The world of cybercrime is changing rapidly. Threat actors, ransomware gangsmalware developers and others are increasingly leaving the “traditional” dark web (Tor sites) for Illegal Telegram channels specializing in cybercrime.
This To burst The article will examine the reasons why threat actors are abandoning Tor and provide detailed guidance on best practices for monitoring Telegram channels.
Why are threat actors switching from Tor to Telegram?
Today, we see the majority of cybercrime activity happening outside of the traditional dark web and on modern social media apps.
There are myriad reasons for this change, including the commodification of cybercrime, increased law enforcement surveillance of Tor sites, and the general slowness of Tor. We will cover each in turn.
Lack of exit scams
One of the biggest advantages and disadvantages of the traditional dark web markets is that the market acts as a clearing house.
Typically, there is a 14-day hold on trades where the market holds the cryptocurrency and where the buyer can seek redress if they are scammed.
The challenge becomes that, in many cases, market owners can hold millions of dollars in crypto at any given time, creating a strong incentive to get out of the scam and steal the money held.
Modern social media conveniences
Compared to Tor sites, Telegram has an advantage in the following areas:
- Telegram is fast and has many conveniences that modern social media apps have, such as emoticons, direct private chats, a phone app, and other cool features.
- The level of technical proficiency to find cybercrime channels and make successful purchases is even lower than Tor, creating democratization of cybercrime data
- There are many channels that provide free “samples” of credentials, flight logs, breach data, and other data that can provide users with an easy way to “validate” the effectiveness of supplier offers.
It’s no secret that Tor marketplaces, forums and sites are closely monitored by law enforcement agencies. Users know that when they post a message on a forum or marketplace listing, they will likely be seen by corporate security teams, dozens of law enforcement agencies, and many more. others.
Conversely, Telegram offers perceived anonymity given the thousands of channels specializing in cybercrime, the lack of IP tracking available to security and LE professionals, and the seemingly ephemeral nature of the messages.
Types of Cybercrime Telegram Channels
Compared to older dark web markets, Telegram channels tend to specialize in a particular type of criminal activity. A dark web market can offer a criminal the opportunity to purchase drugs, guns, credit card numbers, combolists, and dozens of other illicit goods.
Contract telegram channels act as a single store for a single type of product and can be categorized by what they offer.
The following categories that we have identified are not exhaustive:
Stealer Log Distribution
Log Thief represent data from devices infected with infostealer malware. They usually include browser fingerprint, passwords saved in the browser, clipboard data, credit card data saved in the browser, cryptocurrency wallet information and relevant information .
An individual log ›represents data from one computer. Stealer log channels on Telegram are of two types:
Open Access Stealer Log Channels
These channels routinely distribute megabyte-gigabyte sized files containing hundreds, thousands, or in some cases hundreds of thousands of individual flight logs.
These can be seen as an extended advertisement for private, invitation-only log channels, and as a way for providers to prove that the logs they provide are of high quality and contain valuable identifying information.
VIP Stealer Log Channels
VIP Theft Log Channels provide a limited number of threat actors with access to “premium” logs that are supposed to come directly from the source and are untouched by other threat actors. Generally, the price of access to these channels varies from $200 to $400 per month paid in Monero.
We suspect that many initial access brokers sift through logs posted to these channels to identify specific logs that have corporate access, validate access, and then resell access on prominent cybercrime forums. such as Exploit or XSS.
Another type of channel that we commonly see are financial fraud channels where bank account, credit card and refund information is provided in bulk. These chains usually sub-specialize in their particular “type” of crime, for example.
- Credit card numbers
- Bank accounts
- Refund guides
- SIM card exchange
- Gift Card Fraud
Combolists and Credentials
Another common and critical channel type to watch out for are channels that provide combolists. Combolists are “curated” lists of stolen usernames and passwords, sometimes along with names, emails, and other identifying information that criminals use to attempt account takeover attacks .
Combolists can be created based on geography, industry, account access, and other features that make them valuable to threat actors.
In many cases usernames, emails and passwords are pasted directly into the Telegram chat. In other cases, threat actors may deliver files containing thousands or tens of thousands of data points (and are often accompanied by malware).
The final category of channels particularly relevant to cybersecurity teams are nation-state hacktivist channels. Channels such as Bloodnet, Killnet, Noname47, Anonymous Sudan and others have exploded in popularity, especially since the start of the war in Ukraine.
These channels typically select specific targets, often critical infrastructure in NATO countries and attempt to deface websites, DDoS vital services and leak corporate data.
Concerned about Telegram? The flare can help
Flare Threat Exposure Management Platform installs in 30 minutes and Seamlessly monitors the light and dark web for threats. We import over a million thieves’ logs per week, monitor hundreds of Tor marketplaces and forums, and also detect threats on thousands of illicit Telegram channels.
Additionally, Flare automatically detects exposure due to human error, such as leaked API keys and credentials on GitHub, data exposure on pastebin, and other clear web risk sources.
Register for free 5 minute trial.
Sponsored and written by To burst