Cybercrime is moving from the dark web to Telegram more and more, study finds

It's been touted as a WhatsApp alternative. The company that operates it has faced sharp criticism for not doing enough to curtail revenge porn or counterfeit vaccination cards. Now, a new study has found that Telegram is, surprise surprise, an appealing home for cybercriminals.

The revelation comes from a study conducted by Cyberint for a Financial Times story. The cybersecurity firm found that hackers are selling and sharing data leaks on Telegram because it's easy to use and not heavily moderated.

In the past, such data dumps were largely the domain of the so-called "dark web," a sort of West West version of the internet that can only be accessed using special browsers and logins. Hackers find the dark web appealing because it lives in a corner of the deep web — which is to say, the part of the internet that doesn't appear in search engines — which is even more locked down against outside observers and intrusion.

All those barriers come with a price, of course: Not just anyone can access the dark web. That's where Telegram enters the picture. It's easy to download the app and set up an account. The service's "secret" chats use end-to-end encryption, for added privacy. And while group chats don't have the same protection, you still need a link or invite to get in. Telegram also allows for massive group chats of up to 200,000 users.

These features have prompted what Cyberint threat analyst Tal Samra called a more than "100 percent rise" in Telegram usage among cybercriminals. "Its encrypted messaging service is increasingly popular among threat actors conducting fraudulent activity and selling stolen data... as it is more convenient to use than the dark web."

The burst of movement toward Telegram was prompted, according to the study, by recent changes at one of the apps competitors, the Facebook-owned WhatsApp. While Telegram and WhatsApp both are popular destinations for those seeking more privacy in their digital communications — the two platforms offer some form of end-to-end encryption — the latter's new, if beleaguered, privacy policy has made the platform less appealing for users with unsavory goals.

Cyberint found that mentions of certain terms hackers use when they're hawking stolen emails and passwords "rose fourfold" between 2020 and 2021. The FT story also mentions a (since-removed) public channel called "combolist" — the name of which is itself a reference to hacker terminology — where data dumps were sold or simply shared.

There were around 47,000 users in the channel when Telegram shut it down, a move that only happened after FT inquired about its existence. The Cyberint study also found that there's a marketplace on Telegram for financial data, personal documents, malware, and hacking guides, in addition to online account credentials.

The dark web itself is feeding Telegram's growth, Cyberint found. The company's researchers noticed a massive spikes in links to Telegram destinations being shared on dark web forums between 2020 and 2021, rising from just over 172,000 last year to more than one million this year.

Telegram hasn't yet responded to a Mashable request for comment, but the company maintained to FT that its policy is to remove personal data when it's "shared without consent." Though with growing signs that the company is looking to and eventually go public, one wonders how much longer its reportedly lax moderation will stand.