The proliferation of cybercrime on the Internet has given rise to thousands of criminal communities. These corners of the internet, often dominated by malicious actors, provide space for them to coordinate and carry out their illegal activities. Generally, the area of the Internet that experts believe has the highest criminal activity is on dark web forums and markets.
More recently, there has been a spike in illicit activity moving to online messaging apps such as Telegram. Combined, these two facets of cyberspace harbor a plethora of criminal activity by threat actors.
In this article, we will explore common threat actors and their activities on dark web forums versus illicit Telegram communities. Additionally, we will cover the key similarities and differences between each platform to better understand that not all cybercriminal-based communities are created equally.
Dark Web Forums: Experienced Cybercriminals
The dark web is notorious as the corner of the internet accessible via Tor and as a hotbed of nefarious activity. Within the dark web are numerous forums that allow users to regularly share, communicate, buy, sell and trade illegal goods and services. These forums also let users carry out many illicit activities, seemingly under a cloak of anonymity.
Common Dark Web Hacking Activities
Illegal cybercrime activities are proliferating on the dark web. These include ransomware-as-a-service providers, stealer logs, marketplaces, credential dumps, and hacking forums.
Several of these forums, such as RaidForums, have allowed the cybercriminals executing the attacks to directly share their stolen credentials and leaked data with other forum users.
A number of these forums are also home to more experienced hackers, such as initial access brokers active on prominent forums such as XSS and Exploit.in. Hackers on dark web forums are more notorious for sharing zero-day exploits with other threat actors, as well as showing other hackers how to use these exploits to their advantage.
Although there has been a greater law enforcement presence on the dark web aimed at shutting down more dark web forums, many have continued to maintain their more experienced cybercriminal establishments.
Illicit Telegram Communities: The Direct-to-Consumer Model
In recent years, Telegram has become a popular messaging platform for both illicit and legitimate communication. The app has enabled people around the world to share and collaborate more than ever. However, it has also enabled many dark web forums and other nefarious groups to move to the messaging app and successfully create illicit channels.
Common Activities of Illegal Telegram Channels
These groups range from those selling credit card information or user credentials to groups of Russian hacktivists sharing their latest exploits, recruiting hackers to support their cause, and targeting victims of their attacks.
Due to the popularity and sheer volume of illicit groups that users can join, there is a much wider range of cybercriminals on the app. Research has shown that the cybercriminals active on Telegram tend to be low-level beginners in cybercrime more often than experienced mid-level cybercriminals. Among the many illicit groups studied on Telegram, there was a wide variety of groups operating as markets selling:
- Bank account user data
- Data leakage channels
- Credit card information
- Stealer logs
Many of the groups studied typically offered either user data or services aimed at being able to aid in an attack on an organization. In this sense, Telegram actors tend to focus more on providing the means to access a system rather than the access itself.
Users seeking any of these services in one of these malicious communities were often directed straight from Telegram to a dark web forum. Additionally, in some communities beyond financial fraud, many of these groups share and reinforce recent exploits. Telegram also allowed threat actors to communicate with each other and share other new or existing illicit communities.
Parallels Between Dark Web Forums and Illicit Telegram Communities
These illicit communities also allow countless users to have more anonymity within a global community that allows them to share, trade or earn money by successfully selling services or exploits.
Dark Web Forums & Telegram: Key Similarities
There are many similarities between dark web forums and illicit Telegram communities. The most notable parallels between these two platforms are:
- They can be a hotbed for both illegal and criminal activity, ranging from selling financial data to consumers to effectively carrying out distributed denial-of-service (DDoS) attacks against organizations.
- They can both provide a borderless community built among thieves.
Additionally, these types of communities often include moderation and governance of forums and channels in order to:
- Oversee operations
- Control membership
- Moderate content
- Lead the general direction of the communities
Quick Adaptation to Forum/Channel Changes
Dark web forums are adaptable, even in the face of law enforcement action. For example, if a forum or channel owner, moderator, or administrator needs to step down, their role is often picked up by another community leader.
Channel owners on Telegram can often sell their group to the highest bidder in order to cash out of the group.
This is often done before law enforcement steps in to shut down the group, or before the Telegram channel is reported and threatened with shutdown due to illicit activity.
Main Differences Between Illicit Telegram Channels and Dark Web Forums
While there are many parallels in criminal activity between illicit Telegram groups and dark web forums, there are also several key differences between these communities.
Differences in Activities
Not all dark web activity seen on many forums is also seen on Telegram. For example, illicit communities on Telegram have rarely been seen to allow others to buy, sell, or trade other cyberattack methods such as RaaS or other attacks as a service.
Attacks sold as this kind of crime-ops service are still found mostly on dark web forums and marketplaces.
Telegram: Simplified Accessibility
In addition to the differences in experience levels and types of activity seen on forums versus Telegram, there is also a key difference in accessibility, user interface and technical requirements for joining communities. For example, most dark web forums can only be reached with special browsers such as Tor, use unique URLs, and look like traditional internet forums.
On the other hand, Telegram is much more user-friendly, making it easy for threat actors to create an account and join or start their own channel. Most Telegram channels, including illicit communities, can make criminal activities on the platform more accessible and easier, even for low-level cybercriminals.
Monitor Both Dark Web Forums and Telegram for Better Protection
The cybercrime landscape has evolved significantly, with hackers using both dark web forums and illicit Telegram communities to facilitate their activities.
For organizations to effectively protect against these ever-evolving threats, cybersecurity strategies must include monitoring of both of these platforms. This will allow them to anticipate and counter malicious activities in different cybercrime ecosystems.
Concerned About Telegram? Flare Can Help
The Flare Threat Exposure Management Platform installs in 30 minutes and monitors the clear and dark web and illicit Telegram channels for external risks.
- Over 12 billion credentials leaked on the dark web
- Hundreds of Tor marketplaces and forums
- Thousands of illicit Telegram channels
Additionally, Flare automatically detects exposure due to human error, such as leaked API keys and credentials on GitHub, data exposure on Pastebin, and other clear web sources of risk.
Sign up for a free trial in 5 minutes.
Sponsored and written by Flare