Dark Web Forums vs. Illicit Telegram Communities


The proliferation of cybercrime on the internet has given rise to thousands of criminal communities. These corners of the internet, often dominated by malicious actors, allow them the space to coordinate and carry out their illegal activities successfully. Commonly, the area of the internet that experts advise has the highest criminal activity is on dark web forums and markets.

More recently, there has been a spike in illicit activities moving into online messaging applications like Telegram. Combined these two facets of cyberspace host a plethora of criminal activities carried out by threat actors.

In this post, we’re going to explore common threat actors and their activities on dark web forums versus illicit Telegram communities. Additionally, we’ll cover core similarities and key differences between each platform in order to better understand that not all cybercriminal based communities are created equally.

Dark Web Forums:  Experienced Cybercriminals

The dark web has been notoriously known as the corner of the internet accessible through TOR,  and home to nefarious activity. Within the dark web also sits many forums that allow others to share, communicate, buy, sell, and trade illegal goods and services regularly. These forums also allow others to do many illicit activities seemingly with a cloak of anonymity.

Common Dark Web Hacking Activities

Illegal cybercrime activities proliferate on the dark web. These include ransomware as a service vendors, stealer logs, marketplaces, credential dumps and hacking forums.

Several of these forums, such as RaidForums, allowed cybercriminals that are executing the attacks to share their stolen credentials and data leaks with other forum users directly.

A number of these forums are also home to more seasoned hackers such as initial access brokers active on top-tier forums such as XSS and Exploit in. Hackers on dark web forums are more commonly known to share more zero-day exploits to other threat actors as well as share with other hackers how to use these exploits to their advantage as well.

While there has been a greater presence of law enforcement on the dark web aimed at shutting down more dark web forums, numerous have continued to maintain their more experienced cybercriminal establishments.

Cybercrime forum

Illicit Telegram Communities: The Direct to Consumer Model

In recent years, Telegram has become a popular messaging platform for both illicit and legitimate communication activities. The app has allowed people from all over the world to be able to share and collaborate more than ever before. However, it has also allowed numerous dark web forums and other nefarious groups to move onto the messaging app as well and create illicit channels successfully.

Common Illicit Telegram Channel Activities

Many of these groups can range from selling credit card information or user credentials to others to Russian hacktivist groups sharing their latest exploits, recruiting hackers to support their cause, and targeted victims of their attacks.

Due to the popularity and sheer volume of illicit groups for users to join there is a much larger range of cybercriminals on the app. The common type of cybercriminals that research has shown to be active on Telegram often tend to be more low-level beginners to cybercrime to mid-level experienced cybercriminals. Of many of the illicit groups researched on Telegram there was a large variety of groups operating as a marketplace to sell:

  • Bank account user data
  • Data leak channels
  • Credit card information
  • Botnets
  • Combolists
  • Stealer logs

Many of the groups researched commonly offered either user data or services geared toward being able to aid in an attack of an organization. In this sense Telegram actors tend to be more focused on providing the means to gain access to a system rather than the access itself.

Any such services that were sought by a user in one of these malicious communities were often directed to navigate from Telegram to a dark web forum directly. Additionally, in some of the communities beyond financial fraud there are a great number of these groups sharing about and boosting recent exploits. It also allowed for threat actors to communicate with each other and share other new or ongoing illicit communities.

Parallels Between Dark Web Forums & Illicit Telegram Communities

These illicit communities also allow countless users to have more anonymity within a global community that allows them to share, trade, or make money selling services or exploits successfully.

Dark Web Forums & Telegram: Main Similarities

There are numerous similarities between dark web forums and illicit Telegram communities. The most notable parallels between these two platforms are that:

  • They can be a hotbed of both illegal and criminal activity from selling consumer financial data to carrying out distributed denial of service (DDoS) attacks against organizations effectively.
  • They can both provide a borderless community built among thieves.

Additionally these types of communities often include moderation and governance over the forums and channels in order to:

  • Oversee operations
  • Control membership
  • Moderate content
  • Drive the general direction of the communities

Rapid Adaptation with Changes to Forum/Channel

Dark Web forums are adaptable, even in the event of law enforcement action. For example, if an owner, moderator, or administrator of the forum or channel has to step down it is often taken over by another leader of the community.

Illicit Telegram Channel

Channel owners on Telegram can often sell their group to the highest bidder in order to cash out of the group.

This is often done ahead of time before law enforcement intervenes to shut down the group or the Telegram channel has been reported and threatened to be shut down due to illicit activity.

Key Differences Between Illicit Telegram Channels and Dark Web Forums

While there are many parallels between the criminal activity between illicit Telegram groups and dark web forums, there are several key differences between these communities as well.

Differences in Activities

Not all dark web activity seen on many forums is also seen on Telegram. For example, rarely has it been seen that the illicit communities on Telegram allow others to buy, sell, or trade other cyberattack methods such RaaS or other attacks as a service.

Often many of these types of attacks as a service type of criminal operations that are sold are still predominantly on dark web forums and marketplaces.

Telegram: Easier Accessibility

In addition to some of the differences between the experience levels and type of activity seen on forums versus Telegram, there is also a key difference between the accessibility, user interface and technical requirements in order to join the communities. For example, most dark web forums operate solely with the use of special browsers like Tor, unique URLs, and appear similar to traditional internet forums.

On the other hand, Telegram is much more user-friendly and accessible for threat actors to set up an account along with joining or starting their own channel. Most Telegram channels including illicit communities can make criminal activity on the platform more accessible and easier for even low-level cybercrime.

Track Both Dark Web Forums and Telegram for Greater Protection

The landscape of cybercrime has evolved dramatically, with hackers leveraging both dark web forums and illicit Telegram communities to facilitate their activities.

For organizations to effectively protect themselves from these continuously changing threats, cybersecurity strategies must include monitoring both of these platforms. This will enable us to anticipate and counter malicious activities across different cybercrime ecosystems.

Concerned about Telegram? Flare Can Help

Flare’s Threat Exposure Management platform sets up in 30 minutes and monitors the clear & dark web and illicit Telegram channels for external risks.

We monitor:

  • Over 12 billion leaked credentials on the dark web
  • Hundreds of marketplaces and forums on Tor
  • Thousands of illicit Telegram channels

In addition, Flare automatically detects exposure due to human error such as leaked API keys & credentials on GitHub, data exposure on pastebin, and other clear web sources of risk.

Sign up for a free trial in 5 minutes.

Sponsored and written by Flare



Source link