Telegram's Criminal Underground
An Overview of Telegram and Its Criminal Activity
Last weekend, French authorities arrested Telegram's CEO, Pavel Durov. This sparked a very divisive online reaction that touched on privacy, free speech, and protecting society from illicit activity.
In my LinkedIn post, many argued about the right to privacy. Others cited Telegram’s end-to-end encryption and how it is impossible to moderate that content because no one but the recipients should be able to read that (and they’re right when it’s used properly).
It became clear that there is a general misunderstanding of what Telegram is, what it isn’t, and how criminals operate on the platform.
This attempts to solve that. Enjoy.
-Jason
Telegram Deep Dive
Fostering Free Speech or Illegal Activity?
The charges against Telegram’s CEO, Pavel Durov: A statement from French prosecutor Laure Beccuau showed that France is accusing Durov of:
- Running an online platform (aka Telegram) that enables criminal activity, including the sale of narcotics, cybercrime, fraud, and, most disturbingly, the exploitation of minors.
- Refusing to communicate and cooperate with authorities for “carrying out and operating interceptions allowed by law.”
The arrest supported investigations from the Centre for the Fight against Cybercrime and the Anti-Fraud National Office.
What is Telegram? Let’s start with the basics. With nearly 950 million active users, Telegram calls itself a “messaging app with a focus on speed and security.”
Many people tout Telegram as an end-to-end encrypted messaging app. This means that only the sender and recipient can read the messages they send to each other. No one else can recover the messages, not the authorities or even Telegram. This makes end-to-end encrypted messages a very good thing.
And technically, Telegram is that. But it’s also very much not that. Why?
Because, by default, Telegram does not enable end-to-end encryption. You have to enable the “Secret Chats” feature to use it. And it only works for one-on-one conversations. It doesn’t work for group chats with more than two people. If you're interested in a nerdy deep dive, Matthew Green has an excellent write-up on this.
Okay, so what is Telegram? In practice, it is used more like a semi-public communication platform. Some might even call it a social media platform. Let’s break that down.
Telegram offers a few features that are very social-media-esque:
- Channels: Per Telegram, “Channels are a tool for broadcasting your public messages to large audiences. They offer a unique opportunity to reach people directly, sending a notification to their phones with each post.” Users can subscribe to these channels to receive all of the updates.
- Public Group Chats: Per Telegram, “Telegram groups are a powerful tool for building communities and can support up to 200,000 members each.” This is basically just a public chat room.
As we learned before, Channels and Public Group Chats are not end-to-end encrypted. Users can be invited or join these groups. If the channels or chats are set to public, users can search for and join them.
Hence, my prior comments about Telegram functioning as a social media platform. It’s building communities.
Criminals are using Telegram as a marketplace. Joe Tidy with the BBC wrote a great article about his firsthand experience with Telegram while researching a subject. He realized that a default setting in Telegram allowed anyone to add you to their groups and channels.
Criminals use that ability to pull people from similar groups into their channels and groups that cover illicit topics.
Joe first found himself added to a large Telegram channel focused on selling drugs. Then, he was added to another channel where you could purchase stolen credit cards. Over a few months, he found himself added to 82 different groups.
Here is a sample of what he found in the channels he was added to:
- Card Swipers group (15,700 members): sells stolen cloned credit cards and ships worldwide. Images and videos show criminals successfully draining ATMs using the faked cards and holding wads of cash.
- Memories and Drugs (6,253 members): Almost every drug imaginable is being offered for sale, with strings of Telegram channels advertising dozens of vendors in cities all over the world.
- Contraband Network (5,084 members): A group sharing advice, and vendors selling everything from prescription drugs to stolen credit cards and guns.
This is just a sample of the activities that happen on Telegram, in channels that anyone can join. What Joe didn’t cover (for obvious reasons) was how Telegram also fosters more heinous crimes, like child sexual abuse material.
Content moderation is only part of the problem. Per the BBC article above, Telegram told the BBC that it does “proactively search for illegal activity, including child sexual abuse, on its site.” They stated they took action against 45,000 groups in August alone.
So it’s not that they’re doing nothing. It’s that they’re not doing enough.
The BBC found that Telegram does not participate in what would be considered industry-standard working groups aimed at detecting and removing child abuse material online. These groups include the National Centre for Missing and Exploited Children (NCMEC) and the Internet Watch Foundation (IWF).
We are here because Telegram has failed to take action against illegal activity on its platform. Just look at what Telegram says in its own FAQ about how it handles illegal content. [Note that since the writing of this original post, they’ve updated their language to inform you how to report issues]
Yikes…
Journalists have found examples of terrorist-related material where Telegram took no or limited action to curtail violence. This included channels associated with neo-Nazi terror groups for making bombs and extremist groups. While some groups mentioned in those articles were later deleted (unclear if it was Telegram), Wired found that Telegram just made the groups private. In some cases, the discussions and postings from those private groups were just forwarded to public channels and groups.
The Telegram privacy issue is a red herring. What privacy expectations do you have on what you post on social media sites? Even if your profile is private and only accessible to friends, do you expect what you post there to stay private? Is that any different with Telegram?
Again, as we learned before, Telegram groups and channels are not encrypted and are open to anyone in that group or channel. I don’t believe that leaves a strong argument over privacy.
What about free speech? This seems to be the real crux of the outcry. And I see both sides of the argument. For the proponents of the free speech side, I think Kate Ruane, Director of the Center for Democracy, put it well:
“Arresting platform executives because of their alleged failures to sufficiently moderate content, even content as disturbing and harmful as content that harms children, starts us down a dangerous road that threatens free expression and gives too much power to the government to suppress speech.”
I’m not an expert in free speech, nor do I wish to play one on TV. But, the real question I see is what we as a society are willing to tolerate in the name of free speech.
Perhaps asked differently, what activity are you willing to live next to in your neighborhood? And is that different than what we would be willing to allow on an online platform?
What about cybercriminals? Kela Cyber found that threat actors were supporting the Telegram CEO through #FreeDurov and #FreePavel hashtags and launching cyberattacks on France…as one does when they’re upset about something.
Rightly so, others began to worry about what would happen to Telegram and their ability to stay anonymous on the platform. Advice ranged from deleting content from the platform to switching to other platforms.
Kela noted that long before Telegram’s CEO’s arrest, many cybercriminals avoided using Telegram for sensitive private discussions due to the lack of end-to-end encryption for most chats.
Security News
What Else is Happening?
🅿️ The town of Northampton, MA is warning drivers of everyone’s favorite security word, quishing. A scammer has placed fake QR codes on parking meters for parking payments.
😕 The City of Columbus, Ohio, sued a security researcher for downloading their data from the Rhysida ransomware leak site and sharing it with the media. Their reasoning in the complaint was that without the security researcher releasing that data more publicly, it would not have been “readily available for public consumption.”
🍔 The Hamburgler has been acquitted after false claims he hacked McDonald’s Twitter account to pump up a crypto scam. The real attackers, India_X-Kr3w, posted to the McDonald’s Twitter account they had taken over that they walked away with $700K, and they’re lovin’ it.
🦠 Sometimes, phishing exercises can go a bit overboard…a lesson the University of California Santa Cruz (UCSC) learned. In a simulated phishing exercise, the security team said someone on campus had been infected with the Ebola virus. Now, in their defense, it mimicked a phishing email they caught a few weeks before…but it's probably best not to use a topic that could cause mass panic for a simulated phishing exercise.
🎨 Attackers used an interesting new trick: they used the design site Canva to create and share an image of Canva’s home page. It’s just an image of the Canva home page, but that image is hosted on Canva’s site, and it links to the attacker’s phishing site. When a user clicks on the image, thinking it’s the actual Canva website, they are redirected to a phishing site that hijacks their browser and prompts them to call a number to “unlock” the browser.
🚓 A network engineer for an industrial company in New Jersey was arrested after locking the company out of their systems and extorting them. They did this by deleting admin accounts, changing passwords for user accounts across the company, and shutting down systems. Something tells me he won’t be invited to the holiday party this year.
🤖 Every once in a while, I like to keep tabs on how our future robot overlords are progressing. I stumbled into this clip of Boston Robotics’ Atlas, their next generation of humanoid robots. It’s equal parts impressive and terrifying. Enjoy.
See you next week, nerd!