Date: 2024-11-16
With Telegram in the spotlight over legal issues and security concerns, cybercriminals are beginning to leave the platform in droves, seeking other platforms and alternatives.
With about 700 million users around the world, the messaging platform that once prided itself on privacy and a lack of moderation has implemented significant changes since the arrest of its founder and CEO, Pavel Durov, in France.
Cyberint, a dark web threat intelligence company, has found that threat actors are having conversations on the most popular underground forums about where to go now, after Durov’s arrest and the changes at Telegram.
We explore the findings and try to see where scammers will head next.
Investigation Reveals Threat Actors’ Move Away From Telegram
Some bad actors have already created new channels, users, and infrastructure on other messaging platforms like Discord, Signal, Jabber, and SimpleX. Others are beginning the migration process.
Of all the changes Telegram implemented following the arrest of Durov, one stands out as the change that worries cybercriminals: wider cooperation with law enforcement and courts and the possible disclosure of user data to police, including IP addresses and phone numbers.
Governments and law enforcement now have a backdoor on Telegram, which they can open with court orders.
That said, those who have opened accounts on other platforms remain on Telegram: the lure of a big crowd and group features is strong.
Aryan Singh, Threat Researcher at BforeAI, an automated preventive remediation company, told Techopedia:
“While there are several Instant Messengers available that can be used as a replacement for Telegram, almost none of them provide features that are available on Telegram.”
Singh explained that some Telegram features are heavily used by the cybercriminal ecosystem.
These include ‘Supergroups’ that allow up to 200k members, broadcast channels, and bots.
Telegram bots have been particularly popular among threat actors in the past few years as a replacement for websites and web infrastructure, streamlining services like buying and selling data, leaking large databases, and creating malicious payloads.
“Most cybercriminals have not been able to move to any other platform due to their dependency on these features to conduct their activities and also because Telegram has the majority of the user community who use these services,” Singh said.
Which Messaging Apps Do Criminals Plan to Use Next?
Cyberint’s researchers gathered data from various forums and Telegram channels to understand what platforms are emerging as top alternatives.
Cyberint researchers found that SimpleX links in underground forums have nearly doubled since August, with over 6,000 mentions in September and early October on the dark web.
But SimpleX is not popular everywhere. Cyberint breaks it down:
“Notably, SimpleX appears to be less popular among Chinese and Russian-speaking threat actors but more attractive among Europe and the US, as well as among far-right and neo-Nazi groups.”
Other apps where cybercriminals are building a presence include Signal and Discord.
Cyberint concluded that the new alternative groups have only dozens or hundreds of members, which falls short of the thousands or tens of thousands still active on Telegram.
Additionally, most of the newly created threat actor groups on other platforms have little activity and low levels of interactions and engagement.
We asked Josh Copeland, 20-year Air Force veteran and Director of Managed Security at Quadrant Information Security, a Florida-based Managed Detection and Response (MDR) provider, whether cybercriminals plan to use these alternative apps if a wider and more aggressive crackdown on illegal activities on Telegram begins.
And if so, is this plan effective?
Copeland said:
“Like the historical Hydra, as one application that is used by cybercriminals is locked down or removed entirely, two more will pop up to replace it.
“I think Session is a likely candidate for the replacement of Telegram.
“It uses several key features that make it ideal for bad actors, like the lack of a need for a telephone number or email to sign up, no usernames, onion routing, and no data collection on the part of Session — along with the ability to have disappearing messages.”
With social media platforms increasingly subject to regulatory oversight and collaborative efforts with law enforcement agencies and governments, the wider tech industry is experiencing significant ramifications.
“We’re trending in China’s direction when it comes to social media and chat apps. China requires real-name registration for pretty much every online account,” Paul Bischoff, Consumer Privacy Advocate at Comparitech, a technology research company, told Techopedia.
Hauk said that although he supports privacy, the number of participants in end-to-end encrypted group chats should be capped.
“I can’t think of a single legitimate reason why 500+ people need to keep something secret from the rest of the world,” Hauk said.
Hauk believes that capping the number of group participants would cut down on terrorist cells, human trafficking and drug cartels, cryptocurrency scammers, and the distribution of child porn.
Ian Campbell, Senior Security Operations Engineer at DomainTools, an enterprise-grade domain intelligence company, told us that it’s still premature to expect too many substantive changes from Telegram.
While law enforcement can request access to Telegram data, they still cannot read the end-to-end encrypted messages.
Campbell said some things remain to be seen, such as whether Telegram will deliver more than a few sacrificial lambs to authorities.
“In the meantime, we see an area of the criminal ecosphere ripe for disruption by newcomers, but in a more risk-averse and distracted economy than usual, which may delay or lessen investments in the space.”
The Bottom Line
The Telegram saga has been going on for years, if not decades, at a smaller scale than what we see today. After Telegram jumped on the privacy bandwagon, it wasn’t long before it gained a bad reputation among cybersecurity researchers for the illegal activity on the platform.
Today, even after Durov’s case shone the global public spotlight on Telegram, cybercriminals choose to remain on the platform despite having an exit plan. Telegram continues to be the place where hundreds of thousands of threat actor group members congregate under a crime-as-a-service umbrella.