Pierluigi Paganini
September 27, 2021
Many experts believe that the popular Telegram app is an efficient alternative to dark web marketplaces, its channels are used by hacking communities and cybercriminals to buy and sell stolen data, accesses to compromised infrastructure, and hacking tools.
Researchers from vpnMentor recently published a report that sheds the light on the use of Telegram in the cybercrime ecosystem. vpnMentor researchers joined several cybercrime-focused Telegram groups and discovered a vast network of more 1,000s individuals sharing data leaks and dumps and discussing how to exploit them in illegal activities.
“First, there are Telegram channels, where hackers post data dumps with brief explanations about what people can find inside. These channels are more passive, with minimal conversation happening in them. Some channels have 10,000s of followers.” reported the experts. “The other method hackers are using is dedicated hacking groups, where hundreds of members actively discuss various aspects of cybercrime and how to exploit data dumps shared.”
The researchers explained that it is quite easy to access Telegram channels, users only need a mobile phone number, which is supposedly hidden from all other users, but visible to Telegram and SMS verification. However, law enforcement agencies could request the phone number of a Telegram user, or hackers could break in and steal it.
Another advantage is creating Telegram channels and groups also saves crooks from registering with a web host or domain service, in fact the latter could be hacked by other threat actors or targeted by a DDoS.
Summarizing, Telegram is probably more accessible than the dark web.
vpnMentor explained that most data leaks and exploits are only shared on Telegram after being sold on the dark web or when the sale failed for some reasons.
Another study conducted by Cyberint for a Financial Times gathered evidence of the intense cybercriminal activities that leverage the instant messaging app. The app is easy to use and its channels, which can be public and private, allow communications between tens of thousands of users. Telegram is also chose by crooks because it has a lax approach to content moderation than other social media platforms.
Telegram channels are becoming a sort of marketplaces, threat actors and wannabe hackers use them to buy and sell malware, exploits and hacking tools.
“We have recently been witnessing a 100 per cent-plus rise in Telegram usage by cybercriminals,” explained Tal Samra, cyber threat analyst at Cyberint. “Its encrypted messaging service is increasingly popular among threat actors conducting fraudulent activity and selling stolen data… as it is more convenient to use than the dark web.”
Experts observed a spike in the number of links to Telegram groups or channels shared in darkweb cybercrime and hacking forums, according to the study the number passed from 172,035 in 2020 to more than 1 million in 2021.
Cyberint experts analyzed the messages exchanged by members of the channels and observed a spike in the number of words commonly used in the hacker slang, such as “Combo” and “Email:pass.”
Words used to refer lots of stolen credentials and other illegal products fourfold over the 12 months, reaching nearly 3,400.
The experts cited the case of a public Telegram channel called “combolist,” which had more than 47,000 subscribers,, used by threat actors to buy, sell and leak data dumps.
Other telegram channels analyzed by the experts are used to trade financial data, including credit card data, login credentials for bank accounts and other online services, and copies of passports.
Which is the reply of Telegram?
Telegram issued a statement to announce that it “has a policy for removing personal data shared without consent.” It also added that a growing force of professional moderators removes more than 10,000 public communities for terms of service violations following user reports.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, cybercrime)
[adrotate banner=”5″]
[adrotate banner=”13″]
