Telegram emerges as new dark web for cyber criminals

New research has shown that Telegram is a popular messaging app for cybercriminals who want to sell, buy, or share stolen data or hacking tools.
Cyberintelligence group Cyberint and the Financial Times teamed up to investigate a network of hackers who were sharing data on the messaging platform. Sometimes, they did so in channels that had tens or thousands of subscribers. They were lured by its simplicity and light-touch moderation.

Many times, the content looked similar to the dark web marketplaces, which are popular among hackers. These sites can be accessed with anonymizing software and accessed by hackers.

Cybercriminals are using Telegram more frequently than ever before, according to Tal Samra (cyber threat analyst at Cyberint).

Its encrypted messaging service has become more popular with threat actors who are engaging in fraudulent activity and selling stolen information... because it is easier to use than the dark internet.

This is because many users have turned to encrypted chat apps to communicate with one another after WhatsApp's privacy policies were changed.

Telegram was launched in 2013 and allows users to send messages to their followers via channels. It also lets them create private and public groups that others can access. The app allows users to send large files directly, including zip files and text, via the app.

According to SensorTower data, the platform boasts more than 500,000,000 active users and has surpassed 1 billion downloads in August.

However, the use of the platform by cyber criminals could put more pressure on Dubai-based platform to improve its content moderation. The platform plans an initial public offering in the future and will explore advertising.

Cyberint reports that the number of mentions in Telegram of Email Pass and Combohacker parlance indicate that stolen password and email lists are being shared four times over the past year. This brings it to close to 3,400.


One public Telegram channel, combolist, had over 47,000 subscribers. Hackers sell or circulate large data dumps containing hundreds of thousands of leaked passwords.

Combo List Gaming HQ posted 300,000 passwords and emails that it claimed could be used to hack into video games platforms like Minecraft, Origin, Uplay, and Uplay. Another claimed to have 600,000. Logins for Yandex users, and others for Google or Yahoo.

Telegram deleted the channel Thursday after being contacted by Financial Times for comment.

Email password leaks are only one aspect of the disturbing activity that takes place on Telegram. The research also found that financial data, such as credit card information and copies of passports, as well as credentials for bank accounts, and sites like Netflix, are some other types of data being traded. Cyberint stated that online criminals can also share malware, exploits, and hacking guides through the app.

As hackers direct users to Telegram as an alternative or parallel information source, the number of links to Telegram channels or groups has risen to over 1 million by 2021 from 172,035 in the previous year.

This research is a follow-up to vpnMentor's earlier report from this year. It found that Telegram had data leaks from companies such as Facebook, marketing software provider, and Meet Mindful dating site, among others.

It seems that most data breaches and hacks are shared only on Telegram once they have been sold on the dark internet or the hacker fails to find a buyer, vpnMentor stated.

It called the trend an escalation of cyber crime and noted that some members of these groups were less tech-savvy than the average dark web user.


Telegram stated that it could not verify the findings of vpnMentor because the researchers hadn't shared information identifying the channels the alleged leaks were occurring in.

Samra stated that the transition of cybercriminals from dark web to Telegram was happening in part due to the anonymity afforded them by encryption, but also noted that many of these groups are public.

He said that Telegram is more accessible than dark web forums and has better functionality. Also, it is less likely to get tracked down by law enforcement.

Telegram is quicker and easier than forums in some cases. It is much easier to access data and it can be shared more freely.

Cyberint stated that hackers are less likely to use WhatsApp for privacy reasons. It also displays user numbers in group chats unlike Telegram. It said that Signal encryption is smaller and can be used to communicate with people who are familiar with each other, rather than in forum-style groups.

Telegram has been known for its lax content moderation approach than other social media platforms like Facebook and Twitter. This has led to criticisms from the public that Telegram allows hate groups and conspiracies to thrive. It began closing down white supremacist and public extremist groups for the first time in January after the Capitol riots, amid concerns that it was being used as a tool to promote violence.

Cyberint's research, particularly the discovery of cybercriminals in searchable public groups, raises more questions about Telegrams content moderators policies and enforcement. This comes at a time when Pavel Durov, chief executive, has stated that the company is planning to sell advertising on public Telegram channels.

The company also has this news as it prepares for public markets. In March, Mubadala Investment Company raised more than $1B through bond sales to investors. These included Abu Dhabi Catalyst Partners and Mubadala, the large sovereign wealth fund of the Gulf emirates.

Telegram stated in a statement, that it has a policy to remove personal data without consent.

2021 The Financial Times Ltd. All Rights Reserved.