At the end of March, Tal Prihar, one of the owners and operators of DeepDotWeb, pleaded guilty to taking kickback payments from underground markets in exchange for sending DeepDotWeb users links to their criminal bazaars. This takedown was far from law enforcement’s first, and is unlikely to be its last. After every takedown, it seems as though there are always groups ready to step in and take over. Names change, tactics change, but the web remains home to all manner of content – both illicit and otherwise.
This reality is part of what makes it essential to search the surface and deep web for threat intelligence. It is tempting to think of threat intelligence as applying only to underground markets available on darknets like TOR. Truth be told, however, threat intelligence efforts cannot stop there. Messaging applications such as Telegram and Discord, while both are used by legitimate users, are refuges for cybercriminals as well. Rather than abandoning underground markets entirely, criminals increasingly start conversations about stolen goods on dark web forums and then migrate them to chat groups on platforms like Telegram and Discord.
Between September 2019 and June 2020, there was a 62% increase in the ratio of flagged content to total monitored content on Telegram. On Discord, the increase was 70% during the same period.
Leaked credentials became more popular on both platforms as well. Many of the small-ticket items, such as individual stolen credit cards or small batches of them, can be found on Telegram or Discord. Big-ticket items, such as records from major data breaches or contraband weapons, are more likely to be found on TOR, which carries the small-ticket items as well.
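The "ratio of flagged content to total monitored content" quoted above is a simple metric to compute once messages are tagged. The following is an added example, not code from the original article: it scans a constructed sample of chat messages for two of the indicators the article names (Luhn-valid card numbers and email:password combo-list entries) and computes the flagged ratio per platform and period, plus its percentage change. The message set, platform and period labels, and resulting figures are all made up and do not reproduce the article's statistics.

```python
import re

# Constructed sample of monitored chat messages as (platform, period, text).
# Entirely made up for illustration; these counts are NOT the article's figures.
MESSAGES = [
    ("telegram", "2019-09", "anyone around for the raid tonight?"),
    ("telegram", "2019-09", "fresh cc 4111 1111 1111 1111 exp 12/23"),
    ("telegram", "2019-09", "4111 1111 1111 1112 is not a real card"),  # fails Luhn
    ("telegram", "2019-09", "call me at 555 123 4567"),
    ("telegram", "2020-06", "combo drop: alice@example.com:Winter2020!"),
    ("telegram", "2020-06", "4242 4242 4242 4242 cvv included"),
    ("telegram", "2020-06", "stream starts at 9"),
    ("telegram", "2020-06", "new server invite in pins"),
]

# 13-19 digits, optionally separated by spaces or dashes (card-number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# "email:password" pairs in the combo-list layout typical of credential dumps.
COMBO_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+:\S{6,}")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: drops phone numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def flag_message(text: str) -> set:
    """Return the set of indicator classes found in one message."""
    hits = set()
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            hits.add("card")
    if COMBO_RE.search(text):
        hits.add("credential")
    return hits


def flagged_ratio(messages, platform: str, period: str) -> float:
    """Share of monitored messages for one platform and period that carry an indicator."""
    sample = [t for p, per, t in messages if p == platform and per == period]
    return sum(1 for t in sample if flag_message(t)) / len(sample) if sample else 0.0


def ratio_increase_pct(messages, platform: str, before: str, after: str) -> float:
    """Percent change in the flagged ratio between two periods (inf if the baseline is 0)."""
    a, b = flagged_ratio(messages, platform, before), flagged_ratio(messages, platform, after)
    return float("inf") if a == 0 else (b - a) / a * 100
```

The Luhn filter matters in practice: digit runs such as phone numbers and order IDs otherwise inflate the flagged ratio and bury the real card dumps.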
The anonymity that these types of apps offer is what makes them attractive. Discord seems innocuous; after all, it was created for gamers who wanted to communicate via video and audio chat during online play. These features, however, as well as the ability to host Discord services on a private server, have made it the go-to communication and sharing tool for threat actors. The same is true for Telegram, which enables "secret chats" that use end-to-end encryption. Similarly, on Discord, servers are organized into channels where users can communicate, and the creators of the servers can manage access to them. While these features are typically used for innocent gaming, they are also abused.
This push-pull between legitimate users seeking privacy and cybercriminals looking to conceal activity is part of the story of the Internet. In the case of Telegram, many businesses are attracted to it not only for security reasons but because it can amplify their digital marketing efforts. But as is often the case when it comes to technology, there is a dark side. In November 2020, it was reported that a massive file containing more than 23,000 hacked databases was shared over Telegram and several hacking forums. On Discord, threat actors have been observed offering everything from credit cards and gift cards to credentials for Hulu accounts.
Though the makers of these platforms prohibit their use for malicious activity, in recent years cybercriminals have used them not only for communication but also to host malware. The ToxicEye malware recently spotted by researchers at Check Point leveraged Telegram for its command and control, adding its name to the dozens of other pieces of malware that have done the same. From a threat intelligence perspective, these and other messaging apps can be mined for more than just the presence of personally identifiable information (PII). Extremist speech, attack methods, and communication about planned attacks can all potentially be found on these platforms.
There is no longer a one-stop shop for criminal discussion; there is a whole network of networks predicated on simple concepts: anonymity, decentralization, and privacy. For enterprises, this makes including these kinds of apps as threat intelligence sources vital.
While TOR is often treated as synonymous with cybercrime by those outside the security community, it is far from being the only home for cybercriminals. The list of active darknets is likely to continue to increase as law enforcement crackdowns and concerns about privacy and security surface. While the Libertas market folded not long after moving from TOR to I2P, the movement of markets from TOR to other darknets can be expected to jump as takedowns send threat actors to other corners of the dark web.
Similar content, however, will remain available on the surface web. Focusing only on darknets will create blind spots. Effective monitoring and analysis of activity on apps such as Telegram, Discord, and others allows organizations to properly perform threat modeling and to detect data breaches and emerging threats before they make the headlines.