Positive Technologies: cybercrime market in Telegram is growing

Major hacks of darkweb forums provoke a mass shift of attackers to messengers

Positive Technologies analyzed[1] cybercrime posts in Telegram channels and chats. Most of the messages concerned the compromise of user data, including the buying and selling of such data. A record number of hacker posts was registered in Q2 2022.

According to the research, the number of cybercrime posts in Telegram began to increase distinctly in 2020, and in 2021 user activity in cybercrime channels and groups increased 3.5-fold. In Q2 2022, experts observed a record number of hacker-related posts: more than 27 thousand, 2.5 times more than in the same quarter of the previous year. Experts attribute this growth to what appears to be a mass migration of cybercrime forum users to messengers. It followed the disclosure of many critical vulnerabilities in forum engines in 2020–2021[2], and in 2021 criminals hacked several large forums, which pushed many users away.

Most of the posts were related to user data, including selling it and other fraudulent transactions (52%), followed by posts on cybercrime services (29%) and distribution of malware[3] (15%). Among malware types, the most common were remote tools (30%) and infostealers[4] (16%). The most popular infostealer was RedLine, which featured in the Q1 2022 cybersecurity threatscape study by Positive Technologies. RedLine is mentioned in more than 18% of messages related to infostealers, with many discussions about its features, sale and distribution of its source code, as well as information collected with its help. Other infostealers discussed in Telegram include Anubis, SpiderMan, Oski Stealer, and Loki Stealer. Infostealer prices range from $10 to $3,500.

Experts note that the price of ready-to-use malware depends on the type, its functionality, and the usage time[5]. Tools for obfuscating malware code to evade detection can cost from $20 to $100, while a botnet or a guide to building botnets can sell for up to $750. The price range of miners spans from $10 for a simple tool with limited capabilities to $1,000 for the source code of a miner with many features, including antivirus bypass and the ability to infect systems without administrator privileges.

Discussions relating to cash-out services, including cryptocurrency cash-out, account for 66% of all messages relating to criminal services. DDoS attacks rank second in popularity at 16%. About 9% of messages offer hacking services, including compromise of email and social media accounts, as well as hacking of websites and servers.

Every fifth post related to DDoS attacks is an advertisement offering services. The cost of a DDoS attack depends on its duration: an hour costs $8, whereas a week costs $200 or more. In Q1 2022, there was an increase in the number of attacks on corporate web resources, and the number of Telegram posts related to DDoS attacks increased fourfold. This confirms our assumption that attacker activity in Telegram reflects cyberattack trends.

Most hack-related messages (72%) offer hacking of social media and messaging app accounts in services like VKontakte, Telegram, WhatsApp, and Viber. Prices for hacking an account on the social network VKontakte range from $10 to $50, while prices for hacking a Telegram, Viber, or WhatsApp account start from $350. Prices for hacking corporate accounts are much higher: hackers charge $100 for breaking into a private email account and at least twice as much for a corporate email account.

A significant part of all posts related to confidential data compromise are those containing personal data (43%) or credentials (42%): these are advertisements about buying or selling personal information, document fraud services, and discussions of leaks. Ekaterina Semykina, Information Security Analyst at Positive Technologies, comments: "In 2021, user account compromise was the subject of nearly half of all messages, but the predominant subjects in the first six months of 2022 were documents, personal data, and related

  1. The final sample included more than 120,000 messages in Russian and English published in over 300 Telegram public channels and groups from the beginning of 2019 up to and including Q2 2022. They discussed malware, vulnerabilities and exploits, access to corporate networks, user data, and cyberservices: hacking resources, cash-out, spreading malware, spam, and DDoS attacks.
  2. vBulletin (CVE-2020-17496, CVE-2020-25121), XenForo (CVE-2021-43032), IP-Board (CVE-2021-39249), MyBB (CVE-2021-27890, CVE-2021-43281).
  3. Malware is software designed to perform unauthorized actions on a device, usually to harm its owner.
  4. Malware designed to steal information.
  5. Malware is often sold on a subscription basis with a fixed access or support time.