Telegram is a messaging app that is used by many people around the world for a variety of purposes. However, it has also become a hub for cybercrime activities, including the sale and leakage of stolen personal and corporate data, the organization of cybercrime gangs, the distribution of hacking tutorials, hacktivism and the sale of illegal physical products such as counterfeits and drugs.
There are several other messaging apps that are favored by cybercriminals, but Telegram is one of the most popular. This presents a significant challenge for security researchers trying to combat cybercrime on the platform.
One reason why Telegram is attractive to cybercriminals is its alleged built-in encryption and the ability to create channels and large, private groups. These features make it difficult for law enforcement and security researchers to monitor and track criminal activity on the platform. In addition, cybercriminals often use coded language and alternative spellings to communicate on Telegram, making it even more challenging to decipher their conversations.
This report, compiled by KELA, aims to provide an in-depth understanding of why Telegram has become a significant player in the cybercrime ecosystem. It covers various services, products and cybercrime activities that exist on the platform, as well as the threat actors involved. The report also includes showcases for each topic, highlighting specific examples of the types of activities that take place on Telegram. In addition, the report lists prominent groups and channels that are involved in these activities, providing a comprehensive overview of the scope and scale of cybercrime on the platform.
The following topics and actors are discussed in this report:
- Personal and corporate data being sold and leaked on Telegram
- Info-stealing hacking teams that use Telegram to sell and leak data harvested through infostealers, and to organize gangs and build bots to facilitate their activities
- Banking fraud actors that use Telegram to easily sell credit cards, checks and other
- Ransomware and data extortion groups that adopt Telegram as an alternative or addition to their blogs and data leak sites, such as Lapsus$
- Hacktivists who use Telegram to publicize information about their attacks, such as Killnet and ALtahrea Team
- Illegal physical products being sold via Telegram, including counterfeits, guns, drugs and COVID-19 documents
While KELA chose to focus on items specific to each topic, it’s important to remember that more information on each subject can be found on the platform, such as tutorials, services, etc. Overall, Telegram has become a thriving ecosystem for cybercrime and will likely continue to be a major challenge for security researchers and law enforcement.