Cybercrime is thriving on Telegram, with more & more threat actors choosing the encrypted messaging app as a viable alternative to the secretive forums of the deep and dark web. In the second installment of this four-part series exploring Telegram’s cybercriminal underbelly, we delve into the other illicit items sold on the platform, including counterfeit and forged documents, narcotics, and compromised account credentials for streaming and software services.
In the first part of our four-part series exploring Telegram’s cybercriminal underbelly, we looked at the messaging app’s illicit market for compromised financial accounts. Today, we will delve into the other illicit items sold on the platform, including documents, narcotics, and compromised account credentials for streaming and software services.
Telegram channels are filled with offers for fake documents services, known in Telegram slang as lookups scans, and physicals.
In a lookup service, an actor offers to locate a specific legitimate document belonging to a target of the customer’s choice. This can include passports, social security numbers, bank documents, and more, enabling the customer to execute all sorts of fraudulent schemes.
A scanning service, meanwhile, offers to produce photos of fake documents, including drivers’ licenses, passports, credit cards, bank statements, social security numbers, COVID-19 vaccine proof cards, and more. Consumers of scanning services presumably seek to present these documents as their own official, legitimate documentation to governments, businesses, and health services. In our understanding, the cost of each item is based on its type and quality.
Physical services go one step further by delivering a physical counterfeit document, doctored to appear legitimate. Obviously, these hard copy counterfeits come at a premium cost compared to a simple online digital copy.
There has been a sharp rise in documents services over Telegram throughout the last few years; activity in 2021 more than doubled from 2020. We can assume that this rise has been partially influenced by COVID-19 and the global vaccine mandate, requiring individuals to provide various healthcare and identification documents in order to use public services and spaces freely.
Let’s look at some examples:
In this post below, a user offers lookups, scans, and physicals of credit cards, passports, IDs, social security numbers and bank statements.
This second post offers a variety of documents, ranging from paystubs to passports to utility bills. It also offers an editing service, whereby the buyer provides the original document and the seller returns an edited version of the document, manipulated according to the buyer’s specifications.
This third post offers several documents for sale, including fake COVID-19 vaccination cards.
Compromised Account Credentials for Streaming and Software Services
In addition to compromised financial accounts (as discussed in the previous installment) there are two more broad categories of compromised accounts sold on Telegram. The first is for streaming services, such as Disney+, Netflix, Apple TV, Amazon TV, Spotify, Apple Music, and YouTube. The second is for various software offerings, such as Microsoft Office, Windows OS, Microsoft OneDrive, Adobe programs, Google Drive, Anti-Viruses, and Autodesk.
In 2020, the popularity of these compromised account credentials in Telegram markets peaked in April and May, presumably as people were resigned to their homes during the first COVID lockdowns. This peak on Telegram parallels the surge in streaming accounts observed for sale on underground deep and dark web forums during this same time period.
In 2021, the peaks of April and May 2020 were vastly exceeded in September by almost 20,000. This surge may have been spurred by the Delta variant, or possibly as a result of the rising demand for streaming and software accounts as students returned to school.
It is not entirely accurate to refer to these accounts as “compromised”. While some of the accounts for sale do indeed belong to legitimate account holders whose usernames and passwords had been compromised, many of the listings on Telegram appear to be selling original, legitimate accounts with licenses and/or software keys, unconnected to an existing user’s paid account, but for prices well under the market value.
Some of these listings even allow users to specify the username and email linked to the account, and offer services to upgrade existing accounts to a premium version. For example, the post below offers to upgrade free Spotify and Youtube accounts (with limited, ad-overloaded features) into premium, full access, ad-free accounts.
However, just as with any illegal product purchased in any black market, the buyer does not always receive the product as they expect it. Like most deals that seem too good to be true, there is often a catch – for example, sellers could theoretically sell the same key or license to multiple buyers, meaning that it would only be a matter of time before the account provider detects the abuse and closes the account.
With just a few swipes and the right search terms, Open Sesame! Telegram opens a hidden door leading to a secret online marketplace for illegal drugs, unauthorized prescription medicine and various drug paraphernalia. Drug dealers loitering ominously on street corners is quickly becoming a thing of the past, with cartels, peddlers and users alike moving their transactions to the anonymous and highly convenient Telegram narcotics hub, where their identities are safely hidden behind layers of encryption. Consumers do not have to venture out in search of trusted drug dealers, and can easily order their drug of choice from the comfort of their own homes – often delivered to their doorstep faster than Uber Eats. This conduit for drug transactions does not only benefit consumers, dealers and manufacturers enjoy a larger and more organized client base, extending their reach while maintaining total anonymity through encrypted chats and channels.
It appears that the sale of narcotics on Telegram is growing tremendously. From month-to-month, we observed drastic rises in mentions of narcotics such as cocaine, marijuana, crystal meth as well as pharmaceuticals.
We also observed a significant expansion in the total number of actors and channels operating within the Telegram narcotics market. In 2020, 582 channels were observed within the Telegram drugs markets, while in 2021, we identified 1085 unique channels, signifying a growth rate of 86.42%!
While some of this growth can be attributed to improvements in Cybersixgill’s collection methodology, this rapid expansion indicates an overall significant rise in the volume of narcotics trading on Telegram. This rise shows no sign of abating, even as law enforcement authorities across the globe amp up operations to arrest dealers and shut down Telegram-based narcotics channels, as in the recent law enforcement operation in Singapore.
Below are some examples of drug types, prices and benefits afforded to those who purchase narcotics through Telegram:
It is worth reiterating that the primary utility of Telegram for threat actors is the ease with which prospective sellers can open a new channel as well as the simplicity for prospective buyers to find these channels, in comparison with a .onion marketplace.
Of course, this makes the job for law enforcement all the more difficult. Even if one channel is successfully shut down, several new alternatives will undoubtedly emerge in its place. Thus, combating illicit trade of documents, accounts, and narcotics on Telegram is – like vulnerability management – a relentless game of whack-a-mole.