How Telegram Became a Destination for Criminals

source: axios.com (contributed by FAN, Bill Amshey)

Telegram has long been a hotbed for cybercriminal gangs boasting about their attacks and looking to recruit new members.

Why it matters: Billionaire Telegram CEO Pavel Durov’s arrest over the weekend has put a spotlight on what policies Telegram does — and doesn’t — have to deter cybercriminals and extremist groups who use its platform.

The big picture: Telegram’s relaxed content moderation policies and encrypted service offerings have made it an attractive destination for cybercriminals, terrorist organizations and drug dealers.

  • Terrorist organizations, including ISIS, have used Telegram to publicly claim responsibility for attacks.
  • Politically motivated hackers — including those tied to the war in Ukraine and the Israel-Hamas war — also post about their crimes in public Telegram forums.

Experts say Telegram has unique features that — taken in combination — hackers have been able to abuse in an effort to hide their activities.

  • Secret Chats allows users to turn on end-to-end encryption.
  • That means Telegram has no way of seeing what’s discussed in Secret Chat conversations. Users also can’t forward these messages, which can self-destruct — making it even harder for third parties to intercept their contents.
  • Apple Messages and WhatsApp messages are also encrypted by default, but neither allows users to sign up with a virtual phone number.
  • Telegram accounts don’t need to be linked to a SIM card, Taisiia Garkava, an intelligence analyst at Intel 471, told Axios.

Between the lines: Telegram allows hackers to communicate in real time with little interruption.

  • In contrast, messaging features in dark web forums typically aren’t encrypted and have a lag since they operate similarly to email.
  • Telegram is also unlikely to go completely dark as part of a law enforcement crackdown — unlike a dark web forum.

Telegram’s terms of service and moderation are vague enough that illegal activity, including the spread of child sexual abuse material, is allowed to flourish.

  • As Casey Newton points out in Platformer, Telegram users are officially prohibited from posting illegal pornographic content, but only in public channels, not in private ones.
  • “All Telegram chats and group chats are private amongst their participants,” an FAQ on Telegram says. “We do not process any requests related to them.”

Zoom in: Killnet, a pro-Russia politically motivated hacker group, is a prime example of how cybercriminals have used Telegram’s more public channels.

  • The group coordinates attacks and shares malicious scripts in real time via a publicly viewable channel.
  • Typically, the group starts by publishing a long list of potential targets for its distributed denial-of-service attacks. Those targets have included websites belonging to U.S. hospitals, airports and others.
  • In September 2022, the group created a separate so-called supergroup, which can support up to 5,000 people, with the sole purpose of recruiting new members, according to analysts at Flashpoint.

The intrigue: Cybercriminals also find Telegram’s overseas ownership appealing, Synack co-founder and CTO Mark Kuhr told Axios.

  • Telegram was originally founded in Russia but moved to the United Arab Emirates in 2017.
  • “There’s less of a perceived risk of law enforcement cooperation,” Kuhr said in an email.
  • Telegram also “rarely cracks down on message boards, giving more breathing room for cybercriminals to talk openly before getting kicked off the platform,” he added.

Yes, but: Telegram is still a destination for legitimate, real-time communications.

  • The Ukrainian army has been broadcasting its actions on the app since Russia’s invasion in 2022.
