. As traditional dark web marketplaces lose ground, Telegram offers a new frontier for illegal trade, challenging conventional notions of digital privacy and accountability.

    Author Earl Sanders
