Amid rising concerns about Telegram’s security, the Kaspersky Digital Footprint Intelligence team analyzed shadow Telegram channels. Their findings reveal a troubling trend: cybercriminals increasingly use Telegram as a platform for underground market activities.
Cybercriminals actively operate channels and groups on Telegram dedicated to discussing fraud schemes, distributing leaked databases, and trading various criminal services, such as cashing out, forging documents, DDoS attacks as a service and more.
According to Kaspersky’s Digital Footprint Intelligence data, the volume of such posts surged by 53% in May-June 2024 compared to the same period last year.
“The growing interest in Telegram from the cybercriminal community is driven by several key factors. Firstly, this messenger is very popular in general – its audience has reached 900 million monthly users.
“Secondly, it is marketed as the most secure and independent messenger that does not collect any user data, giving threat actors a sense of security and impunity. Moreover, finding or creating a community on Telegram is relatively easy, which, combined with other factors, allows various channels, including cybercriminal ones, to gather an audience quickly,” said Alexey Bannikov, analyst at Kaspersky Digital Footprint Intelligence.
Cybercriminals operating on Telegram generally demonstrate less technical sophistication and expertise compared to those found on more restricted and specialized dark web forums.
This is due to the low entry barrier into the Telegram shadow community – someone with malicious purposes simply needs to create an account and subscribe to the criminal sources they can find as they are already part of this criminal community.
Furthermore, Telegram lacks a reputation system similar to those found on the dark web forums (as highlighted in this Kaspersky study). Consequently, there are many scammers in Telegram’s cybercriminal space who tend to deceive their fellow community members.
“There is another trend: Telegram has emerged as a platform where various hacktivists make statements and express their views. Due to its extensive user base and rapid content distribution through Telegram channels, hacktivists find the platform a convenient tool to incite DDoS attacks and other disruptive methods against targeted infrastructures.
“Additionally, they can release stolen data from attacked organizations into the public domain using shadow channels,” added Alexey.
Kaspersky Digital Footprint Intelligence published a free comprehensive playbook to track shadow market activities and handle data-related incidents to help enterprises mitigate associated cyber risks.