
Telegram and Cybercrime in 2024: A Persistent Threat


Telegram is widely regarded as a secure platform for end users, and it has become a popular communication channel for threat actors. Many criminals choose it because an account can be reached through a username, so other users never see the phone number behind it. That hides the number from other participants, not from Telegram itself: a phone number is still required to register, Telegram retains it, and, as discussed below, Telegram may hand it to authorities together with the account's IP address. The anonymity Telegram offers is therefore relative, not absolute.

Cybercriminals are attracted to secure instant messaging platforms for several reasons. The main factors are: end-to-end encryption, unindexed content, ease of use, versatile communication options, and a low barrier to entry.

  1. End-to-end encryption
    1. End-to-end encryption keeps message content from the platform operator and from anyone intercepting traffic, a level of privacy similar to what criminals are accustomed to on dark web sites. Note that it provides confidentiality, not anonymity, and that on Telegram only one-to-one Secret Chats are end-to-end encrypted; regular cloud chats, groups, and channels are encrypted in transit and at rest on Telegram's servers but remain readable by Telegram, which is why the disclosure policy described later in this post can apply to them.
  2. Unindexed content
    1. Group messages on IM platforms are not indexed by standard search engines the way web forums are, which makes it harder for law enforcement to find and attribute criminal groups. This applies mainly to private groups; public Telegram channels have a web preview that search engines can index.
  3. Ease of use
    1. The user-friendly mobile interfaces make IM apps appealing for a variety of use cases, including cybercrime. As a result, mobile-based platforms are becoming increasingly attractive for running the illegal cyber economy.
  4. Versatile communication options
    1. Beyond private one-on-one messaging, IM apps let users form groups, channels, and, on some platforms, servers, creating both closed and public communities. This flexibility gives operators fine-grained control over who can see and post in each part of their network.
  5. Low barrier to entry
    1. Setting up and maintaining a community on an IM app like Telegram is simpler and cheaper than building and maintaining a website or domain on the dark web, and there is no hosting to keep online.

Despite recent developments, including Telegram CEO Pavel Durov's high-profile arrest and the policy changes that followed, Telegram continues to be a favored channel for cybercriminals. For many threat actors, its combination of encryption, ease of use, and infrastructure spread across several jurisdictions makes it an essential platform for communication and coordination. Although opinions are divided about the arrest and the pressure put on Telegram's CEO by authorities, the vast majority of users are still on the platform and still trust it.

The preferred communication channel for threat actors 

Telegram’s encryption, ease of use, and extensive feature set have made it a popular choice for threat actors. Cybercriminals use the platform to coordinate attacks, share malicious code, and communicate securely. The large number of channels dedicated to cybercrime highlights the platform’s widespread use among threat actors.

MagicHound and ToddyCat, APT groups likely linked to Iran and China respectively, have used Telegram for malicious activity. Both groups have leveraged Telegram's privacy features, its infrastructure outside the jurisdictions they target, and its ease of use to communicate, distribute malware, and research targets. These factors make Telegram attractive to threat actors seeking to avoid detection and support their operations.

What Effect Did Durov's Arrest Have on Threat Actors and Telegram?

On August 24, 2024, the head of Telegram, Pavel Durov, was arrested at Le Bourget Airport in Paris. His arrest was part of a much larger investigation into serious criminal activity facilitated through Telegram. Durov was charged on twelve counts and, if convicted, faces a long prison sentence, reported at the time as at least fifteen years. Not long after his arrest, he was released on €5 million bail under strict judicial supervision.

Durov's arrest received mixed reactions. The Russian government criticized it as politically motivated, claiming that its purpose was to force Durov to hand over control of Telegram to the authorities.

What Telegram Users Are Saying

We used Lunar, powered by Webz.io, to monitor Telegram channels and see how various threat actor groups responded to Durov's arrest. Real-time monitoring of the deep and dark web, and of Telegram channels in particular, lets cybersecurity researchers identify emerging threats and analyze threat actor behavior.

The Bl00dy Ransomware Gang claimed they would leave Telegram because Durov was weak and broke under pressure, and because using Telegram is no longer safe.

Screenshot from Lunar showing a threat group discussing leaving Telegram because of Durov's arrest.

Some hacktivist groups, like Ghosts Of Palestine and Al Ahad, called on their followers to leave Telegram and switch to "a more secure alternative," providing a direct link to their Signal group.

Screenshot from Lunar showing the official announcement by the Al Ahad hacktivist group on Telegram.

Other known deep and dark web forum users voiced their lack of trust in Telegram, since they see Durov's arrest and the conditions the authorities imposed on him as a form of active cooperation.

Screenshot from Lunar showing a crime forum with users who call to ban Telegram.

Screenshot from Lunar showing CyberVolk's Telegram announcement that they are moving to other platforms.

On the other hand, various hacktivist groups started a #FreeDurov campaign to show their support for Telegram's CEO. The following screenshots, taken with Lunar, show how different groups incorporated #FreeDurov into their Telegram channels and activities.

Screenshot from Lunar showing support for #FreeDurov on Telegram.

Monitoring of this kind can be used to anticipate security threats to governments and major global events. It also helps identify trends and shifts in tactics among cybercriminals and hacktivists, enabling more proactive cybersecurity measures.

Changes to Telegram’s Policies and their Implications

On September 23, 2024, Durov announced an update to Telegram's privacy policy that brings it in line with what the authorities demanded. The earlier policy limited disclosure of user data to terror suspects; the updated policy covers any user that a valid judicial order identifies as a suspect in criminal activity that violates the Terms of Service.

Telegram's privacy policy states: "If Telegram receives a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities. If any data is shared, we will include such occurrences in a quarterly transparency report published at: https://t.me/transparency."

Durov also published an official announcement aimed at deterring criminal use: Telegram will now disclose the IP addresses and phone numbers of users who break the platform's rules through illegal activity and are under investigation, but only in response to a valid legal request from the relevant authorities.

Pavel Durov's official announcement about Telegram's changes.

A significant shift has occurred in the digital underworld. Telegram's crackdown on its global search feature is a major setback for cybercriminals. Global search, which lets users find public channels and groups by keyword, has been restricted so that searches for illicit goods or content return far fewer results. Cybercriminals who rely on Telegram to advertise or sell illicit goods and services will find it harder to reach potential customers through search alone. Note the limit of this measure: it affects only discovery through Telegram's own search. Invite links shared on forums, in other channels, or on the open web still work, and public channels remain reachable by direct link. Cybercriminals will therefore adapt rather than disappear. They can use more obscure or obfuscated keywords in channel names, move to private, invite-only channels or groups, or rely on personal recommendations to connect with potential buyers.
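One consequence for defenders is that a watchlist of plain keywords stops matching once actors start spelling "stealer logs" as "St3@l3r L0gs" or swap Latin letters for Cyrillic lookalikes. The following Python is an added example, not code from the original post and not part of Lunar or any Webz.io product, of a normalizing keyword matcher that an analyst could run over collected channel titles. The watchlist, the substitution table, and the sample titles are all constructed for the example.

```python
import re
import unicodedata

# Constructed watchlist for the example. It stands in for whatever terms an
# analyst tracks; it is an assumption, not Lunar's or Webz.io's real list.
WATCHLIST = ["stealer logs", "combolist", "fullz", "ransomware"]

# Single-character substitutions applied after case-folding:
# common leetspeak digits/symbols plus a few Cyrillic letters that look like
# Latin ones (homoglyphs). Extend as new obfuscation patterns show up.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "!": "i",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u043a": "k",  # Cyrillic к
    "\u0456": "i",  # Cyrillic і (Ukrainian/Belarusian)
})


def normalize(text: str) -> str:
    """Reduce a channel or group title to a canonical lowercase ASCII form.

    Steps: NFKD so fullwidth and accented letters decompose to their base
    letter, drop combining marks, case-fold, apply the substitution table,
    then delete every remaining non-alphanumeric character so that
    "s.t.e.a.l.e.r" and "stealer" compare equal.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = stripped.casefold().translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z0-9]", "", folded)


def match_terms(title: str, watchlist=WATCHLIST) -> list:
    """Return the watchlist terms whose normalized form occurs in the normalized title."""
    canonical = normalize(title)
    return [term for term in watchlist if normalize(term) in canonical]


def scan_titles(titles, watchlist=WATCHLIST):
    """Return (title, matched_terms) pairs for titles that hit the watchlist."""
    hits = []
    for title in titles:
        terms = match_terms(title, watchlist)
        if terms:
            hits.append((title, terms))
    return hits


# Constructed sample titles (not real channels): three obfuscated, one benign.
SAMPLE_TITLES = [
    "St3@l3r L0gs Daily",
    "C\u043embo-l\u0456st 2024",   # Cyrillic о and і inside "Combo-list"
    "Python Tips",
    "R@n$0mw4r3 affiliates",
]

if __name__ == "__main__":
    for title, terms in scan_titles(SAMPLE_TITLES):
        print(f"{title!r} -> {terms}")
```

Normalization this aggressive trades precision for recall: "1" becomes "i" and every separator is dropped, so very short watchlist terms will match innocent titles. Treat hits as triage leads for an analyst, not as verdicts, and keep watchlist terms long enough that their normalized form is distinctive.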

The change to Telegram's global search feature may be a sign that other significant changes to the platform will follow.

Where To Next? Read the next Dark Web Pulse to find out the platforms threat intelligence analysts believe might be alternatives to Telegram. 
