Cybercrime is thriving on Telegram, with more & more threat actors choosing the encrypted messaging app as a viable alternative to the secretive forums of the deep and dark web. In this four-part series, we will explore Telegram’s cybercriminal underbelly, starting with the illicit markets for compromised financial accounts.
While many cybercriminals operate on the traditional “dark web”—sites with an .onion extension—many others take their illicit activities to Telegram, the popular messaging platform.
For threat actors, setting up shop on Telegram has both benefits and drawbacks. In comparison to the considerable time and effort required to establish and maintain an onion site, setting up a Telegram channel is a relatively quick and easy process. These channels are also searchable, and easy to join, with Telegram’s wide popularity, security, and accessibility further contributing to the messaging platform’s appeal. However, Telegram chats can easily mutate into free-for-alls, overtaken by noisy chatter and bots, making it difficult for users and intel analysts alike to follow important developments. Furthermore, while Telegram channels can be easily set up in a matter of minutes, they are just as easily shut down for violating the terms of service. Accordingly, Telegram channels are much more volatile and shorter-lived than dark web forums and markets.
With this in mind, what can be found on Telegram? How can security researchers derive valuable intelligence from the encrypted messaging platform, and how can we leverage this information to produce high-level insights?
In this four-part series, we are going to take a closer look at Telegram’s cybercriminal underbelly, starting with an analysis of the platform’s illicit market for compromised financial accounts.
As noted earlier, Telegram channels are often inundated by a drowning cacophony of spam from bots. In order to focus this analysis with higher-quality data, we did our best to filter out the noisiest actors and channels.
Telegram's Illicit Market for Compromised Financial Accounts
Throughout the COVID-19 pandemic, the popularity of e-commerce has soared. Surprisingly, however, despite this continued preference for online shopping, our analysis revealed that discourse surrounding compromised credit cards, bank logs (compromised accounts) and money transfers (laundering) decreased significantly in 2021, dropping almost 60% from its 2020 rate. Notwithstanding this overall decline, in the period between August 2020 till December 2021, the total number of suspicious mentions on these topics has hovered steadily around 3,500.
This stark nosedive in discourse surrounding compromised accounts from 2020 to 2021 might seem remarkable, but it is not an isolated event; a parallel decrease was also identified in the total number of compromised credit cards sold on underground markets throughout the same period. In our Underground Financial Fraud report for H1 2021, we attributed this decline to the closure of several credit card markets (either imposed by law enforcement or as a result of threat actor “retirement”), ongoing trends towards contactless payments accelerated during the pandemic, and the overall reduction of newly-issued credit cards. Furthermore, with ransomware attacks netting staggering profits in the tens of millions of dollars, cybercriminals have presumably shifted their attention away from credit card compromise to focus on this promising alternative attack vector.
Within this context of compromised cards, logs, and money laundering on Telegram, which financial services institutions have drawn the most mentions?
As reflected in the graph above, PayPal is the clear leader. This is unsurprising, as PayPal and similar online payment platforms serve a dual purpose for threat actors. Such platforms are lucrative targets for cyberattack (especially account takeovers), with cybercriminals seeking to compromise the accounts and drain their funds. Additionally, online payment platforms are also widely leveraged as a means of money laundering, used by actors to process stolen funds and transfer money to and from cryptocurrency.
Let’s take a closer look at posts dealing with compromised cards, logs, and money laundering.
Compromised Credit Cards
Compromised cards are a lucrative commodity on Telegram’s illicit marketplaces, sold by many actors across various groups. These compromised cards generally belong to the most popular financial services institutions, such as Chase Bank, the Bank of America, Wells Fargo, Western Union, Visa, and Mastercard.
Just like those sold on dark web markets, cards sold on Telegram come in two forms, those including CVV/CVV2 information (for remote purchases), and dumps, which contain segments of unencrypted data located on the magnetic strip of a card (the cardholder’s name, account number, and other validating points used by banks to verify purchases).
Cards from dumps require the creation of a physical clone and must be used physically for in-person purchases. CVV/CVV2 cards, however, include the 3 or 4-digit code on the back of the card required for remote transactions, such as online or phone purchases. Conducting in-person fraudulent activities carries a significantly higher risk to threat actors when compared to the anonymity afforded by an online purchase, and accordingly CVV/CVV2 cards are generally more attractive and higher in demand, with a typical ratio of ~60% CVV/CVV2 to ~40% dumps.
In the example below, an anonymous threat actor advertises a compromised card including all cardholder information, offered at the price of $1,500.
In this second listing below, a threat actor shares the bin numbers and associated prices of various compromised cards originating in differing countries. The author notes that while they do not have millions of cards in stock for sale, the cards on offer are of ‘high quality’.
In this third example, another threat actor advertises active credit cards for sale. The author includes information about the balance, price, locations, and cardholder details associated with each card.
Logs is a dark web term referring to compromised bank credentials. These credentials generally include more than just the username and password needed to login to compromised accounts, often including highly sensitive information such as the personal answers to security verification questions. The price of logs varies, depending on the balance of the compromised bank account on offer.
Within dedicated Telegram channels, actors buy and sell bank logs in order to perform cashouts, that is, taking control of the compromised bank accounts in order to fully empty them of their funds.
In the example below, an anonymous threat actor advertises several bank logs (in addition to high-balance credit cards) for sale.
In this additional listing below, the threat actor focuses primarily on Citi logs. These logs include substantial identifying information about the cardholders, which could enable the purchaser to reset the password or even change the associated phone number to their own in order to satisfy multifactor authentication processes.
Money Transferring Services
Transfer services receive funds from one account and deposit them into another. These services are highly valuable to threat actors, allowing attackers to obfuscate the origin of stolen funds, launder them, and move them across the world whilst evading detection.
Within Telegram’s cybercriminal communities, an abundance of transfer services are available for the right price, offering to move funds via payment platforms such as PayPal, Cash App, and others, as illustrated in the example below.
The post below lists the various prices for PayPal transfer services, ranging from roughly 5-10% of the transferred amount. The author specifies that the service is limited to the transfer of up to $5,000 per month, "for your and our security” - presumably inferring that exceeding this amount would trigger PayPal’s detection algorithms.
Clearly, Telegram has emerged as a powerful nexus for cybercriminal activity. Across its many chats and channels, threat actors collaborate and communicate, trading tools, stolen data and services in an illicit network that operates in parallel to its deep and dark web equivalent. In the next installment, we’ll examine Telegram activity surrounding identity theft and fraud.