Shadow Telegram: How hackers move from forums to instant messengers

Father

Telegram has been a leader among messengers all over the world for several years. In Russia, it has become not only a means of communication, but also a full-fledged platform through which products, services, ideas and views are promoted.

Hackers have also taken notice of this messenger. Many "gray" and outright illegal sites operate quite successfully inside the platform, promote themselves, talk about their activities and offer their services.

This article analyzes the main reasons for the "relocation" of hacker groups and shadow forums to Telegram, the impact of this process on cybersecurity, and the possible consequences for cyberspace as a whole.

What can Telegram give to "old-timers of the Darknet"?

The messenger differs qualitatively from darknet platforms in that its audience is many times larger. At the same time, the rules for moderation and administration of content in the messenger are quite liberal, and to "earn a ban" you need to be very careless.

Roman Miskevich
Technical Director for ANWORK

An incentive for the transition of cybercriminals to public messengers was the growth of their audience. Thus, the number of Telegram users in Russia by 2023 was 48.8 million people, and WhatsApp - 76 million. At the same time, the number of ads offering hacker services also increased - in the second quarter of last year, their volume increased 2.5 times compared to the same period in 2021. More than 59% of the posts on the topic of hacking were offers to sell personal data obtained not only from the databases of large companies, but also from those same social networks and instant messengers. It is not for nothing that new methods of attacking personal data protection regularly appear there: WhatsApp users are called in a chat on behalf of "State Services", and phishing links are sent on Telegram; by clicking on them, the user registers through the specified number, thereby transferring all their data to scammers.

It is important to note that this audience is very diverse, ranging from potential victims and accomplices to the "just curious" and potential advertisers. Hacktivist projects that have grown into full-fledged channel networks deserve separate mention. One example is the resources of the Killnet group, which can include a news channel, a channel of the group itself, a channel of its founder, and, with some stretch, several partner channels.

"Corporate" channels have also gained their share of popularity, primarily related to publishing databases, "breaking through" and distributing malicious software for various tasks.

If we talk about the audience of such projects, many of them are driven by simple curiosity and the desire to "touch the forbidden". Most people, even if they have a certain database of leaked data and access to a malware file, are unlikely to become cybercriminals. Not only because they "don't know how", but also because they don't set such goals for themselves.

What is the danger of this phenomenon?

Increasing the media footprint of cybercriminals is a double-edged sword. On the one hand, they get access to more potential customers who no longer need to install Tor and understand the structure of hacker forums.

On the other hand, any conscientious user who believes that hackers and their activities are something far away that "will never affect them" can see for themselves, directly from the search bar of their messenger, that hackers are not movie characters but very real people, and that any user of the network can become their victim.

Sergey Belov
CEO, AtreIdea

The spread of cybercrime projects beyond hacker forums on the Darknet can lead to serious consequences for individual users, as well as for business and society as a whole.

First of all, the spread of database dumps can lead to leaks of confidential information, such as usernames, passwords, and other personal data of users. This can lead to theft of personal funds, compromise of personal information, and overall security risks.

In addition, the distribution of links to dangerous software can lead to infection of users' devices with malicious programs, including spyware, adware, etc. This can lead to a threat to data privacy, loss of control over the device, and possible security compromise.

In other words, the spread of cybercrime projects outside of hacker forums can lead to serious consequences that can negatively affect the security and confidentiality of user data. Therefore, it is very important that administrators of legal platforms take measures to combat cybercrime, including monitoring and blocking links to dangerous resources and software. Also, users should be more careful in their behavior on the Internet, avoiding suspicious links and software downloads from unknown and unreliable sources.

If we talk about moderation of Telegram, then it is certainly not aimed at encouraging hacker activity. This is noticeable, among other things, in the behavior of the hacker communities themselves, which are trying to attract the target audience to "shadow" resources. The methods used are very different, including advertising courses "on working on the Darknet", the content of which can hardly be legal by default.

Results

Based on the experience of hacker communities in Telegram, we can conclude that hackers are not fringe figures who can only "cluster" among their peers in closed forum threads. They know how to work with an audience, promote themselves, and find nominally legal channels to attract potential customers to their projects. At the same time, they are quite capable of applying advanced business practices and borrowing the models of legal startups.

Starostina Ekaterina
Cybersecurity expert, Development Director of Webmonitorex

Telegram has long been a platform that has "everything". Whoever is looking will always find it, whether on the Darknet or on Telegram. What can it lead to? To great consequences in terms of the spread of malware, because researchers may simply not fully understand what harm they can unknowingly cause. Although, as we know, ignorance of the law does not exempt from liability.

For cybersecurity specialists, this, on the one hand, promises difficulties, as malware and information about hacking techniques become more accessible. On the other hand, it is much easier to study "public" hackers, which can contribute to the introduction of preventive response practices to certain potential information security problems.
 