November 6, 2024 By Charles Owen-Jackson

Since its launch in August 2013, Telegram has become the go-to messaging app for privacy-focused users. To start using the app, users can sign up using either their real phone number or an anonymous number purchased from the Fragment blockchain marketplace. In the latter case, the account cannot be linked to the user’s real phone number or any other personally identifiable information (PII).

Telegram has also long been known for its hands-off moderation policy. The platform explicitly stated in its FAQ that private chats were entirely off-limits for moderation. Content moderation was instead user-driven, and reporting illegal activities was left primarily to the users themselves. By contrast, many of its peers, such as WhatsApp, invest heavily in moderating content and cooperating with law enforcement.

These characteristics have also made Telegram the messaging app of choice for cyber crime and other illegal activity. This includes distributing malware, selling illegal goods and services, recruiting associates and coordinating cyberattacks. For more organized cyber crime groups, Telegram is a hub for sharing operational intelligence and amplifying illicit business in much the same way as legitimate organizations do on mainstream channels.

However, Telegram’s approach to user privacy and content moderation changed significantly following CEO Pavel Durov’s arrest in France on August 24, 2024, with the company quietly changing its FAQ page and privacy policy in the following weeks. Although the app’s source code hasn’t changed, according to Telegram spokesperson Remy Vaughn, users can now report illegal activity for automated takedown or manual moderation. Furthermore, Telegram also updated its privacy policy, stating that, upon receiving a valid court order, it will disclose users’ phone numbers and IP addresses.

What does this mean for cybersecurity teams?

Although these changes are arguably a step in the right direction for law enforcement, they’re also driving a migration of cyber criminal activity to other platforms, such as Signal or Session. One cyber crime syndicate, known as the Bl00dy ransomware gang, publicly declared they were quitting Telegram as a direct result of the company’s policy shift. Many hacktivist groups have also followed suit, as have legitimate users who rely on Telegram for freedom of speech in oppressive regimes.

Unfortunately, one could also view such policy shifts as a mere displacement of illegal activity, with cyber crime becoming fragmented across an ever-wider range of platforms. Potentially, this may make it more difficult for law enforcement and cybersecurity analysts to track and disrupt threat actors. For example, red teams may have a harder time gaining access to these underground communities to identify and mitigate threats before they can cause real damage.

Telegram has long been a rich source of threat intelligence, with many public-facing channels being used to organize cyber criminal activity. While private chats have, for the most part, been completely off-limits to threat analysts and law enforcement alike, stricter moderation policies have also been applied to public channels, potentially making it easier to expose criminals. However, while few would argue that that’s a bad thing in principle, it does come with a caveat: Criminals might simply move elsewhere instead.

Perhaps even more concerning is the increased possibility of driving both cyber criminals and hacktivists into the arms of state-sponsored cyber crime and cyber espionage. This also raises the likelihood of threat actors using end-to-end encrypted and decentralized platforms that have even less oversight than Telegram ever did. This could complicate efforts for red teams tasked with simulating attacks or monitoring these communities, thus reducing their ability to detect threats early.

None of the above necessarily means that there will be a mass exodus of cyber criminal activity from Telegram. After all, with around 900 million monthly users, according to Telegram’s own data, the platform still has the massive audience that large-scale cyber criminal operations, like Malware-as-a-Service, need to expand their reach.

Also, new users can still sign up anonymously using a number purchased from the Fragment blockchain, in which case Telegram’s promise to comply with a request from law enforcement for a user’s phone number becomes irrelevant. That said, Telegram will still be able to share IP addresses, which could still potentially be used to track a user’s activity.

What can security leaders do to stay ahead of the threats?

As every security leader is well aware, the threat landscape is ever-changing and growing more complex as cyber criminal operations become more fragmented across platforms. Many threat-monitoring tools and strategies are struggling to keep up, thus providing limited or no coverage for platforms other than Telegram. The continuing rise of decentralized, open-source platforms will only further complicate threat hunting and analysis. In addition, rival states are developing their own platforms for cyber espionage and state-sponsored cyber crime.

It has never been more important to take a proactive stance on cybersecurity — one that spans all platforms and is capable of prioritizing threat attribution through multiple data points. That means drawing upon a combination of human expertise and advanced threat analytics tools to gain access to intelligence from channels that might otherwise remain hidden.

AI-powered threat intelligence offers a powerful augmentation to the expertise and insight of talented security analysts. For example, stylometry — which examines linguistic characteristics to create a unique profile of a user’s writing style — can help identify cyber criminals and detect insider threats, regardless of the platform they’re using. AI helps make that possible at a scale that human analysts alone can’t possibly hope to tackle.

Even as cyber criminals migrate to a growing range of other platforms, their behavior can still expose various patterns. With the ability to track their activities, such as the timing of certain posts and styles of interaction, analysts can build comprehensive profiles that can help them link operations and individuals across platforms.
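
The cross-platform linking described above, as an added example that is not from the article or any product it refers to: character trigram stylometry blended with a posting-hour histogram to rank candidate accounts against a known one. The sample posts, the account names and the 0.7 style weight are constructed assumptions.

```python
import math
from collections import Counter

def char_ngrams(text, n=3):
    """Character n-gram counts; captures spelling, punctuation and spacing habits."""
    t = " ".join(text.lower().split())
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))

def cosine(a, b):
    """Cosine similarity of two sparse count vectors (0.0 if either is empty)."""
    dot = sum(v * b[k] for k, v in a.items() if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def profile(posts):
    """Build (style vector, posting-hour histogram) from (utc_hour, text) pairs."""
    style = Counter()
    for _, text in posts:
        style.update(char_ngrams(text))
    return style, Counter(hour for hour, _ in posts)

def link_score(p, q, w_style=0.7):
    """Blend of style and timing similarity; the weight is an assumed value."""
    return w_style * cosine(p[0], q[0]) + (1 - w_style) * cosine(p[1], q[1])

def rank_candidates(known_posts, candidates):
    """Rank candidate accounts by similarity to a known account, highest first."""
    kp = profile(known_posts)
    scores = {name: link_score(kp, profile(posts)) for name, posts in candidates.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample data: a known account on one platform, two candidates on another.
KNOWN = [
    (22, "new batch 2day!!! dm 4 price, no timewasters pls"),
    (23, "restock soon!!! dm 4 details, escrow only pls"),
    (22, "fresh stock up!!! no timewasters, dm 4 price pls"),
]
CANDIDATES = {
    "acct_x": [(23, "fresh batch up!!! dm 4 price, escrow only pls"),
               (22, "no timewasters pls!!! dm 4 details 2day")],
    "acct_y": [(9, "Good morning. The weekly report is attached for your review."),
               (10, "Please confirm receipt of the document at your convenience.")],
}

if __name__ == "__main__":
    for name, score in rank_candidates(KNOWN, CANDIDATES):
        print(f"{name}: {score:.2f}")
```

A high score is a lead for an analyst to corroborate with other data points, not an attribution on its own; short or deliberately altered text lowers its reliability.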

While it will only get harder — if not impossible — to track data points like transactional metadata or cryptocurrency transaction histories, AI-powered behavioral analytics tools can help close the gap by helping human analysts identify threat actors and their attack vectors. This will only become more important as cyber crime activity scatters across platforms and security analysts try to maintain visibility into the next generation of cyber threats.
