Telegram Fraud & Cybercrime: A Rising Concern in 2023

Criminals are consistently looking for new ways to exploit consumers and businesses. Today’s online communication channels, such as social media and messaging apps, have recently become a prime target for many scammers. One cyber threat trend that has been increasing is the issue of Telegram cybercrime scams. 

Threat actors routinely use Telegram to share leaked credentials, coordinate fraud schemes against retail and ecommerce businesses, and share consumer bank information.  In some ways Telegram can be seen as another facet of Tor (the dark web) due to threat actors seamlessly switching between the two. 

Telegram is an online messaging app that has become increasingly popular with people who want to chat securely with enhanced privacy and encryption. This app has gained popularity over the past few years, which has also made it a prime location for scammers and hackers to discuss fraud schemes, cybercrime and other relevant threats.

Telegram scams have been gaining traction across the globe, forcing countries to implement public alerts and legal restrictions regarding the use of this app to commit cybercrimes. In this article, we’ll cover what this fraud is, how it works, why it’s so alluring to criminals, and how you can detect targeted schemes on Telegram related to your organization.

What is Telegram Fraud?

Telegram fraud refers to any malicious or deceitful activity that takes place on the Telegram messaging app. The rise of Telegram fraud and cybercrime is due in part to the ease of channel creation and the user anonymity of the app. Compared to a traditional dark web site on Tor, which may take days or weeks to set up, Telegram channel and group creation takes seconds.

Threat actors have also been using Telegram to distribute infostealer malware logs: files that contain millions of unique credentials that malware victims had saved in their browsers. As cybercrime continues to proliferate on Telegram, it is becoming increasingly critical for organizations to build an effective monitoring approach.

The types of fraud conducted on the app often include financial scams, phishing attempts, and other activity that pushes users to provide their personally identifiable information (PII). In addition, Telegram has become a hotbed for selling malware, discussions of cybercrime and other high-risk activity.

Threat actor promotes RedLine stealer malware on Telegram

How Threat Actors Use Telegram to Conduct Fraud

Threat actors are often looking for innovative ways to distribute malware, sell leaked credentials, and commit financial and retail fraud, and Telegram has made that easier than ever before. It’s well known that Tor is heavily monitored by law enforcement and government agencies. Creating new Telegram channels focused on fraud, stealer logs, leaked credentials, refunding and other crime gives cybercriminals a decentralized and harder-to-monitor forum.

Phishing Scams & Malware Distribution

Threat actors often execute their phishing scams by creating fake websites or login pages for users. They can do so by creating lookalike websites targeted at popular service websites such as banking, cryptocurrency exchanges, or other financial institutions. Threat actors routinely discuss how best to develop & distribute infostealer malware and ransomware, with some channels reaching thousands of active participants. 

Anonymous Accounts & Activity

A key draw of Telegram is the anonymity and encryption that the application offers. Users can easily sign up with a phone number and can quickly search for hundreds of fraud and cybercrime channels, many with names like “FRAUD CHANNEL”, making it easy for threat actors to find what they are looking for. In addition, compared to dark web forums, Telegram lets users quickly create new accounts and rename accounts, and it doesn’t offer a centralized view of an account’s activity, making it extremely challenging to track individual threat actors across forums and marketplaces.

Malware Deployment

Threat actors may use Telegram to distribute malware code, such as infostealer malware and ransomware, to other threat actors who then deploy it against consumers and companies. Many channels exist that specialize in selling various variants of ransomware and malware to other actors. We have also seen a limited number of threat actor groups using Telegram as their primary meeting place. 

Threat actor promotes RedLine stealer malware on Telegram, offers different plans

Romance Scams

Romance scams are nothing new, but scammers use Telegram to ensnare their victims in emotionally and financially devastating situations. According to NBC News, there are scammers who will initially reach out to victims on Facebook, then move their conversations to Telegram. As people use Telegram globally, scammers can also easily connect with victims in different countries.

Threat actors are escalating their scams from hundreds of dollars worth of gift cards to thousands of dollars of retirement savings. Cryptocurrency often plays a role in these romance scams, as malicious actors entice their victims with claims of “get rich quick” schemes and encourage them to move money out of their accounts in ways that are difficult to get back.

Telegram Fraud: What Threat Actors Find Appealing

Many people wonder what makes Telegram an appealing venue for cybercrime discussions. Aside from the popularity of the app, one of the main reasons Telegram and other online messaging apps appeal to criminals is how quickly and easily channels and rooms can be set up, and the fact that if threat actors believe a channel has been infiltrated, it can be deleted and replaced in minutes.

While messaging apps have made it easier for us to connect socially, they have also opened the door for thieves to steal from consumers and businesses without much recourse. Some other reasons why Telegram fraud can be appealing to threat actors include:

  • It is borderless – this app is driven by being an international messaging platform. Therefore, it can be easier to connect with someone in another country or region. This allows cybercriminals to communicate with other threat actors globally.
  • Users can remain anonymous – the app is also focused on anonymity and end-to-end encrypted messaging, which allows users to create anonymous accounts. It can make it challenging for law enforcement to identify and arrest the perpetrators. This anonymity provides a safe haven for cybercriminals to engage in their fraudulent activities without fear of being caught or facing retribution.
  • It is user-friendly – Telegram is ultimately a user-friendly app that facilitates both group conversations and channels, while also enabling P2P encrypted messaging. This makes it particularly appealing to actors who may be tired of the laborious setup required to create a dark web forum or market.
  • Actors can employ a direct-to-consumer model of crime – threat actors can easily distribute their own stealer logs, malware and other threats without the need to pay escrows on traditional dark web marketplaces.

Preventing Telegram Fraud

Here are some ways to be proactive and prevent Telegram fraud:

1. Establish robust monitoring for relevant cybercrime channels: Flare’s platform automates monitoring and archiving over 4,000 Telegram channels, creating a vast historic database for cybercrime activity. 

2. Ensure that your vendor is monitoring stealer logs: If you employ a cybersecurity vendor make sure that they are actively monitoring channels providing stealer logs, including hidden and private channels.

3. Avoid clicking on links or downloading files from unknown sources: In general, the use of strong passwords and multi-factor authentication will reduce the risk of being a victim of cybercrime. Building strong security policies for your organization can help prevent threats from Telegram as well.
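
As an added example (not Flare's code and not part of the original article), here is a minimal triage pass a defender could run over stealer-log text collected by monitoring, flagging entries tied to the organization. It assumes a `URL` / `Username` / `Password` block layout and placeholder domains, and the sample log is constructed.

```python
from urllib.parse import urlsplit

# Assumption: your organization's domains (placeholders here).
ORG_DOMAINS = {"example.com", "example.org"}
# Constructed sample; the URL/Username/Password block layout is an assumption.
SAMPLE_LOG = """\
URL: https://sso.example.com/login
Username: j.doe@example.com
Password: Summer2023!
===============
URL: https://shop.thirdparty.test/account
Username: a.smith@example.org
Password: hunter2
===============
URL: https://example.com.evil.test/login
Username: bob@mail.test
Password: qwerty
"""

def in_org(host):
    """True for an org domain or any subdomain, not for lookalike prefixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)

def parse_entries(text):
    entry = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("url", "username", "password"):
            entry[key.strip().lower()] = value.strip()
        elif entry:  # any other line (separator) closes the current block
            yield entry
            entry = {}
    if entry:
        yield entry

def triage(text):
    """Return exposures tied to the organization, never echoing the password."""
    findings = []
    for e in parse_entries(text):
        host = urlsplit(e.get("url", "")).hostname or ""
        user = e.get("username", "")
        reasons = [r for r, hit in (
            ("org_login_page", in_org(host)),
            ("org_account", "@" in user and in_org(user.rsplit("@", 1)[1])),
        ) if hit]
        if reasons:
            findings.append({"host": host, "user": user, "reasons": reasons})
    return findings
```

An `org_account` finding on a third-party site still matters: the employee address was saved in an infected browser, so credentials for the organization's own services may have been captured on the same machine.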

As Telegram fraud continues to be a trend in 2023, taking measures to avoid any suspicious activity will be key. When protecting yourself from Telegram scams, it is essential to be cautious when interacting with unfamiliar connections or groups. You should always verify the identity of the person or organization you are communicating with on the app.

Telegram Monitoring with Flare

Flare provides automated scanning protection for you by monitoring thousands of malicious Telegram channels across the globe. It can conduct a deep crawl of the dark web and identify criminal communities found on apps like Telegram. 

With all the Telegram scams increasing as the usage of this messaging app grows, it can be critical to secure your system and data more effectively. Sign up for a free trial today.
