Kaspersky Reveals How Telegram Crackdown Impacts Cybercriminal Networks

The Evolving Landscape of Cybercrime on Messaging Platforms

Introduction

In an age where communication apps are intricately woven into the fabric of daily life, platforms like WhatsApp, Telegram, and Signal are emerging as the unlikely hosts of illicit activities. Kaspersky Digital Footprint Intelligence has conducted exhaustive monitoring of over 800 blocked cybercriminal Telegram channels from 2021 to 2024, revealing a dual narrative: while illegal exploits continue to thrive, the environment for such operations is becoming increasingly precarious.

The Attractive Yet Risky Ecosystem of Telegram

Telegram’s sophisticated bot framework offers an almost effortless infrastructure for illicit actors. Through a single bot, a cybercriminal can manage inquiries, facilitate cryptocurrency transactions, and distribute a variety of stolen assets—from bank card information to phishing kits—reaching hundreds of clients daily with little to no manual oversight. The platform’s unlimited, non-expiring file storage enhances this ecosystem, enabling the seamless distribution of sizable data dumps without the need for external hosting.

This automated environment naturally fosters high-volume, low-cost offerings that cater to a burgeoning illicit market seeking quick returns. However, while shady operations involving stolen data flourish, higher-stakes deals—such as zero-day vulnerabilities—remain confined to reputation-gated dark web forums, reinforcing a class divide in underground markets.

Kaspersky’s research presents compelling insights into the evolving dynamics of cybercrime on Telegram. Notably, the average lifespan of shadow channels has increased, with the percentage of channels surviving longer than nine months more than tripling from 2021-2022 to 2023-2024. However, this apparent resilience is juxtaposed with a striking surge in Telegram’s blocking initiatives. By the end of 2024, monthly takedown figures were consistently mirroring peak levels from the previous year, indicating a rapid acceleration in moderation efforts aimed at stymying malicious activities.

The platform’s centralized infrastructure presents additional hurdles for cybercriminals. With no default end-to-end encryption and no ability to use personal servers, Telegram’s structure undermines the anonymity that many in the underground economy depend upon. The closed-server architecture raises questions about the security and reliability of communication, further complicating the operational landscape for illicit enterprises.

Migration to Safer Grounds

In light of these mounting challenges, established underground communities are beginning to seek refuge elsewhere. Groups such as the nearly 9,000-member BFRepo and the Angel Drainer malware-as-a-service operation have reportedly shifted their primary activities to alternative platforms or proprietary messengers. The shift is largely influenced by ongoing disruptions to their operations on Telegram, underscoring the necessity for adaptability in an increasingly volatile environment.

Vladislav Belousov, a Digital Footprint Analyst at Kaspersky, offers a sobering assessment of this transformation: “Fraudsters find Telegram a convenient tool for many malicious activities, but the risk-reward balance is clearly shifting. Channels are managing to stay online longer than a couple of years ago, yet the dramatically higher volume of blocks means operators can no longer count on long-term stability. When a storefront or service disappears overnight—and sometimes reappears only to be removed again weeks later—building a reliable business becomes much harder. We’re starting to see the early stages of migration as a direct consequence.”

Staying Vigilant: Protective Measures

In the face of evolving threats, Kaspersky emphasizes the importance of proactive measures for both users and organizations. To combat this surge in illicit activities, the company recommends reporting clearly illegal channels and bots, which fosters community-driven moderation. Additionally, utilizing multiple sources of threat intelligence, covering surface, deep, and dark web resources, is crucial for staying informed about recent underground dynamics and the tactics, techniques, and procedures (TTPs) employed by cybercriminals.

Conclusion

As the landscape of cybercrime continues to morph, driven by both technological advancements and concerted enforcement efforts, the urgency for vigilance and adaptation has never been more pronounced. While platforms like Telegram offer a bewildering array of opportunities for illicit activities, the tide is turning, urging cybercriminals to reassess their tactics and consider safer digital havens. The report from Kaspersky serves as a timely reminder of the ongoing battle between innovation and regulation in the digital age. For those navigating these turbulent waters, the need for awareness and action remains paramount.
