Getty Images/iStockphoto

Infosec experts detail widespread Telegram abuse

Cybersecurity vendors say threat activity on Telegram has grown rapidly in recent years, and they don't expect the arrest of founder and CEO Pavel Durov to change that trend.

The arrest of Telegram's founder and CEO has sparked debates across the technology landscape. But infosec professionals largely agree the platform plays a significant role in facilitating cybercrime activities such as malware distribution, hacktivism and selling stolen credentials.

Last month, French authorities arrested Pavel Durov for allegedly enabling an array of illegal activities on the messaging platform, from drug trafficking and money laundering to the possession of child sexual abuse materials. Durov founded the cloud-based platform in 2013, and it's become widely used for its social media and instant messaging services.

While Telegram is used for legitimate purposes, cybersecurity vendors say it's also become a haven for threat actors. Durov is accused of facilitating those illegal activities through the platform's lack of content moderation and security checks.

Threat intelligence company Intel 471 expanded on the charges and Telegram's prominent role in cybercriminal activity in a blog post last month. The threat intelligence firm said the platform "is known for hands-off moderation." However, Intel 471 said Telegram rebuked such claims in a post on X, stating its standards align with its peers and that its rules abide by European Union laws and the Digital Services Act.

The blog post also provided technical details of how Telegram works. One facet that proliferates illegal activity is a feature known as Secret Chats. Intel 471 highlighted how decryption keys are stored in different servers with different jurisdictions, which makes it more difficult for law enforcement to act.

"Telegram's encryption model varies by chat type: Cloud Chats and Secrets. Cloud Chats employ server-client encryption, where the data is encrypted in the cloud in multiple data centers around the world. Although that data could be accessed with a court order, Telegram has intentionally designed it to be difficult for authorities," Intel 471 wrote in the blog post.

Jeremy Kirk, executive editor at Intel 471, expanded on Telegram's role in illicit activities to TechTarget Editorial. Kirk listed several appealing traits Telegram offers to cybercriminals. One example is secure, person-to-person communications with Secret Chats, which are encrypted.

He also highlighted how Telegram features allow it to act as more of a social network, allowing users to create "groups" that can accommodate up to 200,000 members. Additionally, users can create "channels" as well with unlimited subscribers. In those groups, cybercriminals continually stream advertisements for illegal services, he added.

Intel471 has observed threat actors selling SIM swapping services, bank account details, credentials, stolen credit cards and more. "There are other features that are useful as well, such as the ability to send large files up to 2 GB and bot functionality. The scale of Telegram allows threat actors to reach out to other cybercriminals who might be interested in their services," Kirk said.

Regarding how long cybercriminals have been using Telegram, Kirk said Intel 471 has collected intelligence on more than 5,500 channels linked to malicious hacking, financial fraud and other activities over the past few years. Aside from the recent charges against Durov, Kirk said many countries have been trying to get Telegram to be more compliant with law enforcement and intelligence agency requests.

"Broadly, most social media platforms have to deal with issues with users abusing their platforms, so this is a challenge that is not unique to Telegram. Telegram stands out, however, since obvious cybercriminal activity on the platform is prolific and easy to find," Kirk said.

A big part of the charges against Durov involved a lack of content moderation. While Telegram will process takedown requests for illegal content posted on public channels, Kirk said users can create private or group channels where Telegram does not process any legal requests. Additionally, he said that while intelligence agencies have been concerned that the platform is used by extremists to communicate, Telegram doesn't respond to requests for user communications or data.

Following Durov's arrest, the Verge reported that Telegram changed the language on its FAQ regarding how private chats were moderated. The company previously said, "We do not process any requests related to" private chats, but the FAQ has been updated with reporting and takedown request options. However, infosec experts agree that's not going to have much effect on the platform's widespread abuse.

Widespread illegal activity

Other cybersecurity vendors and infosec experts have also observed a growing influx of illegal activities on the platform. Alexander Leslie, associate threat intelligence analyst at Recorded Future, said generally anytime a social media platform is launched, illicit activity or abuse starts immediately. However, Recorded Future saw a jump in abuse on Telegram beginning in 2020.

"We do know that Telegram is, by far, one of the most used platforms for illicit activities, period. There are a lot of reasons for this, but it mostly has to do with convenience," Leslie said in an email to TechTarget Editorial.

He attributed the convenience to the fact that many regions with high cybercrime activity, like Russia and Southeast Asia, use Telegram daily for legitimate purposes, so the familiarity is already instilled. Additionally, the platform is public, easily accessible for Android and iOS devices, and involves an easy registration process that only requires a telephone number and username. Leslie also highlighted Telegram's loose moderation policies.

"The primary reason that criminals will use Telegram is to either amplify their business or for marketing purposes. You're going to see a lot of those public-facing channels, from fraud groups, from hacktivists, from malware operators (not necessarily from ransomware groups, because they don't consider it to be the most secure). But it's generally the public facing aspects of Telegram that allow cybercriminals to conduct a lot of business," Leslie said.

The fact that anyone with a Telegram account can view most public channels makes it easy for cybercriminals to garner new business or enhance political motivation as with hacktivist campaigns. Leslie observed some hacktivist accounts grow from 10 followers to 1,000 quickly after claiming responsibility for attacks through Telegram posts, which he said is concerning.

Telegram allows cybercriminals to gain widespread attention not only from other cybercriminals but also from researchers and the media. Ransomware gangs have also embraced Telegram. In a report last year, Sophos described how several gangs set up public channels to publicize recent attacks, shame victim organizations and even conduct interviews with news media outlets.

Leslie warned the platform's public-facing features help cybercriminals boost their reputation and credibility. Though it is public, it also offers anonymity.

"It's not as simple as looking at Telegram and looking at their username or maybe querying them and trying to get their phone number. Usually, in order to deanonymize, Telegram users have to be correlated with maybe a shared moniker on a forum somewhere else, and that forum moniker was exposed in a data breach, or that forum moniker is unique enough to maybe attribute to a social media account and that account has a phone number listed," Leslie said. "Even though it comes with some operational risk security, they are relatively guarded when they use Telegram."

Telegram updates to its FAQ entry for reporting illegal activity.
Following the arrest of CEO and founder Pavel Durov, Telegram updated its FAQ with new language for reporting illegal activity on the platform.

'The next darknet'

According to Telegram's FAQ, all apps have a report option to flag illegal content, and there is an automated takedown email address to contact. Leslie said part of the problem is the influx of abuse and illegal activity going on through the platform is too much to even process.

For example, he said Recorded Future looks at approximately 500,000 unique references in its intelligence collections on public cybercriminal Telegram sources. "It's impossible to triage that many alerts and impossible to kind of report all of it and hope that content moderation policies are going to catch it, either manually or automated. So the volume really outpaces what can be handled," Leslie said.

Bogdan Botezatu, director of threat research and reporting at Bitdefender, agreed that Telegram's moderation process is ineffective and said the platform does not have active checks in place to regulate the abuse. He's observed cybercriminals using Telegram as a file sharing platform to advertise and sell malware, initial access tools, hacking kits and email lists obtained from data breaches.

"Most social networks or most file sharing platforms have specific mitigations that disallow the embedding of specific types of files. Telegram happily receives anything from the user and makes it easily downloadable," Botezatu said.

He added that Telegram welcomes bots and has an API that allows any developer to build bots that interact with other users and the infrastructure. "It's easy to imagine that this functionality is constantly being abused by malware authors that are using Telegram as a command and control for instructing malware to perform specific actions," Botezatu said. "This is amazing because command control infrastructure is usually painful to maintain and to ensure that it's working. In this case, it's Telegram that takes care of liability and other performance metrics. So hacking groups are using Telegram to communicate with their malware."

Botezatu attributed a lack of security checks to Telegram not being held fully accountable for the abuse. He said it comes down to politics and the fact that no one wants to add friction between a service and the user base. The security checks and safety mechanisms add stress and workload to the social network operators while, at the same time, deanonymize users. "There are a few social networks who take great pride in providing anonymous usage to their services, and Telegram is one of these," Botezatu.

Regarding the charges against Durov, Botezatu said it's not surprising that any government would want some regulation and capability to inspect what's happening on large social platforms. He said it's a constant fight between user privacy and enabling illegal activity.

"It's good because it brings order to an otherwise very disorderly community. On the other side, it comes with a privacy trade off. So the more you try to regulate the model, you're going to want the social network to know your customers and information," Botezatu said.

Botezatu said Bitdefender views Telegram as the next darknet, with demonstrated ability to amass large quantities of stolen information and malware. "It has all the mechanisms of driving cybercrime supply and demand together. It currently offers significant anonymous access for the platform to be desirable to cybercriminals," he said.

TechTarget Editorial contacted Telegram through its official press bot account, but the company did not respond at press time.

Arielle Waldman is a Boston-based reporter covering enterprise security news.

Dig Deeper on Data security and privacy