Telegram has exploded as a hub for cybercriminals looking to buy, sell and share stolen data and hacking tools, new research shows, as the messaging app emerges as an alternative to the dark web.
An investigation by cyber intelligence group Cyberint, together with the Financial Times, found a ballooning network of hackers sharing data leaks on the popular messaging platform, sometimes in channels with tens of thousands of subscribers, lured by its ease of use and light-touch moderation.
In many cases, the content resembled that of the marketplaces found on the dark web, a group of hidden websites that are popular among hackers and accessed using specific anonymising software.
“We have recently been witnessing a 100 per cent-plus rise in Telegram usage by cybercriminals,” said Tal Samra, cyber threat analyst at Cyberint.
“Its encrypted messaging service is increasingly popular among threat actors conducting fraudulent activity and selling stolen data . . . as it is more convenient to use than the dark web.”
Launched in 2013, Telegram allows users to broadcast messages to a following via “channels”, or create public and private groups that are simple for others to access. Users can also send and receive large data files, including text and zip files, directly via the app.
The platform said it has more than 500m active users, and topped 1bn downloads in August, according to data from SensorTower.
But its use by the cybercriminal underworld could increase pressure on the Dubai-headquartered platform to bolster its content moderation as it plans a future initial public offering and explores introducing advertising to its service.
According to Cyberint, the number of mentions in Telegram of “Email:pass” and “Combo” — hacker parlance used to indicate that stolen email and passwords lists are being shared — rose fourfold over the past year to nearly 3,400.
In one public Telegram channel called “combolist”, which had more than 47,000 subscribers, hackers sell or simply circulate large data dumps of hundreds of thousands of leaked usernames and passwords.
A post titled “Combo List Gaming HQ” offered 300,000 emails and passwords that it claimed were useful for hacking video game platforms such as Minecraft, Origin or Uplay. Another purported to have 600,000 logins for users of the services of Russian internet group Yandex; others for Google and Yahoo.
Telegram removed the channel on Thursday after it was contacted by the Financial Times for comment.
Yet email password leaks account for only a fraction of the worrisome activity on the Telegram marketplace. Other types of data traded include financial data such as credit card information, copies of passports and credentials for bank accounts and sites such as Netflix, the research found. Online criminals also share malicious software, exploits and hacking guides via the app, Cyberint said.
Meanwhile, links to Telegram groups or channels shared inside forums on the dark web jumped to more than 1m in 2021, from 172,035 the previous year, as hackers increasingly direct users to the platform as an easier-to-use alternative or parallel information centre.
The research follows a separate report earlier this year by vpnMentor, which found data dumps circulating on Telegram from previous hacks and data leaks of companies including Facebook, marketing software provider Click.org, and dating site Meet Mindful, among others.
“In general, it appears that most data leaks and hacks are only shared on Telegram after being sold on the dark web — or the hacker failed to find a buyer and decided to share the information publicly and move on,” vpnMentor said.
Still, it dubbed the trend “a serious escalation in the ongoing surge of cyber crime”, noting that some users in these groups appeared less tech savvy than a typical dark web user.
Telegram said it was unable to verify the vpnMentor findings because the researchers had not shared details identifying which channels these alleged leaks were in.
Samra said the transition for cybercriminals from the dark web to Telegram was taking place in part because of the anonymity afforded by encryption — but noted that many of these groups were also public.
Telegram is also more accessible, provides better functionality, and is generally less likely to be tracked by law enforcement when compared to dark web forums, he added.
“In some cases, it’s easier to find buyers on Telegram rather than a forum because everything is smoother and quicker. Access is easier . . . and data can be shared much more openly.”
Hackers are less inclined to use WhatsApp both for privacy reasons and because it displays users’ numbers in group chats, unlike Telegram, Cyberint said. Encrypted app Signal remains smaller and tends to be used for more general messaging among people who know each other rather than forum-style groups, it added.
Telegram has long taken a more lax approach to content moderation than larger social media apps such as Facebook and Twitter, attracting scrutiny for allowing hate groups and conspiracy theories to flourish. In January, it began shutting down public extremist and white supremacist groups — for the first time — in the wake of the Capitol riots amid concerns it was being used to promote violence.
The Cyberint research — particularly the uncovering of public, searchable groups for cybercriminals — raises further questions about Telegram’s content moderation policies and enforcement at a time when chief executive Pavel Durov has said the company is preparing to sell advertisements in public Telegram channels.
It also comes as the company prepares to head for public markets after raising more than $1bn through bond sales in March to investors including Mubadala Investment Company, the Gulf emirate’s large sovereign wealth fund, and Abu Dhabi Catalyst Partners, a joint venture between Mubadala and the $4bn New York hedge fund Falcon Edge Capital.
Telegram said in a statement that it “has a policy for removing personal data shared without consent”. It added that each day, its “ever growing force of professional moderators” removes more than 10,000 public communities for terms of service violations following user reports.