Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Telegram Rivaling Tor as Home to Criminal ‘Forums’

Telegram Channels Offer Great Anonymity and Are Being Increasingly Used by Cybercriminals

Telegram Channels Offer Great Anonymity and Are Being Increasingly Used by Cybercriminals

Serious criminals are abandoning the upper levels of the dark web. The reasons appear to be the relative ease with which such criminal forums are penetrated by law enforcement agents and security researchers — and the recent shut-downs of major criminal forums Hansa Market and AlphaBay. 

Last month, Cybereason tested this idea, and concluded  that serious criminals have migrated to the deeper, closed forums of the dark web. Published yesterday, researchers from Check Point now postulate an alternative destination  for these criminals; that is, not to deep, dark, Tor-hidden forums, but to Telegram. 

Telegram is an encrypted instant messaging system first released in 2013. Like WhatsApp, it offers individual conversations and group chats — but what sets it apart is its security strength and end-to-end encryption. “As a result, some of its hosted chat groups have become a useful alternative to the secretive forums on the Dark Web,” say the Check Point security team.

Telegram groups are known as channels. It is these channels that are increasingly used by criminals. “Any threat actor with a shady offer or conversation to start, can enjoy private and end-to-end encrypted chats instead of the exposed threads that are seen in online forums.” The advantages are obvious. They are easier to operate, easier to join, and offer even greater anonymity.

Check Point gives three examples of how Telegram is used. Three channels were found in Russia known as Dark Job, Dark Work and Black Markets. Dark Jobs recruits staff for illegal jobs. The jobs are graded white (for little danger), grey (for greater illegality and difficulty), and black (for dangerous with legal risks). Anyone with the Telegram app can join this channel and can both post advertisements and apply for jobs with complete anonymity. The same principle applies to other channels, and some already have thousands of subscribers.

The simplicity of this criminal method is particularly worrying.

“This is especially worrying,” say the researchers, “considering the accessibility of the channels and the promises of high salaries made to those who might otherwise refrain or have no way to reach these markets.” In other words, the migration of criminals to Telegram might easily increase the general level of criminality in society.

Advertisement. Scroll to continue reading.

One area that particularly worries Check Point is the promotion of insider deals. It is easy to imagine a channel called ‘Insiders’. This could attract any authorized employee with a grudge or need for additional finances to sell inside access to corporate networks anonymously via Telegram. 

“Threat actors might take advantage of these employees in order to obtain insider information and sensitive data that is unavailable to the public,” warn the researchers. “This inside information could then be used for personal purposes or sold, or to conduct a cyber-attack from the inside of the company. This would thus eliminate the efficiency of some security solutions. After all, having someone “on the inside” is a very powerful tool. Just like in the real world, in the world of cybercrime it can often be not what you know but who you know.”

This is already happening on the Dark Job channel. One advertisement is looking for employees of Western Union or MoneyGram that have access to certain systems — and offering payment of $1000 per day.

The Dark Work channel seems to be more geared towards criminal projects than employments. One example reads, “Wanted for a dark project: Cryptor running on all systems from Windows XP to 10. Bypassing the top AV especially Avast and Defender.” The concern here is that a criminal entrepreneur could outsource an entire project without needing to know anything about technology, nor even his suppliers. 

The Dark Market is simply that — a marketplace for shady goods. Novice users, say the researchers, can find “messages promoting stealthy crypto-miners that will run without the victims’ knowledge in exchange for 600 rubles, or even infostealers that collect documents, screenshots and passwords in exchange for 1000 rubles.” This makes the Telegram channels very similar to the dark web marketplaces (such as the old Silk Road), but easier and more secure to use.

Government recognition of the increasing criminal use of Telegram is likely behind both the recent national bans, and the western demands for law enforcement encryption backdoors. In March, Russia’s Supreme Court ordered that Telegram must provide decryption keys to the country’s security services — which Telegram declined. In mid-April, Russia began blocking Telegram.

Iran also banned Telegram on April 30, 2018, but is so far having little success. As of May 7, Iran’s state-owned Telecommunications Infrastructure Company (TIC), which operates under President Hassan Rouhani’s Telecommunications Ministry, has yet to comply with a prosecutor’s order to block the Telegram messaging app. Radio Farda, a Persian language broadcaster at Radio Free Europe/Radio Liberty, reported today that many Iranians will use filtering software to avoid the ban. Of 9,485 respondents to a question, 9,024 replied they would “stay on Telegram using filtering circumvention software”. (This is not a scientific study and is biased towards Iranian citizens already listening to a foreign broadcaster.)

In western democracies, the growing use of Telegram amply illustrates law enforcement’s concern that criminals are going dark; and that law enforcement requires encryption backdoors to counter the threat. “Through the use of such tools, access to malware has never been easier, personal documents and certificates can be spread to unknown destinations and companies can be threatened by their own employees,” concludes Check Point.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights