Since its launch in August 2013, Telegram has become the messaging app of choice for privacy-conscious users. To start using it, a user can register with either their real phone number or an anonymous number bought on the Section blockchain marketplace. In the latter case, the Telegram account cannot be tied to the user’s real phone number or any other personally identifiable information (PII).

Telegram has also been known for its hands-off approach to content moderation. Its FAQ explicitly stated that private chats are off limits to moderation. Responsibility for moderation fell largely on users, who were expected to report illegal activity themselves. By contrast, many of its peers, such as WhatsApp, devote substantial resources to content moderation and to cooperation with law enforcement agencies.

These attributes have also made Telegram the messaging platform of choice for cyber crime and other illicit activity, including distributing malware, selling illegal goods and services, recruiting accomplices, and coordinating cyber attacks. For more organized cyber crime groups, Telegram serves as a central hub for sharing operational information and promoting their illegal business, much as legitimate businesses use conventional channels.

However, Telegram’s stance on user privacy and content moderation changed markedly after CEO Pavel Durov was arrested in France on August 24, 2024; in the following weeks the company quietly amended its FAQ page and privacy policy. Although the app’s source code is unchanged, according to Telegram spokesperson Remy Vaughn, users can now report illegal activity for automated removal or manual moderation. Telegram has also revised its privacy policy to state that, in response to a valid court order, it will disclose users’ phone numbers and IP addresses.

What does this mean for cybersecurity teams?

While these changes can be seen as a positive step toward assisting law enforcement, they have also triggered a migration of cyber criminal activity to other platforms such as Signal or Session. One cyber crime group, the Bl00dy ransomware gang, publicly announced its departure from Telegram as a direct result of the company’s policy change. Many hacktivist groups have followed suit, as have legitimate users who rely on Telegram for freedom of expression under authoritarian regimes.

Unfortunately, such policy shifts may simply displace illicit activity, fragmenting cyber crime across a much wider range of platforms. That could make it harder for law enforcement and security analysts to track and disrupt threat actors. For example, red teams might find it harder to infiltrate these underground communities to identify and neutralize threats before they cause real harm.


Telegram has long been a rich source of threat intelligence, with many public channels used to coordinate cyber criminal operations. While private chats have largely remained out of reach for threat analysts and law enforcement alike, stricter moderation is now being applied to public channels, which may help expose criminals. Few would dispute the benefit of that in principle, but there is a drawback: the criminals may simply move elsewhere.

A growing concern is the increased likelihood of pushing both cyber criminals and hacktivists toward state-backed cyber crime and cyber espionage. That in turn raises the prospect of threat actors adopting end-to-end encrypted and decentralized platforms with even fewer rules than Telegram previously imposed. This could complicate the work of red teams tasked with simulating attacks or monitoring these networks, making them less effective at detecting threats early.

None of this necessarily means an imminent mass exodus of cyber criminal activity from Telegram. After all, with around 900 million monthly active users, according to Telegram’s figures, the platform still offers the large audience that sizeable cyber criminal ventures such as Malware-as-a-Service need to expand their reach.

Moreover, new users can still register anonymously with a number bought on the Section blockchain, which renders Telegram’s pledge to honor law enforcement requests for a user’s phone number largely moot. Telegram does, however, retain the ability to hand over IP addresses, which could be used to monitor a user’s online activity.

What can security leaders do to get ahead of threats?

As every security leader is well aware, the threat landscape is constantly evolving and growing more complex as cyber criminal operations spread across platforms. Many threat-monitoring tools and techniques are struggling to keep up, providing little or no coverage of platforms other than Telegram. The growing prevalence of decentralized, open-source platforms will only make threat hunting and analysis harder. In addition, rival nations are building their own platforms for cyber espionage and state-sponsored cyber crime.

It is more important than ever to adopt a proactive cybersecurity posture, one that spans all platforms and can prioritize threat attribution through multiple intelligence channels. That means combining human expertise with advanced threat analytics tools to gain intelligence from channels that would otherwise remain hidden.

AI-powered threat intelligence is a powerful complement to the expertise and judgment of skilled security analysts. For example, stylometry, which analyzes linguistic traits to build a distinctive profile of a user’s writing style, can help identify cyber criminals and uncover insider threats regardless of the platform they operate on. AI makes this possible at a scale that human analysts alone would struggle to match.

Even as cyber criminals move to a wider range of platforms, their behavior still reveals recognizable patterns. By tracking actions such as the timing of posts and the style of their interactions, analysts can build detailed profiles that help link operations and personas across platforms.
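To make the stylometry and behavioral-profiling ideas in the last two paragraphs concrete, here is an added example (not code from the original article) that links handles across two platforms by combining a writing-style profile with a posting-hour histogram and comparing them by cosine similarity. All posts, handles and platform names are constructed for illustration, and the feature set is a deliberately simple stand-in for what a production analytics tool would compute.

```python
# Added illustrative example; posts, handles and platforms below are constructed.
import math, re
from collections import Counter

# Constructed sample posts: (platform, handle, hour posted in UTC, text)
POSTS = [
    ("telegram", "tg_handle_1", 2, "lol u guys see the new drop yet"),
    ("telegram", "tg_handle_1", 3, "ur link is dead again lol fix it"),
    ("telegram", "tg_handle_2", 14, "The latest release is available; verify it before installation."),
    ("telegram", "tg_handle_2", 15, "We have updated the documentation, and the changelog is attached."),
    ("session", "sess_alpha", 14, "The migration is complete; all archived material has been restored."),
    ("session", "sess_alpha", 15, "We recommend reviewing the updated guidelines before proceeding."),
    ("session", "sess_beta", 2, "lol anyone got ur new build working"),
    ("session", "sess_beta", 3, "u still around i need the file lol"),
]
# Function words carry little topic meaning but a lot of authorial habit.
FUNCTION_WORDS = ["the", "and", "to", "of", "a", "is", "it", "i", "we", "u", "ur", "lol"]

def profile(posts):
    # Stylometric features followed by a 24-bin histogram of posting hours.
    texts = [text for *_, text in posts]
    tokens = [t for text in texts for t in re.findall(r"[a-z0-9']+|[^\w\s]", text.lower())]
    words = [t for t in tokens if t[0].isalnum()]
    counts = Counter(words)
    vec = [counts[w] / len(words) for w in FUNCTION_WORDS]      # function-word rates
    vec.append(sum(map(len, words)) / len(words) / 10)          # mean word length, scaled
    vec.append((len(tokens) - len(words)) / len(tokens))        # punctuation rate
    raw = "".join(texts)
    vec.append(sum(ch.isupper() for ch in raw) / len(raw))      # capitalisation rate
    hours = [0.0] * 24
    for _, _, hour, _ in posts:
        hours[hour] += 1 / len(posts)                           # share of posts per hour
    return vec + hours

def cosine(a, b):
    return sum(x * y for x, y in zip(a, b)) / (math.hypot(*a) * math.hypot(*b))

def link_handles(posts, src, dst):
    # Map each handle on platform `src` to its most similar handle on `dst`.
    groups = {}
    for post in posts:
        groups.setdefault(post[:2], []).append(post)
    profiles = {key: profile(group) for key, group in groups.items()}
    links = {}
    for (platform, handle), vec in profiles.items():
        if platform == src:
            scores = {h: cosine(vec, v) for (p, h), v in profiles.items() if p == dst}
            best = max(scores, key=scores.get)
            links[handle] = (best, round(scores[best], 2))
    return links
```

Calling `link_handles(POSTS, "telegram", "session")` pairs each Telegram handle with the Session handle whose style and posting habits match best; a real deployment would use far more posts per handle and treat a match as a lead for an analyst, not a conclusion.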

While tracking data points such as transaction metadata or cryptocurrency transactions may become harder, if not impossible, AI-driven behavioral analytics tools can help bridge the gap by helping human analysts identify threat actors and their attack methods. This will matter more and more as cyber crime spreads across platforms and security analysts work to maintain visibility into the next generation of cyber threats.