How Cybercriminals Are Responding to New Data Sharing Regulations • KELA Cyber Threat Intelligence

Telegram recently made waves by updating its privacy policy, marking a significant departure from its long-standing reputation as a haven for privacy-minded users, including cybercriminals. The messaging platform, known for its hands-off approach to moderation, will now share users’ phone numbers and IP addresses with law enforcement following court orders. The change applies to various criminal investigations, going beyond the previous limit of only terror-related offenses. You can read the full details of the new policy at Telegram Privacy Policy Page.

What Telegram’s new policy means for privacy and security

The update comes amid mounting legal pressure on Telegram and its founder, Pavel Durov, following his recent arrest in France. Authorities have been pressuring Telegram to combat the illegal activity flourishing on the platform, ultimately leading to this sweeping policy update. For more context on Durov’s arrest, check out our blog post: Durov’s arrest and Telegram’s transformation.

For years, Telegram was a go-to platform for those looking to operate under the radar of law enforcement. For more context, read our report: Telegram: How a messenger turned into a cybercrime ecosystem. This update marks a turning point, as the platform will now cooperate with authorities in criminal investigations.

How Cybercriminals Are Responding to Telegram’s Policy Update

KELA’s research reveals widespread unease within cybercriminal communities about these changes. Groups such as Ghosts of Palestine have publicly announced their intention to leave Telegram and seek more privacy-focused platforms. RipperSec, another prominent hacktivist group, has already started setting up backup channels on Discord, expecting that Telegram’s cooperation with law enforcement would pose a threat to their anonymity. Al-Ahad hacktivists also created a Signal group and promised to close their Telegram channel soon. GlorySec hacktivists even indicated that they “may or may not” have created Facebook and Threads accounts, but without taking any action.

Ghost of Palestine announces they want to find an alternative to Telegram

Al Ahad claims to be leaving Telegram in favor of Signal

Meanwhile, other groups are taking a more pragmatic approach. UserSec, for example, now offers tutorials on how to stay anonymous on Telegram and shares tips on how to avoid detection under the new data sharing rules. In the BF Repo V3 Chat group, a Telegram chat for BreachForums users, members have even floated the idea of creating a custom messaging platform with Telegram’s GUI as a base, so they can continue their activities with less risk of exposure.

Overall, KELA has seen several cybercriminals discussing Jabber, Matrix, and Session as alternatives to Telegram. However, these are mostly considered for private messages or private groups, whereas Telegram offers them the opportunity to create open communities around illegal activities. So far, only Discord was mentioned as a platform that can provide the same functionality, as well as Signal groups.

Despite these initial reactions, there has not yet been a mass exodus of cybercriminals from Telegram. However, these discussions do indicate that there may be movement in the future, as groups and individuals weigh their options in response to the platform’s shift.

Does Telegram’s policy change affect criminal activity?

It is unclear whether this policy change has the potential to significantly disrupt criminal activity on Telegram and drive it to Discord or other platforms. While cybercriminals are certainly expressing concern about the issue, their activity on Telegram is simply too large to be immediately moved to another platform.

Infostealer operations, for example, don’t just use Telegram to sell and share collected data via “clouds of logs”. Read more in our blog: Telegram Clouds of Logs – the fastest gateway to your network. Commodity infostealers have given rise to cybercriminal gangs and teams that work together to infect as many people as possible. To coordinate their activities, many use Telegram, creating a variety of tools: channels for hiring new traffickers and advertising the team, public and private chats for coordinating activities and discussions, and Telegram bots for automating tasks, payments, and more. Such behavior is common among many malware-as-a-service operations, as well as hacktivists and other cybercriminals.

Additionally, Telegram’s new dedicated team of moderators, which uses AI, is stepping up efforts to monitor and remove illegal content from search. This increased focus on moderation could make it harder for cybercriminals to operate openly on the platform. However, many of them are used to overcoming such barriers. As seen with groups like UserSec, some may try to exploit loopholes or develop strategies to continue their activities despite these new challenges. KELA is aware that cybercriminals have been maintaining backup Telegram channels for some time; they usually switch to a backup channel, proactively advertised to their followers, once their main channel is banned.

RipperSec is opening their backup channel for subscribers

This policy change won’t eliminate cybercrime on Telegram, but it will likely change the way malicious actors operate in the short and long term.

What this means for threat intelligence: insights from KELA

For companies like KELA, these changes present both challenges and opportunities. While some cybercriminals may move to other platforms, KELA’s unparalleled coverage ensures that we continue to track and monitor activity across a wide range of forums and messaging apps. It’s not just about knowing the right sources, it’s about gaining access to these underground communities. KELA’s combination of human expertise and advanced technology provides unique access to forums and channels that are often hidden from other intelligence agencies.

This constant vigilance allows us to stay ahead of emerging trends by tracking where threat actors are moving and how they attempt to evade detection. By quickly adapting to shifts in the cybercrime landscape, KELA ensures our customers gain actionable insights, allowing them to remain proactive in their defense strategies, even as platforms like Telegram evolve.

Conclusion: The Future of Telegram and Cybercrime

Telegram’s recent policy shift is a clear response to mounting legal pressure and a broader need to curb the platform’s use for illegal activities. While the new rules may push some criminals toward more secure platforms, Telegram’s 900 million active users mean it’s likely to remain a major player in the cybercrime ecosystem for the foreseeable future.

As these changes continue, KELA will continue to provide critical information on how malicious actors are adapting to the changing environment, ensuring that security teams stay one step ahead of malicious activity.
