In 2023, Danique Lummen, a cybersecurity specialist and analyst, carried out research on darknet markets, suggesting that the reason the messaging platform, which passed 700 million users last year, is seen as a growing market for the darknet is related to its "ease of use." Security teams use in app keyword search, join public channels through URLs found in hacker forums, or scrape indexes some websites list channel links by category. It refers to Telegram channels and groups used for illicit trade, resembling dark web forums.
- If your security team monitors the dark web, also watch Telegram channels.
- These instructions were often detailed and accompanied by images or videos to ensure even novice users could follow them easily.
- Ever stumbled upon a Telegram channel promising guaranteed wins throu…
- This moniker also comes from the fact that threat actors may often use these channels to share leaked credentials, disturbing content, or other sensitive information.
Key Differences Between Illicit Telegram Channels And Dark Web Forums
These channels predominantly advertised modified versions of popular applications, including games with unlocked levels and in-game currency, utility apps with premium features, enhanced communication tools, and educational applications with additional functionalities. This included 32 email providers, 11 domain providers, and 24 online services, all through their respective vulnerability disclosure programs, starting from the first week of April when we manually reviewed our data and identified the threats. However, approximately 5.2% of the posts included links behind paywalls, requiring users to make payments before accessing the files. Harmful content can include phishing scams that trick users into providing sensitive information, and malware that can infect and compromise the security of their devices. Lastly, users engage with Telegram posts by reacting with emojis, which serve as a good indicator of how the user resonnates with the content (Ling et al., 2021)., conveying a range of emotions, from approval and excitement to disapproval and anger. Telegram channels, by design, only allow channel admins to post original content and decide whether to enable replies.
- Offering such details can be particularly valuable for users unfamiliar with the software, guiding them through the installation and usage process.
- KelvinSecurity is a famous Telegram channel where people share information about ethical hacking, vulnerabilities, code reviews, and ethical hacking tips.
- It allows organizations to detect breaches, identify threats, and anticipate attacks before they cause real damage.
- We use these manually labeled samples to train a multi-class BERT model, DarkGram, which classifies posts based on their text with an average accuracy of 96% across different CAC categories, allowing us to extend our findings across the entire dataset.
- We use these posts towards identifying the characteristic features of content shared in these channels from the four CACs in Section 5, highlighting different strategies used to distribute cybercriminal content and characteristics of the content itself.
- While Haowang Guarantee responded to Telegram's bans by almost immediately shutting down, Xinbi Guarantee appears to be making an effort to relaunch itself on new Telegram channels, Robinson says.
Does Telegram Have A Native Search Engine?
In the wake of Edward Snowden’s revelations concerning government surveillance, Telegram was built in 2013 to prioritize user privacy and safeguard private conversations and data from third-party intrusion.

Telegram Emerges As New Dark Web For Cyber Criminals

This crowd-sourced validation not only distributed the risk of detection but also reinforced trust in the community, as verified credentials could be used by other members with greater confidence. These instructions were often detailed and accompanied by images or videos to ensure even novice users could follow them easily. These proofs often took the form of screenshots or videos showing successful logins or transactions, serving as evidence of the authenticity of the leaked credentials. Additionally, 29.2% of the posts included “proofs” aimed at building trust and credibility among potential buyers. We did not interact with these users directly, but we studied the characteristics of the bots, which we explore in more detail in Section 4.2.
Telegram’s Dark Web Channels
“Telegram CEO Durov announces crackdown on ‘illicit activities’ amid arrest, criminal probe”, Forbes, September 6, 2024. The platform’s public nature makes it a significant player in the digital landscape, providing a more accessible platform for both criminal and legitimate uses. This visibility can attract the attention of law enforcement, but also allows illicit activities to reach a wider user base. While the dark web operates in the shadows, Telegram’s channels and groups are visible to a larger audience. Its user-friendly interface and widespread adoption make it more reachable to a broader audience, including both legitimate and illicit users.
We will review the content and take necessary action as soon as possible. Report any incorrect/abusive/invalid content. Do you recommend this channel/group/bot to others? Get direct feedback from your users, monitor the reviews and keep the user base intact Known for its privacy and security features, Telegram has bec…
We see many of the same threats on Illicit Telegram channels that we see on dedicated dark web markets and forums. According to the reports, perpetrators then disseminated stolen information through social media platforms, eventually putting it up for sale on the dark web forums. According to the Telegram moderation overview page, the platform blocks tens of thousands channels and users daily, specifically due to violation of the app’s Terms of Service. With KELA’s cyber threat intelligence platform, you and your business can continuously monitor these channels, identify relevant threats in real time, and act before the damage occurs. KELA’s platform monitors active carding channels, detects real threats, and protects your business from cybercrime.
BLOCKS NEWS CRYPTO
Since July of last year, Elliptic has highlighted the enormous volume of money laundering and other illicit transactions taking place on Huione Guarantee and later Haowang Guarantee. Telegram's sudden move to ban the marketplace's accounts appears to have been spurred by WIRED's inquiry to Telegram late last week about new findings from researchers at the crypto-tracing firm Elliptic. Prior to its abrupt shutdown, Haowang Guarantee—which despite its rebrand was still partially owned by Huione Guarantee and its Cambodia-based parent company Huione Group—had allowed third-party vendors to sell a wide variety of services to crypto scammers, all via Telegram, using deposit and escrow systems to “guarantee” the transactions. The move comes in response to Telegram's action on Monday to ban thousands of accounts and usernames that served as the infrastructure for the sprawling marketplace of third-party vendors, many of whom provided money laundering and other services to the burgeoning industry of East Asian crypto scammers.
These conversations are more content-centric, focusing on the nature and aesthetics of the media rather than technical aspects. Users often discuss the quality of the content, as in the comment ”This is a Koikatsu model, not a drawing” (Translated from Chineese), providing clarification on the type of media being shared. Users share their social media links and ask others to follow or like their posts, as seen in comments like ”Follow my Instagram” or ”Pls like” Here, the engagement is less about problem-solving and more about reciprocal actions to enhance social media presence. It is also noteworthy that the replies to these Telegram posts were typically brief, with a median word count of just 4 words and an average of 9.16 words. DarkGram successfully took down 196 CACs, demonstrating potential for large-scale intervention while highlighting the challenges of moderating decentralized platforms.
Illicit Telegram Groups Provide Better Anonymity

My work bridges the gap between technology and cybersecurity education, helping to inform and empower others in the ever-evolving cyber landscape. My interests lie in unraveling the hidden layers of the internet, including the Deep Web and Dark Web, and understanding their impact on cybersecurity. As an experienced blogger with a deep focus on technology, I am currently channeling my expertise toward a career in IT Security Analysis. Each platform has features that can be abused; the following summarizes typical misuse without describing methods for wrongdoing. They demonstrate not only the scale of compromised data but also the evolving tactics cybercriminals use to exploit it. This is valuable because it reveals their specific targets and how they convert stolen data into cash (e.g., minimum item values, using the same receiver names and phones, parcels worth over 30,000 JPY).

This helps others understand and manage the pirated media more effectively.In Pirated Software channels, educational exchanges are common, with users sharing technical information about software modifications. This shows that users are not just passive consumers but actively engage in curating the content available in these channels.In Pirated Software channels, requests often involve software updates or modifications. This emphasis on technical support is crucial for users who engage in credential theft.In Copyright Media channels, questions often revolve around finding more content from specific creators or resolving issues with media sharing restrictions. Feedback here influences what gets shared, showing that users are invested in the quality and type of pirated content available.On the other hand, Pirated Software channels, engagement is centered on evaluating the functionality of unauthorized software. In Blackhat Resources channels, users frequently engage with the content by providing feedback on the effectiveness of various hacking tools.
Currently, the channel claims to have a database of over 2 billion records available via a subscription-based model, making it one of the most active sources for buying and selling stolen credentials. Its catalog includes data harvested via infostealer malware, such as passwords and access tokens for Google Ads, YouTube, and other popular services. In their bio, they describe themselves as “the largest and most versatile cloud on Telegram”, where logs extracted from other cybercrime channels are posted for easy access. It is a platform that compiles a massive collection of malware samples, research articles, and threat analyses—making it a key resource for researchers and hacking enthusiasts. Hacker groups, underground markets, and ransomware networks began using Telegram to distribute stolen data, sell hacking tools, and coordinate illicit operations.
While in no way related to the dark web, these channels are nicknamed “dark web” because of the encryption and secrecy that surrounds them. That is partly why these groups are often referred to as Telegram’s “dark web” channels. It uses encryption to provide anonymity to users, their activities, and hosted websites. The dark web is the intentionally hidden part of the internet accessible only through specific tools, such as Tor (The Onion Router) browser or the I2P (Invisible Internet Project).
Figure 9 shows a heatmap comparing the growth of copyright media channels to other CACs over this period. This restriction makes it difficult to determine whether the same users are interacting in multiple channels within a single CAC or across different CACs. Collectively, the identified CACs are followed by approximately 23.8 million users, with a median of 8,000 followers per channel. To receive notifications about new content, users on Telegram must follow (join) a specific channel.
URLs flagged by two or more engines were marked as malicious, a threshold commonly used in prior research. Note that while phishing URLs were shared across all CACs, executables were chiefly ( 97%) found across Pirated software and Black resources CACs only. In the previous section, we explored how cybercriminals leverage CACs to distribute content that poses risks to both individuals and organizations. Telegram’s content moderation strategy appears to rely significantly on user reporting (Wijermars and Lokot, 2022). This disparity highlights significant variations in Telegram’s content moderation efforts across different types of CACs.
Quality In Cannabis Social Clubs
This underscores the limitations of simply deleting channels as a countermeasure, as cybercriminals can swiftly adapt by creating backup channels and sharing new links with their audience, retaining their follower base. To assess this, we measured the time intervals between consecutive posts from each channel and used this as a variable for a paired t-test. In the previous section, we established the characteristics of the different Cybercriminal Activity Channels (CACs) and identified the various strategies used by channel administrators to disseminate cybercriminal content.
“If so, I think that Telegram is no longer a realistic platform for these marketplaces, and they'll have to look for somewhere else to operate.” He suggests the crypto-scam market operators would then likely try to migrate to another messaging service with less oversight, or even a decentralized one where they can't be effectively banned. Whether the two markets succeed in relaunching, Robinson notes, will depend largely on how serious Telegram is about its efforts to prevent them from using its messaging services. Tudou Guarantee has already seen a significant surge in new users, Robinson says. Although it wasn't mentioned in Vaughn's statement, Telegram's ban may have also been related to an announcement earlier this month from the US Treasury's Financial Crimes Enforcement Network that Huione Group, Huione Guarantee and Haowang Guarantee's parent company, would be added to a list of known money laundering operations in an attempt to limit its access to US financial institutions.