Cybercrime on Telegram: Hackers abuse the messenger

[German]Telegram is a semi-encrypted messaging and chat app, that's is seen as a rival to Whatsapp. Cybercriminals have moved beyond the Dark Web and started using Telegram to share their hacks and reach a wider audience. Private data from millions of people is openly shared in groups with 10,000s of members, and very little is being done to stop this worrying trend.

Telegram is a semi-encrypted messaging and chat app, app seen as a rival to Whatsapp, has always received a lot of negative attention as a safe harbor and essential tool for extremist hate groups, conspiracy theorists, child pornographers, and so on. Now, it appears cybercriminals are also flocking to Telegram to share and discuss massive data leaks exposing millions of people to unprecedented levels of online fraud, hacking, and attack.

vpnMentor's cybersecurity research team joined several cybercrime-focused Telegram groups and channels to learn more about how and why the app has become so popular amongst hackers and threat actors. The security experts from vpnMentor discovered a vast network disseminating data leaks and dumps amongst 1,000s of people and openly discussing how to exploit them in various criminal enterprises. vpnMentor has shared it's findings with me.

How are Hackers using Telegram?

Hackers are sharing data leaks on Telegram in two different ways. They abuse the Telegram channels to post data dumps with brief explanations about what people can find inside. These channels are more passive, with minimal conversation happening in them. Some channels have 10,000s of followers. Below is a screenshot of such a channel chat.

Data dumps shared on a hacking channel

The other method hackers are using is dedicated hacking groups, where hundreds of members actively discuss various aspects of cybercrime and how to exploit data dumps shared.

Chat in a hacking group

Examples of data shared directly in a group

In general, it appears that most data leaks and hacks are only shared on Telegram after being sold on the dark web – or the hacker failed to find a buyer and decided to share the information publicly and move on.

Some of the data leaks were months old, but many were as recent as a few days. Hackers have also used Telegram as part of cyber attacks and blackmail schemes, as vpnMentor told me. After hackers stole a database from Israeli company Shirbit, they created a Telegram group and started sharing sensitive information as a form of extortion against the company.

Why Post Leaks on Telegram?

The big question is: Why hackers are using Telegram now to post leaks? Traditionally, hackers have relied on the dark web or other anonymous forums to share, discuss, and sell information about data leaks and successful hacks. However, Telegram offers numerous advantages, as vpnMentor have learned. Here are a few items, that attracts Telegram for cyber criminals.

• The app claims to be incredibly focused on guaranteeing privacy for its users. The only thing you need to join is a mobile phone number, which is supposedly hidden from all other users, but visible to Telegram and SMS verification. In theory, law enforcement could request the phone number of a Telegram user, or hackers could break in and steal it.
• Creating Telegram channels and groups also saves criminals from registering with a web host or domain service, shields them from attacks like DDOS, and reduces the need to protect their operations from online scanners and security tools.
• Telegram also offers a much lower barrier to entry, both for people distributing data and those hoping to receive it. Telegram is far considerably more accessible than the dark web, which requires specific technical know-how to access and navigate, and more robust safety and privacy measures. Hackers can reach a much wider audience and share information a lot quicker on an app installed on a device or computer.

Throughout their research, vmnMentor security experts witnessed members of these groups downloading zip files of data dumps and then asking how to open them, or what tools they needed to use them. This shows that even people with incredibly low computer literacy (and probably not on the Dark Web) are gaining access to incredibly sensitive data belonging to millions of people. Most likely, they're also not storing this data in any secure fashion, creating another set of issues and concerns.

Telegram also offers malicious hackers and cybercriminals a considerable scope for automating their activities. Telegram bots allow developers to run third-party apps on the platform. Usually, companies use the technology for advertising and marketing campaigns. Hackers can use the bots to run their operations while remaining in the shadows and spread their influence more easily across chats and groups.

Finally, Telegram has proven incredibly slow at tackling how much illegal and dangerous activity takes place on the app. Hackers know they can most likely remain anonymous and shielded from surveillance or basic accountability.

What Is Telegram doing to Combat These Groups?

Telegram has taken limited steps to shut these groups down, but some are operating for months before any action is taken. In that time, they can openly share private data from millions of people. Some group admins also create a 'backup' group, ready to accept new members and pinned to the top of the group. This way, members know to join the 'backup' group if the primary one is shut down. Thus, they can continue on the backup as if nothing happened.

In contrast, Telegram has shown much greater enthusiasm in shutting down problematic groups in other areas, such as piracy. The company consistently closes any groups or channels sharing copyrighted material amongst users. Thus, it appears that when they feel liable for legal action due to activity on the app, Telegram's owners are happy to step in – and they keep a close eye on activity happening on the app.

Telegram is Not as Private as it Claims

Despite its growing popularity as a privacy-focused communications app, most of Telegram's claims for high privacy standards are misleading. Telegram is incredibly secretive and operates with zero transparency. Two Russian brothers started the company, spent years moving around in different cities, before settling in Dubai. The company doesn't officially disclose where its team members or offices are based.

Their encryption is 'homemade' by the founders, and it's been widely criticized by experts. The company claims to be open-source, which is an exaggeration at best. The most crucial part of its system – the servers – remain a closed black-box. And finally, Telegram doesn't disclose what data it collects from users, how it's used, or who they share it with. Their promised "transparency report" remains empty to this day despite numerous data requests from various governments. These are just some of the many red flags surrounding the company.

For both criminal and ethical hackers, the illusion of pseudo-anonymity on Telegram could backfire incredibly if the company ever decided to exploit its access to their data, identity, and activity. Or if there was another data breach on the app itself. This already happened once, in 2020, when millions of Telegram users were exposed.

More about that on vpnMentor

The security researcher from vpnMentor has collected samples of material they found as members of the Telegram groups in the last six months. They has published some more details about what they found at this vpnMentor blog post.

Implications and Impact

The fact that so many hackers and cybercriminals (not to mention would-be 'fans' of cybercrime) have adopted Telegram is a serious escalation in the ongoing surge of cybercrime. Those involved in illegal hacking, online fraud, and other criminal activities have clearly gotten used to almost zero accountability. They've grown increasingly bold, and seemingly have no qualms about openly discussing their activities on a semi-public messaging app.

In doing so, they could significantly increase the scope of their own malicious activities and inspire many people to give cybercrime a go, making it look easy and risk-free. This could create a devastating ripple effect across the globe. Governments and cybersecurity organizations are already struggling to keep up with the growing scale and frequency of cyber attacks, hacking, and online fraud. There are an estimated 3.5 million unfilled cybersecurity jobs in 2021, as employers struggle to meet the demand with adequately trained staff.

If a whole generation of amateur hackers hanging out on Telegram was inspired to pursue cybercrime, the impact could be devastating. Whether or not they were successful, chasing down and persecuting these amateurs would be a huge drain on already strained efforts, taking valuable resources away from monitoring and combating bigger criminals and cyber attacks.

And while we're not exactly sympathetic to the people using Telegram to celebrate and distribute their hacks, they may eventually regret doing so. Telegram operates in secrecy, with zero transparency or accountability. The company never shares any details about how it monitors users or their data – or who it shares this information with. Using Telegram for illegal pursuits could backfire spectacularly – for both the hackers sharing their work, and the people following them. So, for everyone's sake, hopefully, Telegram will finally start addressing this issue.

The Bottom Line

The discovery of thriving criminal hacking communities on Telegram represents a troubling new chapter in the worsening epidemic of cybercrime increasing across the globe. If the company doesn't step in and address the issue, or regulators and government don't force it to, Telegram's cybercrime communities threaten the safety and security of millions of people. Furthermore, they could turn cybercrime into an amateur pursuit, in which even someone with limited computer literacy can pursue potentially devastating criminal schemes. While these communities represent a major escalation, they could simply be a small step towards cybercrime becoming a mainstream pastime.

vpnMentor is the world's largest VPN review website. Their research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users' data. Their ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.