Security Experts:

Connect with us

Hi, what are you looking for?



Many Cybercriminals Prefer Skype for Communications: Study

Cybercriminals are increasingly interested in ensuring that their communications are encrypted, and the favorite tool of many appears to be Microsoft’s Skype, according to a new report from threat intelligence firm Flashpoint.

Cybercriminals are increasingly interested in ensuring that their communications are encrypted, and the favorite tool of many appears to be Microsoft’s Skype, according to a new report from threat intelligence firm Flashpoint.

Data collected by Flashpoint from deep and dark web cybercrime communities between 2012 and 2016 shows that ICQ, Skype, Jabber, PGP, AOL Instant Messenger, Telegram, WeChat, QQ, WhatsApp, and Kik have been the most widely used tools.

The company’s study is based on the number of mentions on Russian, Spanish, French, Arabic, Chinese, Persian (Farsi) and English language forums typically used by profit-driven cybercriminals. The study does not include Signal and Line due to the fact that these are common words in English and programming languages, but experts believe their usage by threat actors is insignificant.

An analysis of Russian underground websites showed that ICQ was the most popular back in 2012 and accounted for more than half of mentions. Skype and Jabber also accounted for 26% and 19% of mentions, respectively. By 2016, Skype became the most mentioned messaging tool, with Jabber and ICQ dropping to the second and third positions.

On Spanish-speaking forums, Skype was in the lead in 2012, but last year it dropped to second place. The most mentioned messaging platform in 2016 was ICQ, with more than half of mentions.

Researchers believe ICQ has become more popular among Spanish-speaking cybercrooks due to the influence of more sophisticated hackers from Russian communities. In fact, Russian actors are considered the most innovative and sophisticated, and they are often trendsetters.

As for French-speaking communities, PGP was the most referenced in 2012, with nearly 60% of the total mentions. While not actually a messaging service, Forcepoint decided to include it in its study due to its popularity.

PGP continued to be popular on the French underground, but Jabber took the lead in 2016. Experts believe cybercriminals had started using it alongside PGP.

Skype was the most popular on Arabic-language forums back in 2012. WhatsApp was the most referenced last year, but Skype still managed to remain one of the favorites.

The situation has been different in China, where cybercriminals prefer applications developed by local tech company Tencent. Its QQ and WeChat apps accounted for more than 90% of mentions, both in 2012 and last year.

Persian-language communities also don’t appear to be influenced by others as much. In 2012, Yahoo Messenger was the most popular, and the favorite in 2016 was Telegram, with nearly 90% of all mentions. It’s worth noting that Flashpoint’s analysis of the Iranian underground is more general and it does not focus on financially motivated cybercrime.

On English-language underground websites, Skype was and remains the most mentioned application. In fact, Skype appears to be the most popular overall, being included in the top five messengers in all language groups.

According to Flashpoint, its study also shows that cybercriminals are increasingly interested in encrypted communications, a trend that is likely due to recent revelations of NSA surveillance, the proliferation of secure chat apps, and the influence of more sophisticated actors.

“The results of this study underscore the interconnected, agile nature of the cybercriminal ecosystem. Regardless of their language, skills, location, or a liation, cybercriminal groups tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing, and even mentorship,” Flashpoint said in its report.

“Such activities necessitate consistent access to reliable means of communication, which is why the digital communication tools examined within this study play such an integral role in facilitating cybercriminal behavior. In many instances, a cybercriminal’s livelihood may depend on his or her ability to communicate with peers while evading third-party detection. As such, the decision to utilize one communication tool over others is not taken lightly and often influenced by numerous contextual social, cultural, and geopolitical factors,” the company added.

Related: OPSEC in the Underground – A Look at Insider Trading

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.