A trip into the dark corners of Telegram, which has become a magnet for criminals peddling everything from illegal drugs to fake money and COVID-19 vaccine passes.
Just a few years ago, illicit services and online contraband were firmly sourced in the hidden, largely untraceable depths of the internet: the dark web. People frequenting dark web sites knew how to take advantage of the anonymity offered, and often managed to evade law enforcement. However, fast forward a couple of years and this model is changing. We are now seeing illegal products and services brazenly advertised on popular social media, where criminal markets are open to the masses, often leaving the police with little to do but watch.
When I previously researched online crime with the police, selling drugs on the dark web was big business. Marketplaces like Silk Road and AlphaBay were havens for potential buyers to compare and purchase whatever they had their eye on. Protected by a cloak of anonymity, a setup that allowed money to travel via escrow, and even a review system for the products offered, these dark web sites were the obvious choice for miscreants to lay low.
However, the constant shutdowns of these marketplaces and the difficulty to lure big numbers to the dark web has meant that criminal enterprises have had to think differently about how they reach their markets. At the same time, the COVID-19 pandemic has helped open up new avenues for criminal activity, from the greater vulnerability of home working to restricted access to venues and the use of vaccine passports. People are online more than ever and may also be more susceptible to illicit offerings.
Who needs the dark web anymore?
In recent years, new platforms have emerged that criminals have co-opted, with perhaps Telegram being the most notable example. Telegram is a free, open-source, cloud-based instant messaging platform that has gained huge popularity as people want privacy-focused communications. Of course, it’s a completely legitimate app offering end-to-end encrypted messages and calls so that ISPs and other third parties cannot access the data.
Unsurprisingly, however, the platform has also attracted the attention of criminals who are keen to take advantage of this privacy. On offer is everything from drugs, counterfeit money, stolen credit card details and other personal data to hitmen services (or, rather, hitman scams). Notably, some sellers are also offering fraudulent NHS COVID-19 vaccination passes, certificates to enable travel, and vaccine cards, each for around £200.
Worryingly, these Telegram groups can be located in a matter of moments and with just a few clicks. What’s perhaps even more disconcerting is the number of users this information is reaching. Some groups have hundreds of thousands of members, opening up the new dark market to a huge audience.
But it’s not just Telegram. TikTok users have also offered drugs to a market in a brazen style. Class A drugs could be found on the site in seconds, luring people to use the chat function to order their narcotics. The movement to easily accessible services and the way dealers are open to communication even on an unencrypted platform suggests the bold lengths they are heading in to capitalize on the market among young people. Furthermore, the way in which young people see drug use and paraphernalia online everyday quickly normalizes drug use, which, in turn, exacerbates the broader related problems.
Down the rabbit hole
I first downloaded Telegram in 2019, but it wasn’t until the following year that I delved into its Channels feature. Channels allow anyone who downloads the app and sets it up with their phone number to search for anything that might interest them. So, with my criminal investigation hat on, I soon searched for illegal services and contraband. I was shocked at how quickly I was offered all sorts of apparently criminal activity. In fact, I was able to able to download Telegram and get into these channels in under a minute.
Once there, I was met with multiple groups in multiple countries, all offering cards and passes that are advertised to work locally. The cards on offer seem relatively straightforward – they could have been easy to steal from a hospital. Worse, the passes may grant access to travel and international events, begging troubling questions on how these scams operate on a global scale. These sellers also go one step further and offer vaccination QR codes, vaccine passports and the ability to hack the codes into the database enabling international travel and entry to places requesting vaccine proof.
It may seem less dangerous to buy through social media channels than the dark web, or even legal, but this is actually part of the problem. A semblance of respectability can encourage both sellers and buyers, leading to an increase in illicit activity. Unfortunately, these sales often fund more malicious crimes and the cycle continues.
Telegram has over 500 million users and has become more popular over recent years due to its reputation as a more secure messaging and social networking platform. As apps like WhatsApp have come under scrutiny for their data privacy, users have turned to Signal and Telegram as a better option for privacy. Unfortunately, this can also be a bit of a double-edged sword. Of course, it is vital that users are confident that their personal information and messages are kept away from prying eyes, but this can also act as a safety net for cybercriminals due to the way in which their communications can be kept under the radar.
Cybercriminals are just as confident in their ability to evade law enforcement on Telegram Channels as they were with the dark web, but are now also afforded exponentially higher numbers of customers. As more people flock to such privacy-focused apps, the criminal underworld is waiting for them with open arms.
Why are cybercriminals hard to catch even on the “open web”?
Put simply, cybercriminals are using the underpinning privacy protection in Telegram and other services. Coupled up with virtual private networks (VPNs) and other tools to evade capture, it is almost impossible to track down those using Telegram in nefarious ways. Even if devices were to be seized (and from time to time big operations do pull this off) there is unlikely to be enough or any solid evidence on the devices due to the nature of disappearing messages and other popular techniques.
The police are getting better at investigating online crime and using better tactics with more resources being placed into digital crime. When I started investigating computer crime around 2008, I could view and copy every device and locate the vast majority, if not everything, that the suspect had ever done, as everything was logged and difficult to hide or wipe. Over the last decade, however, the evidence available has dwindled.
One could be forgiven for placing blame with Telegram and its lax content moderation or even suggesting that Telegram is fuel for this fire. On the other hand, it can be very difficult to filter out illicit content without overly rigorous monitoring of users and their intentions. Communications need to be encrypted and our privacy needs to be protected in order to generate better cybersecurity. Telegram can and already have filtered some keywords that cannot be searched much like in social media hashtags but the way the criminal fraternity bypass this is by conjuring up new words so products and services remain searchable.
Unfortunately, where there is a market, there will always be a way. Telegram and some other social media services will likely continue to be used in more ‘colorful’ ways aiding the black market. With software and techniques now widely available to wipe even an inkling of evidence, it is apparent that we are slowly removing any possibility of this going anywhere anytime soon. Channels enabling privacy will always also be favored by those wanting to hide in the shadows, so it is vital that everyone is aware of the problem.
written by Jake Moore, ESET