The ephemeral nature of some Telegram communications, such as self-destructing messages, adds another layer of complexity to threat intelligence efforts, requiring real-time monitoring and analysis to capture and preserve crucial information. While cybercriminals are using other platforms, they’re unlikely to abandon the communities they’ve built on Telegram. There has been some migration, but so far only Signal seems to have benefited from the crackdown on Telegram. It is important to note, however, that criminals don’t stick to just one platform. Most criminals appear to be using Telegram as well as other messaging apps, and in fact they may change their messaging app depending on the data they are sharing. Expect cybercriminals to split their operations between messaging apps and traditional underground forums and marketplaces.
- Telegram’s dark web channels are private or invite-only messaging groups, in which users chat, share information, or otherwise collaborate between themselves.
- Vx-underground operates as a prominent channel for sharing malware-related content, offering insights into recent threats, leaked tools, and historical malware samples.
- In Blackhat Resources channels, users share knowledge about using various hacking tools.
- Find out why Telegram is still cybercriminals’ favorite forum and why it’s a popular alternative to traditional dark web forums.
- For ongoing shows, new content was shared weekly. Additionally, it is crucial to highlight that distributing pirated media is a serious offense.
12 Frequency Of Posts
Additionally, Omega Cloud maintains a database exceeding 2 billion records, accessible through a subscription-based model. A Telegram channel specializing in the distribution of credentials obtained from stealer logs. With 20,000 members, Moon Cloud shares a wide range of compromised data, including URLs, email addresses, IP addresses, passwords, and usernames. A widely recognized platform in the cybersecurity community, vx-underground is known for its extensive collection of malware samples, research papers, and cybersecurity insights.

The directory provides a comprehensive collection of darknet-related information and resources for those interested in exploring the hidden aspects of the internet. It includes channels on topics such as hacking, carding, drugs, darknet links, and more. The Darknet Telegram Directory is regularly updated and maintained to ensure the highest quality and relevance for its users. The deep web on Telegram is an underworld of the Internet that hosts content not indexed by conventional search engines. On Telegram, there are channels dedicated to sharing links and resources related to the deep web.
Morocco’s Social Security Database Breach

In addition to some of the differences between the experience levels and type of activity seen on forums versus Telegram, there is also a key difference between the accessibility, user interface and technical requirements in order to join the communities. For example, most dark web forums operate solely with the use of special browsers like Tor, unique URLs, and appear similar to traditional internet forums. To receive notifications about new content, users on Telegram must follow (join) a specific channel. We tracked the growth of followers across all CACs in our database over the study period, yielding insights into their growth patterns. Collectively, the identified CACs are followed by approximately 23.8 million users, with a median of 8,000 followers per channel. Unfortunately, the Telegram API only allows channel administrators to view the list of followers, a limitation we faced.
How To Avoid A Dark Web Telegram Scam

The extent of damage caused by cyberattacks conducted by SiegedSec is unknown and many of them have not been mentioned by public news media sources. However, the leaked data shared on their Telegram channel and on deep web forums like Breached could easily be employed by other threat actors to gain access to companies, individuals, and networks by leveraging the private corporate and personal information posted. In Blackhat Resources channels, users share knowledge about using various hacking tools. Information about tool capabilities, such as “Free Trial For 30 minutes only for 1 month DM for access,” helps users make informed decisions. This exchange of information supports skill development within the community. In Artificial Boosting channels, education is more informal, focusing on effective engagement tactics. Users learn from each other’s requests and feedback, experimenting with different approaches to boost their social media presence.

Key Differences Between Illicit Telegram Channels And Dark Web Forums
This channel provides real-time updates on detected credit card data, with some posts visibly displaying card numbers and other financial details. BidenCash claims to impose fines or bans on suppliers whose listings are repeatedly found in public sources. The channel states that all shared content is sourced from open internet platforms and intended for educational purposes, disclaiming responsibility for any misuse of the published information. While not a direct cyber threat, vx-underground serves as an educational resource, providing access to malware source codes, breach analysis, and cybersecurity intelligence.
CACs promoted 4,051 unique websites that offered round-the-clock services for 51 different platforms. Beyond these websites, CACs also encouraged users to acquire services by contacting Telegram users or interacting with specific bots. Our data revealed 399 unique Telegram users and 515 unique bot accounts being promoted. While we did not engage directly with these user accounts, we conducted a brief analysis of the bots to understand the options they offered.
Why Do Cybercriminals Use Telegram?
Using the two tools, we found 1,210 files to be malicious, of which only 491 (~40%) had previously been scanned by Hybrid Analysis, suggesting that several of the malicious files shared in the CACs had not been seen by the tool. Considering that Hybrid Analysis is a popular tool which contributes threat intelligence to antivirus vendors, there is a possible detection gap for these files. We cross-referenced the APKs with those listed in the AndroZoo repository (Allix et al., 2016), using package names to avoid discrepancies caused by modified file hashes.
This focus on personal OpSec underscores the challenges faced by cybersecurity professionals attempting to monitor and disrupt these activities. It is important to remember that cybersecurity is a constant effort that requires your security leaders and end users to stay informed about these threats in order to preserve a safer online environment. In addition, at TecnetOne we have a cyber patrol solution that allows you to proactively monitor the dark web and other hard-to-reach areas of the Internet, identifying potential threats, illicit activities and data breaches before they can affect your organization. Unlike more specialized cybercrime groups, EMP/mailpass/sqli Chat covers a broad range of topics, including stolen account sales, financial fraud, SQL injection techniques, and malware deployment. Members frequently share logs, stealer data, and access credentials for various platforms, ranging from streaming services and social media to financial accounts and VPN services.
Users often discuss the quality of the content, as in the comment “This is a Koikatsu model, not a drawing” (translated from Chinese), providing clarification on the type of media being shared. These conversations are more content-centric, focusing on the nature and aesthetics of the media rather than technical aspects. Feedback here influences what gets shared, showing that users are invested in the quality and type of pirated content available. On the other hand, in Pirated Software channels, engagement is centered on evaluating the functionality of unauthorized software. We first visited and interacted with each URL, focusing on the first five links within the website’s DOM and their redirections. Each resulting URL was scanned with VirusTotal, which aggregates results from 80 anti-phishing engines. URLs flagged by two or more engines were marked as malicious, a threshold commonly used in prior research.
Telegram’s Place In The Cybercriminal Ecosystem
Features like end-to-end encryption, anonymous usernames, and message forwarding without revealing the original sender reinforced its reputation as a secure communication platform. The built-in anonymity and encryption make it difficult to trace the origins of illicit content, identify threat actors, and understand the full scope of their activities. This necessitates the development of advanced analytical techniques and tools to effectively monitor and analyze the vast amounts of data exchanged within these encrypted environments.

Read this Dark Web Pulse to see examples of illicit content on Telegram and a thorough breakdown of why threat groups prefer instant messaging. Even though they can be sold for just a couple of dollars, browser fingerprints and stealer logs can represent the digital lives of their victims. With saved login credentials and more (especially combined with OSINT), a threat actor could even guess the victim’s general geographic location. Threat actors distribute stealer logs in various ways depending on the channel. They distribute stealer logs themselves for free, while monetizing access to the channel through subscriptions.
The platform’s structure, which supports anonymous group creation and minimal oversight, facilitates these transactions. By joining specialised groups, users can discreetly exchange illegal items, highlighting the platform’s role in enabling covert trade operations. The ease with which users can access these groups underscores the app’s function as a digital marketplace for illicit activities. The group has leaked a significant volume of stolen data from compromised networks, but there is no indication the group uses ransomware nor has attempted to sell the stolen data. DarkOwl analysts regularly follow “darknet threat actors” that openly discuss cyberattacks and disseminate stolen critical corporate and personal data.