Cybercriminal activity on Telegram increased by 53% in 2024

Amid growing concerns about Telegram security, the Kaspersky Digital Footprint Intelligence team has analysed Telegram's shadow channels. Their findings reveal a disturbing trend: cybercriminals are increasingly using Telegram as a platform for their illegal activities.

Cybercriminals actively operate channels and groups on Telegram aimed at discussing fraud schemes, distributing leaked databases and marketing various criminal services, such as cashing in, forging documents, DDoS as a service attacks and more. According to data from Kaspersky's Digital Footprint Intelligence team, the volume of such posts increased by 53% in May-June 2024 compared to the same period last year.

"The growing interest in Telegram from the cybercriminal community is driven by several key factors. First, this messaging service is very popular in general - its audience has reached 900 million monthly users, according to Pavel Durov. Secondly, it is marketed as the most secure and independent messaging service that does not collect user data, giving threat actors a sense of security and impunity. In addition, finding or creating a community on Telegram is relatively easy, which, combined with other factors, allows various channels, including those of digital criminals, to quickly gather an audience," explains Alexey Bannikov, an analyst at Kaspersky Digital Footprint Intelligence.

Cybercriminals operating on Telegram generally demonstrate less technical sophistication and expertise than those on more limited and specialized forums on the dark web. This is due to the fact that it is easier to enter Telegram's shadow communities - someone with malicious intent just needs to create an account and subscribe to the criminal resources they can find, as they are already part of that criminal community. Furthermore, Telegram does not have a reputation system similar to those found on dark web forums. Consequently, there are many scammers in Telegram cyberspace who tend to deceive other members of their community.

"There is another trend: Telegram has emerged as a platform where various hacktivists make statements and express their views. Due to the extensive user base and the rapid distribution of content through Telegram channels, hacktivists find the platform a convenient tool to instigate DDoS attacks and other disruptive methods against targeted infrastructure. In addition, they can release stolen data from attacking organizations in the public domain using shadow channels," Alexey Bannikov notes.

Kaspersky Digital Footprint Intelligence has published a free comprehensive guide to monitoring shadow market activities and managing data-related incidents to help enterprises mitigate related digital risks.