
Why are threat actors moving from Tor to Telegram?


The world of cybercrime is undergoing a seismic shift as threat actors, ransomware gangs, malware developers, and other malicious entities are rapidly transitioning from the traditional dark web onto Telegram channels dedicated to cybercrime. In this Flare article, we will explore the reasons behind this migration and provide comprehensive guidance on monitoring these Telegram channels effectively.

In recent times, the majority of cybercriminal activities have migrated away from the traditional dark web and have found a new home on modern social media applications. Several factors are driving this shift:

Lack of exit scams
Traditional dark web marketplaces often act as intermediaries, holding cryptocurrency transactions in escrow for 14 days, allowing buyers recourse in case of scams. However, this practice also creates an incentive for marketplace owners to exit scam and abscond with the held funds, posing a significant risk for users.

Amenities of modern social media
Compared to Tor sites, Telegram offers numerous advantages, such as speed, modern social media features like emojis, direct private chats, mobile applications, and other user-friendly functionalities. Furthermore, the technical proficiency required to access cybercrime channels and make purchases on Telegram is often lower than that required for Tor, democratizing access to cybercrime data.

Telegram also hosts many channels that provide free “samples” of stolen credentials, stealer logs, data from breaches, and other valuable information, enabling users to validate the effectiveness of vendors’ offerings with ease.

Perceived anonymity
While Tor marketplaces and forums are heavily monitored by law enforcement agencies, Telegram provides a perception of anonymity. This is due to the sheer volume of channels dedicated to cybercrime, the lack of IP tracking available to security and law enforcement professionals, and the seemingly ephemeral nature of messages, making it an attractive platform for cybercriminals.

Types of cybercrime Telegram channels
In contrast to traditional dark web marketplaces that offer a wide array of illicit goods, Telegram channels specialize in specific types of criminal activity. Some common categories include:

Stealer log distribution
Stealer logs contain data from devices infected with infostealer malware, including browser fingerprints, saved passwords, clipboard data, credit card details, and cryptocurrency wallet information. These logs are distributed through two types of Telegram channels:

  • Open access stealer log channels
    These channels distribute large files containing numerous individual stealer logs, often serving as an extended advertisement for private, invite-only log channels.
  • VIP stealer log channels
    These exclusive channels offer premium logs directly from the source, with prices ranging from $200 to $400 per month, typically paid in Monero. These logs are sought after by initial access brokers for corporate access.

Financial fraud
Financial fraud channels on Telegram offer bulk access to bank account information, credit card details, and refund guides. Individual channels often specialize in one type of financial crime, such as credit card fraud, bank account access, refund guides, SIM swapping, or gift card fraud.

Combolists and credentials
Telegram channels dedicated to combolists provide curated lists of stolen usernames and passwords, often accompanied by names, emails, and other identifying information. Threat actors use these lists for account takeover attacks. Combolists can be categorized based on factors like geography, industry, and account access, making them highly valuable to cybercriminals.
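As an added defender-side example (not Flare's code and not from the original article), the function below triages constructed credential lines in the two shapes described in the stealer log and combolist sections above against a set of monitored corporate domains, so an analyst can list which accounts need a forced reset without retaining the clear-text passwords. The line formats, domain names and credentials are all assumed and made up for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed samples in the two shapes the article describes: combolist rows
# (email:password) and stealer-log credential rows (URL | login | password).
COMBOLIST_SAMPLE = """\
alice@example-corp.com:Winter2023!
bob@gmail.com:hunter2
carol@EXAMPLE-CORP.com:Passw0rd
alice@example-corp.com:Winter2023!
"""
STEALER_LOG_SAMPLE = """\
https://vpn.example-corp.com/login | dave@example-corp.com | S3cret!
https://accounts.google.com/ | bob@gmail.com | hunter2
https://mail.example-corp.com/owa | erin | Summer2024
"""
COMBO_RE = re.compile(r"^([^:\s]+@[^:\s]+):(.+)$")
STEALER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(.+)$")

@dataclass(frozen=True)
class Exposure:
    source: str           # "combolist" or "stealer_log"
    account: str          # login as seen in the dump, lowercased
    domain: str           # monitored domain that matched
    masked_password: str  # triage output never carries the clear-text secret

def mask(secret):
    return secret[:2] + "*" * max(len(secret) - 2, 0)

def matched_domain(host, monitored):
    """Monitored domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    return next((d for d in monitored if host == d or host.endswith("." + d)), None)

def triage(combolist, stealer_log, monitored):
    monitored = {d.lower() for d in monitored}
    found = {}  # (source, account) -> Exposure, so duplicate rows collapse
    def record(source, account, host, pw):
        d = matched_domain(host, monitored)
        if d is None and "@" in account:  # stealer rows: fall back to the login's mail domain
            d = matched_domain(account.rsplit("@", 1)[1], monitored)
        if d:
            found.setdefault((source, account.lower()), Exposure(source, account.lower(), d, mask(pw)))
    for line in combolist.splitlines():
        if m := COMBO_RE.match(line.strip()):
            record("combolist", m.group(1), m.group(1).rsplit("@", 1)[1], m.group(2))
    for line in stealer_log.splitlines():
        if m := STEALER_RE.match(line.strip()):
            record("stealer_log", m.group(2), urlparse(m.group(1)).hostname or "", m.group(3))
    return sorted(found.values(), key=lambda e: (e.source, e.account))
```

A stealer-log row is reported when either the login URL's host or the login's mail domain falls under a monitored domain, which is what catches a non-email username such as `erin` logging into a corporate portal.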

Nation state hacktivism
Hacktivist channels on Telegram, such as Bloodnet, Killnet, Noname47, and Anonymous Sudan, have gained popularity, especially since the start of the Ukraine conflict. These channels target specific entities, often critical infrastructure in NATO countries, with activities ranging from website defacement and DDoS attacks to data leaks from companies.

Concerned about Telegram? Flare can help
Flare’s Threat Exposure Management platform is designed to monitor the clear and dark web for threats efficiently. With a setup time of just 30 minutes, Flare imports over one million stealer logs per week, monitors hundreds of marketplaces and forums on Tor, and detects threats across thousands of illicit Telegram channels. Additionally, Flare automatically identifies exposure due to human errors, such as leaked API keys and credentials on GitHub, data exposure on pastebin, and other clear web sources of risk.

As the cybercrime landscape continues to evolve, staying ahead of threats is paramount. Flare offers the tools and expertise needed to protect organizations from the ever-changing world of cybercriminals who have found a new haven in the depths of Telegram’s digital underground.
