Amid growing concerns about Telegram’s security, the Kaspersky Digital Footprint Intelligence team analyzed the channels operating behind the scenes of the platform. Their findings reveal that cybercriminals are increasingly using Telegram as a platform for underground market activities.

Cybercriminals operate in Telegram channels and groups dedicated to discussing fraud schemes, distributing leaked databases, and trading various criminal services, such as cash collection, document forgery, DDoS-as-a-service attacks, and more. According to data from Kaspersky’s Digital Footprint Intelligence, the volume of such messages increased by 53% in May-June 2024 compared to the same period last year.

“Cybercriminals’ growing interest in Telegram is driven by several factors. Firstly, this platform is very popular – its audience has reached 900 million monthly users, according to Pavel Durov. Secondly, it is marketed as the most secure and independent one that does not collect any user data, which gives threat actors a sense of security and impunity. In addition, finding or creating a community on Telegram is relatively easy, which, combined with other factors, allows cybercriminals to quickly gather an audience,” explains Alexey Bannikov, analyst at Kaspersky Digital Footprint Intelligence.

On Telegram, it is very easy to join the underground community: a person with malicious intent only needs to create an account and subscribe to the available criminal feeds to become part of it. Moreover, Telegram does not have a reputation system similar to those found on dark web forums, as highlighted by Kaspersky’s study ‘Business on the dark web: deals and regulatory mechanisms’. As a result, there are many scammers in the Telegram cybercriminal space who often deceive other members of the community.

“There is another trend: Telegram has emerged as a platform where various hacktivists make statements and express their opinions. Due to its wide user base and rapid distribution of content via Telegram channels, cybercriminals find the platform a convenient tool for inciting DDoS attacks and other disruptive methods against some infrastructures. In addition, they can make public the stolen data of the attacked organizations using hidden channels,” says Alexey Bannikov.

Kaspersky Digital Footprint Intelligence has published a comprehensive and free manual for tracking shadow market activities and handling data-related incidents to help businesses mitigate associated cyber risks.