Intel 471 - Intelligence Bulletin - Telegram Messaging Service Enables Cybercriminals To Streamline Operations, Communication - July 2022

The document discusses how cybercriminals are increasingly using the Telegram messaging platform for communication and operations due to benefits like accessibility, anonymity, encryption, and avoiding domain registration. Telegram enables threat actors to form groups around specialized interests and advertise goods and services. However, increased monitoring and mobile number requirements have led some actors to lose interest in Telegram.


Intelligence Bulletin
July 26, 2022
TLP:AMBER

Telegram messaging service enables cybercriminals to streamline operations, communication
Key findings
● Benefits of the Telegram instant messaging (IM) platform include accessibility, anonymity, encryption, specialization opportunities, utility capabilities and avoiding registration with a web host or domain service.
● Successful threat actors and groups advance operations by using Telegram and underground forums to communicate and advertise products, goods and services.
● Increased monitoring, mobile number registration requirements, consent policies and the lack of in-application payment capabilities or a standardized reputation system have led to some actors losing interest in using Telegram as their primary resource.

Figure 1: This graphic depicts the benefits of Telegram for cybercriminals.

© Intel 471 Inc. 2022 1


Overview of Telegram use in the underground cybercriminal population
Cybercriminals leverage different platforms for communication and to achieve their operational goals. In the last decade,
underground forums have acted as the primary location to facilitate illicit transactions and engage others in potential
business opportunities. Despite the extensive use of these forums, there has been a recent increase in threat actors and
groups using the Telegram IM platform to organize attacks, operations and offers.

Open source research reported in 2021 revealed a more than 100% increase in Telegram usage by
cybercriminals recently, with some Telegram groups supporting more than 250,000 users. In June 2022, Telegram
reached 700 million users and announced a new premium tier that offers individuals the ability to upload 4 GB files,
follow as many as 1,000 channels, run four accounts and create as many as 20 chat folders that could hold a maximum of
200 chats.[1][2][3] This report reviews activity on underground forums and Telegram services to outline why the increase
might have occurred.

Service advantages
Telegram is a cloud-based, end-to-end encrypted IM service. The application allows users to message others individually
or in groups, video chat and receive or send large data files. Telegram also offers actors the ability to create bespoke
channels for specific interests that are not typically catered to on cyber underground forums. This enables threat actors
to conduct criminal operations by forming and joining groups and channels that align with their interests and goals.
These variables make Telegram an efficient alternative to popular underground forums, especially when it comes to the
market for compromised access and data.

Near real-time encryption, anonymous communication, convenience


Telegram is considered the preferred method of anonymous communication over in-forum messaging services
monitored by administrators. Telegram provides actors with near real-time encrypted communication if both parties are
online simultaneously, whereas in-forum messaging requires waiting for unencrypted mail notifications. This lag time
and the security risks associated with forum communication regularly encourage actors to provide other contact details in
forum advertisements, such as email addresses and Telegram IDs.

Threat actors can conveniently remain in the Telegram application for multiple levels of communication. For instance, a
Telegram user can use the same handle to access both individual private messages and group and channel
communications. The messaging service also allows threat actors to bypass the need for a web host or domain service
that potentially would leave them vulnerable to distributed denial-of-service (DDoS) attacks.

Unique bot feature


Telegram’s bot feature allows actors to automate many activities and use third-party applications on the platform. The
bots offer other useful functions such as receiving and storing phishing logs, running bots as command and control (C2)
servers for malware, easily administering group chats and automatically banning members who do not follow guidelines.
Threat actors also have weaponized Telegram bots to steal one-time password (OTP) tokens and defraud banks and
online payment systems. We observed cybercriminals pay to access and program the BloodOTPbot, SMS Buster Telegram
and SMSRanger bots to conduct attacks, defraud individuals and gain access to organizations.[4]
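The bot abuse described above (bots as log drop boxes and as C2 channels) is visible to defenders in egress logs, because every Bot API call goes to one well-known host path. The following Python is an added defender-side example, not part of the Intel 471 bulletin: the `https://api.telegram.org/bot<token>/<method>` URL shape is Telegram's public Bot API convention, while the token format, the three-field log format and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict, namedtuple

# Telegram Bot API requests have the shape https://api.telegram.org/bot<token>/<method>.
# Token format assumed here: "<numeric bot id>:<secret>", the secret being 30+ URL-safe characters.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]{30,}/(?P<method>[A-Za-z]+)"
)
# Methods a bot used as a phishing-log drop box (uploads) or as a C2 channel (polling) would call.
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
POLL_METHODS = {"getUpdates"}

Finding = namedtuple("Finding", "host process bot_id method reason")

def analyze_proxy_log(lines):
    """Flag Bot API uploads and polling. Constructed log format: '<host> <process> <url>' per line."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        host, process, url = parts
        m = BOT_API_RE.search(url)
        if not m:
            continue  # not a Bot API call; the regular Telegram client never uses this path
        method = m.group("method")
        if method in UPLOAD_METHODS:
            reason = "data pushed to a Telegram bot (possible stealer or phishing-log drop)"
        elif method in POLL_METHODS:
            reason = "commands polled from a Telegram bot (possible C2 beacon)"
        else:
            continue  # getMe, setWebhook, ...: not flagged by this rule
        findings.append(Finding(host, process, m.group("bot_id"), method, reason))
    return findings

def hosts_per_bot(findings):
    """Pivot on bot id: one bot token seen on several hosts points at a single campaign."""
    pivot = defaultdict(set)
    for f in findings:
        pivot[f.bot_id].add(f.host)
    return {bot: sorted(hosts) for bot, hosts in pivot.items()}

# Constructed sample log; bot ids and secrets are placeholders, not real tokens.
SAMPLE_LOG = [
    "ws-01 outlook.exe https://www.example.com/owa/",
    "ws-02 svchost.exe https://api.telegram.org/bot123456789:AAE0123456789abcdefghijklmnopqrstuv/sendDocument?chat_id=-1001",
    "ws-02 svchost.exe https://api.telegram.org/bot123456789:AAE0123456789abcdefghijklmnopqrstuv/getUpdates?offset=7",
    "ws-05 python.exe https://api.telegram.org/bot123456789:AAE0123456789abcdefghijklmnopqrstuv/sendMessage",
    "ws-04 python.exe https://api.telegram.org/bot987654321:BBF0123456789abcdefghijklmnopqrstuv/getMe",
]
```

Legitimate in-house automation that uses the Bot API should be allowlisted by bot id; the same bot id recurring across unrelated hosts is the stronger signal.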

Region, language influence use of forums versus messaging platforms


Where threat actors live and the language they speak can significantly influence the decision to use underground forums
or Telegram-like services. For example, Chinese threat actors likely leverage Telegram to evade attention from law
enforcement since most Chinese cybercrime forums and domestic IM platforms, such as WeChat or QQ, are monitored
by regional authorities. We also observed actors gradually abandon Arabic and Persian-language forums over the last few
years, mainly in favor of Telegram channels and groups. Threat actors possibly left language-specific forums after
recognizing other messaging and underground forums were more popular. They likely assumed Telegram would provide
a larger base of followers that would help boost their services’ capabilities. It also is possible actors in countries with
strict internet usage policies, such as Iran, realized Telegram could offer additional operational security (OPSEC)
protection and therefore decrease the likelihood of being doxxed.

Hacktivists previously noted to favor the Facebook and Twitter social media platforms for advertising
defacements and other activity were recently observed using Telegram as their primary communication application. The
hacktivist group Jerusalem Electronic Army had a presence on Facebook but now mostly posts on Telegram. Similarly, the
1877 Team hacktivist group from Kurdistan, Iraq, has a Facebook and Twitter presence but primarily operates on
Telegram. We observed that several older groups that used Facebook are inactive and new groups have emerged via
Telegram. Facebook and Twitter policies to disable group accounts that promote illicit activity likely elevated Telegram as
a stable application choice that allows actors to continue to post any content without the risk of being banned.

Analyst comment: WeChat and QQ remain popular communication platforms for China-based threat actors by catering
to the Chinese-language market. The platforms provide extended application services such as WeChat Pay or QQPay,
which Telegram lacks. However, the wider Asia-Pacific (APAC)-based threat actors likely will continue to leverage
Telegram because of the end-to-end encryption service. A new application called Session Manager also is increasing in
popularity among underground threat actors and does not require personal information to register for an account, which
may be appealing to actors in the Chinese-language underground concerned about anonymity.

Telegram-based shops, offers


Telegram’s numerous capabilities and simple structure make it a go-to option for cybercriminals seeking a basic yet
effective method to manage and engage in illicit business. Several actors and groups use Telegram to mobilize their
operations, offering malware logs, compromised accounts and stolen data. For example, we observed an actor using a
Telegram channel to manage an underground shop selling malware logs, and the pro-Russian hacktivist group KillNet
operates a Telegram channel to publish compromised organizations and mobilize member activity.

In March 2022, an actor offered to sell compromised bank accounts via a Telegram-based shop and an underground
forum. The actor promoted several other services on Telegram, including a short message service (SMS) spam offering
and compromised payment card data with cardholder records. This crossover activity indicates threat actors likely
advertise on messaging services and underground forums to increase the number of potential customers or appeal to
specific types of clientele.

In May 2022, an actor launched a compromised payment card data shop and promoted it on the actor’s dedicated
Telegram channel, which had thousands of members at the time of this report. The Telegram channel was created over a
year before the shop was launched, allowing the actor to promote additional products, services or goods available at the
time. Threat actors likely have more success promoting their services via Telegram where they can maintain a steady
following compared to underground forums where they may not reach a similar number of prospective affiliates or
buyers.

We discovered another actor also was an administrator of multiple Telegram channels with thousands of followers at the
time of this report. Marketplaces the actor operated included the provision of compromised credit cards, escrow and
cashout services and video tutorials. The actor also used Telegram groups for backups of operations. Threat actors likely
leverage Telegram for backup services because they deem the platform to be relatively safe and secure. The application’s
encryption capabilities suggest data is less likely to be compromised or lost if a forum is shut down.

Outlook
Since 2020, Telegram has increased in popularity and is used by actors operating underground services. Current terms of
use state the service will not disclose data collected from users, how the data is used or other users the data is shared
with, likely motivating threat actors to conduct business operations via private channels and chats. Threat actors also
likely will continue to remain connected to underground forums even as they shift parts of their operations to Telegram
or other messaging services. Forums provide additional features that allow threat actors to build reputations via built-in
scoring systems that communicate to others they have a reliable offer – a feature Telegram currently lacks.

Additionally, the platform’s laissez-faire privacy policies and refusal to cooperate with law enforcement resulted in the
service being banned in several countries. After recognizing an increase in cybercriminal activity brokered through the
platform, Telegram reinforced its policy on removing personal data that is shared on the platform without consent. For
example, in 2022, the LAPSUS$ Telegram group was closed after Telegram officials stated professional moderators
removed about 10,000 public communities per day for violating its terms of service.[1] It is possible additional oversight,
content moderation and amended platform policies could result in cybercriminals seeking alternative messaging
platforms in the future.

MITRE ATT&CK techniques

Technique ID | Title | Use
Reconnaissance [TA0043]
T1595 | Gather Victim Org Information | Gather information about organizations to post when selling company data.
Resource Development [TA0042]
T1584 | Compromise Infrastructure | Mobilize groups and operations on Telegram and cyber underground forums to attack infrastructure.
T1585 | Establish Accounts | Established accounts on IM platforms and cyber underground forums.

GIRs
1.1 Malware variants
1.1.5 Information-stealer malware
1.2 Malware-as-a-service (MaaS)
1.3 Malware development, support and delivery
4.1 Fraud supply chain monetization
4.1.1 Cashout
4.2 Compromised data or access
4.4 Social engineering
4.4.1 Phishing
5.2 Post-attack tactics
5.2.1 Initial access tactic
5.2.6 Credential access tactic
5.2.9 Collection tactic
5.2.11 Exfiltration tactic
5.5 Information compromise or disclosure tactics
5.5.3 Information or data breach
6.2 All geographic regions
6.2.2 Asia
6.2.4 Europe
6.2.5 Middle East
6.2.6 North America
6.2.8 South America

Sources
[1] Telegram has seen a sharp rise in cybercriminal activities, report says | Engadget
https://www.engadget.com/telegram-sharp-rise-cybercriminal-activities-072559131.html?guccounter=1

[2] Telegram is the new battleground for cybercriminals in Russia and Ukraine
https://www.indulgexpress.com/gadgets/2022/mar/04/telegram-is-the-new-battleground-for-cybercriminals-in-russia-and-ukraine-39418.html

[3] 700 Million Users and Telegram Premium
https://telegram.org/blog/700-million-and-premium

[4] Cybercriminals going after one-time passwords with Telegram-powered bots
https://intel471.com/blog/otp-password-bots-telegram
