Dark Web Cybercriminals Are Migrating to Telegram

Close Up of Telegram App Icon

Popular criminal marketplaces on the dark web have seen far less activity or have been disappearing altogether since 2019, and hackers and cybercriminals are shifting to an anonymous messaging app that anyone can download from Google Play or the Apple App Store.

Pushed by law enforcement crackdowns, customers’ loss of trust, and competitors hacking each other, criminal outfits are increasingly advertising, communicating, and distributing their content on Telegram, according to a study from cybersecurity firm Positive Technologies.

Between early 2019 through early 2022, researchers analyzed 323 public Telegram channels and groups, totaling around 1 million subscribers — both cybercrime-oriented circles as well as “legitimate IT communities that can potentially be abused by cybercriminals.”

Researchers sifted through more than 120,000 messages, posts, and communications that indicated criminals actively discussed malicious software, stolen user data, and various cybercrime services in Russian and English.

Cybercrime Communications and Services Move to Telegram

Cybercriminals moving to Telegram from dark web marketplaces was most notable in 2020 and 2021, the study by Positive Technologies said last Friday. This migration coincided with vulnerabilities in dark web forum engines like vBulletin, XenForo, and IPB.

The hacking of several major forums in 2021 also played a part which naturally “damaged the credibility of the forums and caused the transition to Telegram.”

Sprawling dark web realms like RaidForums and DarkMarket were battered by law enforcement in 2022, while other forums, like Carding Mafia, BHF, Nulled, and Maza were hacked by competitors. The activity started “leading cybercriminals and their customers to fear their identity and location could be revealed and their connections to illegal websites exposed.”

“Messaging apps are easy to use, provide a fair degree of anonymity and have a simple registration process, making them a viable medium for cybercriminals to expand their market and reach new customers,” the study said.

Cybercriminal communications on Telegram suggested that 73% of channels and groups have existed for less than two years, indicating both a short lifespan and the recent transition to the messaging service.

Malware, Exploits, User Data, Criminal Services

Telegram communications were saturated with talk about malware distribution, vulnerabilities, and exploits, stolen personal user data, corporate hacking, criminal services like cash-out and DDoS, and spam (phishing scams) propagated through SMS, email, and messaging apps.

52 percent of messages accounted for stolen user data, followed by cybercrime services and malware. Vulnerabilities and exploits and hacking corporate networks made up only a small fraction of all messages, the study said.

When discussing malware, the most popular were remote access trojans (RATs) at 30 percent, info stealers at 18 percent, and botnets at 16 percent, respectively. These were followed by obfuscation tools, miners, and ransomware. Finally, keyloggers, rootkits, and other malware were the least discussed. The functions and distribution of malware covered a significant portion of other communications.

Though ransomware is among the most popular forms of cyberattack, it had a small role in Telegram discussions because ransomware is still operated through “partner channels, on specialized dark web forums and websites, or in closed groups,” the study said. Like ransomware, demand for development services and cooperation initiatives was also low because establishing that level of trust on Telegram is difficult when users can change their usernames and cheat others.

“That is why 31% of purchase-related messages mention an escrow agent — a person trusted by both parties who acts as an intermediary in the transaction.”

Prices for Obfuscation Tools, RATs, Stealers Revealed

Researchers also rounded up pricing information on various illicit products and services from the criminal underworld, though costs were wide-ranging. The study found that special tools to hide malware code cost anywhere between $20 to $100, while botnets or botnet guides can go for up to $750. Meanwhile, cryptocurrency miners were advertised plentifully with sophisticated offerings able to bypass antivirus systems and admin privileges going for $1,000.

A quarter of all messages account for Android RAT programs SpyMax, SpyNote, and Mobihok, respectively, with prices ranging from $10 to $500, the study said.

The most popular information-swiping malware available via Telegram was the RedLine stealer, while others — including SpiderMan, Anubis, Oski Stealer, and Loki Stealer — can be had for between $10 and $3,500, depending on the features.

In March 2022, hackers disguised the Redline stealer as a cheat in a YouTube video to compromise Valorant players. It was also used in a sophisticated Discord hack campaign that same month.

Software Vulnerability and Exploit Discussions

Software vulnerability and exploit messages were mainly about zero-day vulnerabilities, which accounted for 29 percent of messages and posts, followed by common vulnerabilities and exposures, remote code execution (RCE), and local privilege escalation (LPE). “RCE and LPE are the most dangerous vulnerabilities and the most popular among attackers,” the study said. The global Log4j event in December last year was a severe zero-day RCE.

Meanwhile, discussions on exploits of operating systems on Telegram focused mostly on Windows at 42 percent, followed by Linux and Android while iOS and macOS were discussed much less, the study said. “An RCE exploit for a website can cost up to $4,500, while one buyer offered to pay $30,000 for a zero-day LPE for Windows.”

The study noted that malware targeting Android is increasing in scale and frequency, while tools for scanning Laravel — a popular PHP website-building tool used by 600,000 websites — were very popular.

Exploits for software vulnerabilities would appear in Telegram discussions within 24 hours after a vulnerability disclosure in 17 percent of cases, but on average, this was 13 days after disclosure. In the first half of 2022, Spring4Shell, Linux Dirty Pipe and Atlassian vulnerabilities were among the most discussed, researchers said.

Discussions About User Accounts, Cash-Out Services

Between 2021 and 2022, user accounts, documents, personal data, and related services made up 71 percent of all criminal communications about data compromisation. Offers to buy and sell data, forged documents, and digital signatures made up a significant portion of messages.

Furthermore, messages advertising user accounts offered access to streaming services such as Netflix and Spotify, as well as to crypto exchanges, betting websites, and social networks. Spotify accounts were sold for $5, while a one-year Netflix premium subscription started at $10. Hacked crypto exchange accounts and betting-related accounts were pricier, costing between $65 and $200.

Furthermore, cash-out services appeared in 66 percent of all criminal services messages about data compromise, along with document forgery, the study said. DDoS attack services were a distant second place, with a one-hour DDoS attack costing $8, $40 for 24 hours, and around $200 for a week-long attack.

“The increasing level of demand may be due to the fact that many online services are now unavailable or only partially available to Russian Users.”

Numerous attacks at the beginning of 2022 saw “the number of services involving documents leaked from various institutions surge,” the study said.

Telegram activity also revealed that, compared to early 2020, VPN-related messages saw more than a three-fold increase by 2022, the study said. “NordVPN accounts, which are harvested by the infostealers mentioned in the malware section, are the most widely offered for sale.”

Hacking Services: Social Media and Messaging Apps Dominate

According to analysis, 72 percent of Telegram messages’ in regards to hacking services involved hacking into social media and messaging app accounts like WhatsApp, Viber, Telegram, and VKontakte.

“Prices for hacking messenger accounts are much higher than for hacking social media accounts,” researchers noted. A hacked VKontakte account costs between $10 to $50, while a WhatsApp, Viber, or Telegram account starts from $350.

Discussions about hacking into websites and servers or email were a distant second and third place. Researchers found that $100 is sufficient to hack a private email account, but a corporate email address would cost at least twice as much.

The study found criminals also discussed mass spamming and phishing via SMS text, mail, and messaging apps. In this category, 54 percent of discussions were related to bulk SMS spam services, followed by email and messaging app spam.

“Telegram is the most popular messaging platform for spamming,” the study said. Prices depend on the duration of a spam/phishing campaign or on how many messages are sent. For instance, email flooding for one email address costs about $1 per hour or 1,000 emails, the study said.

Messaging Platforms Lower the ‘Entry Threshold’

The answer to why cybercriminals prefer messaging apps like Telegram to traditional dark web marketplaces is manifold. For one, the study explained, this makes it easier for more criminals to communicate and expand.

The knowledge that Telegram is now a new safe haven for cybercriminal operations gives organizations and law enforcement time to take preventive actions while also being useful for current cyber-intelligence and cyber threat forecasts, the study said.

“The number of unique cyberattacks is constantly growing, and the market for cybercriminal services is expanding and moving into ordinary social media and messaging apps, thereby significantly lowering the entry threshold for cybercriminals.”

To familiarize yourself with what lies beneath the surface and deep web, check out our full guide on the dark web. Likewise, if you want to learn more about the anonymous messaging platform, we’ve compiled a full guide to optimizing Telegram privacy and security.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.