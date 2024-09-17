The arrest of Telegram's founder and CEO has sparked debates across the technology landscape. But infosec professionals largely agree the platform plays a significant role in facilitating cybercrime activities such as malware distribution, hacktivism and selling stolen credentials.

Last month, French authorities arrested Pavel Durov for allegedly enabling an array of illegal activities on the messaging platform, from drug trafficking and money laundering to the possession of child sexual abuse materials. Durov founded the cloud-based platform in 2013, and it's become widely used for its social media and instant messaging services.

While Telegram is used for legitimate purposes, cybersecurity vendors say it's also become a haven for threat actors. Durov is accused of facilitating those illegal activities through the platform's lack of content moderation and security checks.

Threat intelligence company Intel 471 expanded on the charges and Telegram's prominent role in cybercriminal activity in a blog post last month. The threat intelligence firm said the platform "is known for hands-off moderation." However, Intel 471 said Telegram rebuked such claims in a post on X, stating its standards align with its peers and that its rules abide by European Union laws and the Digital Services Act.

⚖️ Telegram abides by EU laws, including the Digital Services Act — its moderation is within industry standards and constantly improving.



✈️ Telegram's CEO Pavel Durov has nothing to hide and travels frequently in Europe.



‍ It is absurd to claim that a platform or its owner… — Telegram Messenger (@telegram) August 25, 2024

The blog post also provided technical details of how Telegram works. One facet that proliferates illegal activity is a feature known as Secret Chats. Intel 471 highlighted how decryption keys are stored in different servers with different jurisdictions, which makes it more difficult for law enforcement to act.

"Telegram's encryption model varies by chat type: Cloud Chats and Secrets. Cloud Chats employ server-client encryption, where the data is encrypted in the cloud in multiple data centers around the world. Although that data could be accessed with a court order, Telegram has intentionally designed it to be difficult for authorities," Intel 471 wrote in the blog post.

Jeremy Kirk, executive editor at Intel 471, expanded on Telegram's role in illicit activities to TechTarget Editorial. Kirk listed several appealing traits Telegram offers to cybercriminals. One example is secure, person-to-person communications with Secret Chats, which are encrypted.

He also highlighted how Telegram features allow it to act as more of a social network, allowing users to create "groups" that can accommodate up to 200,000 members. Additionally, users can create "channels" as well with unlimited subscribers. In those groups, cybercriminals continually stream advertisements for illegal services, he added.

Intel471 has observed threat actors selling SIM swapping services, bank account details, credentials, stolen credit cards and more. "There are other features that are useful as well, such as the ability to send large files up to 2 GB and bot functionality. The scale of Telegram allows threat actors to reach out to other cybercriminals who might be interested in their services," Kirk said.

Regarding how long cybercriminals have been using Telegram, Kirk said Intel 471 has collected intelligence on more than 5,500 channels linked to malicious hacking, financial fraud and other activities over the past few years. Aside from the recent charges against Durov, Kirk said many countries have been trying to get Telegram to be more compliant with law enforcement and intelligence agency requests.

"Broadly, most social media platforms have to deal with issues with users abusing their platforms, so this is a challenge that is not unique to Telegram. Telegram stands out, however, since obvious cybercriminal activity on the platform is prolific and easy to find," Kirk said.

A big part of the charges against Durov involved a lack of content moderation. While Telegram will process takedown requests for illegal content posted on public channels, Kirk said users can create private or group channels where Telegram does not process any legal requests. Additionally, he said that while intelligence agencies have been concerned that the platform is used by extremists to communicate, Telegram doesn't respond to requests for user communications or data.

Following Durov's arrest, the Verge reported that Telegram changed the language on its FAQ regarding how private chats were moderated. The company previously said, "We do not process any requests related to" private chats, but the FAQ has been updated with reporting and takedown request options. However, infosec experts agree that's not going to have much effect on the platform's widespread abuse.

Widespread illegal activity Other cybersecurity vendors and infosec experts have also observed a growing influx of illegal activities on the platform. Alexander Leslie, associate threat intelligence analyst at Recorded Future, said generally anytime a social media platform is launched, illicit activity or abuse starts immediately. However, Recorded Future saw a jump in abuse on Telegram beginning in 2020. "We do know that Telegram is, by far, one of the most used platforms for illicit activities, period. There are a lot of reasons for this, but it mostly has to do with convenience," Leslie said in an email to TechTarget Editorial. He attributed the convenience to the fact that many regions with high cybercrime activity, like Russia and Southeast Asia, use Telegram daily for legitimate purposes, so the familiarity is already instilled. Additionally, the platform is public, easily accessible for Android and iOS devices, and involves an easy registration process that only requires a telephone number and username. Leslie also highlighted Telegram's loose moderation policies. "The primary reason that criminals will use Telegram is to either amplify their business or for marketing purposes. You're going to see a lot of those public-facing channels, from fraud groups, from hacktivists, from malware operators (not necessarily from ransomware groups, because they don't consider it to be the most secure). But it's generally the public facing aspects of Telegram that allow cybercriminals to conduct a lot of business," Leslie said. The fact that anyone with a Telegram account can view most public channels makes it easy for cybercriminals to garner new business or enhance political motivation as with hacktivist campaigns. Leslie observed some hacktivist accounts grow from 10 followers to 1,000 quickly after claiming responsibility for attacks through Telegram posts, which he said is concerning. Telegram allows cybercriminals to gain widespread attention not only from other cybercriminals but also from researchers and the media. Ransomware gangs have also embraced Telegram. In a report last year, Sophos described how several gangs set up public channels to publicize recent attacks, shame victim organizations and even conduct interviews with news media outlets. Leslie warned the platform's public-facing features help cybercriminals boost their reputation and credibility. Though it is public, it also offers anonymity. "It's not as simple as looking at Telegram and looking at their username or maybe querying them and trying to get their phone number. Usually, in order to deanonymize, Telegram users have to be correlated with maybe a shared moniker on a forum somewhere else, and that forum moniker was exposed in a data breach, or that forum moniker is unique enough to maybe attribute to a social media account and that account has a phone number listed," Leslie said. "Even though it comes with some operational risk security, they are relatively guarded when they use Telegram." Following the arrest of CEO and founder Pavel Durov, Telegram updated its FAQ with new language for reporting illegal activity on the platform.