Losing confidence in the anonymity offered by cybercrime forums, illicit marketplaces are increasingly turning to Telegram, cybersecurity company Positive Technologies said.
“Some forums, such as RaidForums and DarkMarket, were shut down by law enforcement. Others, like BHF, Carding Mafia, Nulled, and Maza, were hacked by competitors. Some cybercrime forums changed ownership, as was the case with DarkMoney.”
Fearing their data could be compromised, their identities or location exposed, cybercriminals eye Telegram to discuss and sell tools and services.
Positive Technologies released a study analyzing the maturity of cybercrime services on Telegram. Researchers looked into over 300 channels and groups with more than one million subscribers.
The company observed a boost in the number of cybercrime-related Telegram messages. Q2 2022 saw a record number of over 27,000 messages.
Cybercriminals discuss pretty much everything on Telegram – from zero-day vulnerabilities to forged documents and cash-out services.
The most prevalent malware types discussed in those messages were remote access trojans (RAT) and infostealers. RATs, designed to gain unauthorized access to a victim’s device, were mentioned in 30% of the messages. Infostealers accounted for 18% of all cybercrime-related messages, followed by botnets (16%).
The most popular RATs mentioned on Telegram were SpyMax, SpyNote, and Mobihok – all designed for Android Devices. Their price ranges from $10 to $500.
The most popular infostealers, crafted to collect user information including passwords, banking details, webcam recording, and crypto wallet credentials, turned out to be Redline, Anubis, SpiderMan, Oski Stealer, and Loki Stealer, with a price range of $10 to $3,500.
Even though ransomware attacks have been reaching new highs, ransomware was mentioned only in 8% of the analyzed messages.
“One reason for this might be that ransomware is distributed mostly through partner programs, on specialized darkweb forums and websites, or in closed groups. This would explain why the messaging app, being in the public domain, has so few ads for buying and selling ransomware tools, most of which are quite basic and sell for as little as $10,” Positive Technologies said.
The majority of the messages (70%) were discussions about malware functionality and distribution, 11% were malware seller ads, and 10% of messages offered malware for free.
Hacking social media
In addition to various tools, cybercriminals also offer their services on Telegram, such as malware installation, distributed denial-of-service (DDoS) attack execution, and different hacking services.
Most messages offer hacking into social media and messenger accounts, with VKontakte, Telegram, WhatsApp, and Viber being the most popular targets.
Threat actors charge at least $350 for hacking a Telegram, Viber, or WhatsApp account. Breaching a social media account is considerably cheaper – hacking a VKontakte (the Russian equivalent of Facebook) account costs from $10 to $50.
Cash-out and document forgery services are also gaining popularity on Telegram. Falsified documents can be used to create verified bank and crypto exchange accounts.
“The increasing level of demand may be due to the fact that many online services are now unavailable or only partially available to Russian users,” Positive Technologies said.
The company also observed an uptick in VPN-related messages – compared to early 2020, the number more than tripled by 2022. Stolen NordVPN accounts are the most widely offered for sale.
More from Cybernews:
Subscribe to our newsletter