This article is more than 1 year old

Dark web souks are so last year: Cybercrooks are switching to Telegram

From AlphaBay to 'Message me, hey!'

Underground cybercrime marketplaces are in decline because cybercrooks have begun switching to chat channels to trade illegal goods, according to a new report.

The climate of fear and mistrust following the AlphaBay and Hansa takedowns in July 2017 has resulted in crims switching tactics and using less convenient platforms, such as Telegram, according to research from Digital Shadows.

The paper, titled "Seize and Desist", claimed the cybercriminal community has instead fallen back on alternative ways to conduct transactions across decentralized markets and messaging networks such as Telegram.


Hansa down, this is cool: How Dutch cops snatched the wheel of dark web charabanc


Alongside this, digi crooks have adapted their processes to increase the security, reliability, and trust of existing sites. These trends predate the AlphaBay and Hansa takedowns, but have become more acute as the marketplace model continues to struggle.

AlphaBay was a big player in the underground market - particularly for English-language speakers - and its demise left a gap. No single marketplace has risen to the top. Mistrust and fear are rife, and, alongside hidden financial costs associated establishing a new market, this has prevented a new one from flourishing, the infosec firm said.

Telegram in particular is proving increasingly popular as an alternative. Digital Shadows said that over the last six months, its analyst teams detected over 5,000 Telegram links shared across criminal forums and dark websites, of which 1,667 were invite links to new groups. These covered a range of services, including cashing out, carding and crypto currency fraud.

Rick Holland, CISO and VP Strategy at Digital Shadows said:

“Historically, when popular marketplaces disappear, another leader emerges. The effects of law enforcement action are therefore relatively short-lived, becoming a game of 'whack-a-mole' where cybercriminals are always one step ahead. But this hasn’t happened in this case (for now) and instead they have dispersed to alternative platforms and techniques to transact online.”

Cybercrims have tried to set up alternative marketplaces in the last year but without much success. Some AlphaBay users were so fond of their former haunt that they tried to form a new iteration of the site called GammaBay. It never really took off. Similarly, the promising Olympus market disappeared after it failed to garner trust among the underground fraternity.

Another exists in the form of "Dream Market", but it has failed to gain traction in the criminal community amid poor user experience and suspicions of law enforcement activity, the research found.

Blockchain technology has been seen by some cyber criminals as a "saviour" that would bring about alternative models for decentralized marketplaces. Sites that are hosted on blockchain, often with the “.bazar” TLD, are perceived to be less susceptible to law enforcement takedowns. This is why notable sites, such as Joker’s Stash, have switched to blockchain hosting. The decentralized marketplace OpenBazaar has also experienced steady growth, with nearly 4,000 new users signed up in the last four months. While it is far from being a panacea to overcome the concerns about trust, interest in blockchain hosting has increased, Digital Shadows concluded.

Although the barriers to entry may have been raised - and criminals are more likely to be deceived by each other - cybercrime is not going away. New business models and avenues for fraud are being developed.

What to expect when you go on holiday with a cybercrime kingpin

Vladimir Kropotov, a researcher with Trend Micro, independently backed up Digital Shadows' findings that cybercriminals were switching to Telegram during a presentation at the BSides London conference yesterday.

Kropotov explained how hackers have created their own ecosystem that exploits literally all hospitality and travel industries for their own needs.

His talk covered the mechanisms and modus operandi for services including underground travel agencies, cheap flights, hotels and car rental-related scams. A variety of abuses are involved in creating these services from business process compromises to credit card fraud and exploitation of vulnerabilities in traveling systems and mileage programs.

Airlines commonly reserve one to two per cent of their revenue to cover fraud but the level of loss is much higher, according to Kropotov. Crooks are offering services to other crooks in order to run scams. For example, travel insurance fraud is facilitated by a back story supplied by a fake travel agency of cancelled hotel bookings and transportation.

“Many actors are switching from underground channels to Telegram to offer live support,” he explained. ®

More about

More about

More about


Send us news

Other stories you might like