How Telegram Became a Hotspot for the Sale of Hijacked Financial Accounts

Telegram is increasingly abused by attackers, who set up underground channels to sell hijacked financial information belonging to affected users. Telegram is a free, cross-platform instant messaging service that offers end-to-end encrypted communications and recently had a user base of over 500 million active users.

Because the platform takes a lax approach to moderation, blacklisting only extremist content, cyber-criminals find it reasonably easy to abuse it to advertise their malicious purposes. It is also much easier to set up a Telegram channel to sell stolen data than to create a new dark web site, and often much easier to promote it and draw a wider audience of interested buyers.

Finally, because Telegram channels are more volatile and short-lived than dark web markets, they could be safer for criminals to use: they are harder to track, and it is harder to correlate online personas with real identities.

What is the Recent Problem?

Security investigators at Xiarch have posted a report based on the information they gathered throughout 2021 and concluded that even though the sale of financial accounts on Telegram has decreased in volume, it remains a stable problem. For the report, the investigators filtered out bot spam and focused only on high-quality data, such as listings containing specific keywords related to money laundering and financial account sales.

Our analysts believe that the reason behind the plunge of 60% compared to 2020 is the overall reduction of newly-issued credit cards during the pandemic. “This stark nosedive in monologue surroundings negotiated the accounts from 2020 to 2021 might seem remarkable, but it is not an isolated event; a parallel decrease was also discovered in the total number of the negotiated credit cards sold on underground markets throughout the same period,” the investigators explain in their report.

“In the Underground Financial Fraud report for H1 2021, we attributed this decline to the closure of some credit card markets (either imposed by law enforcement or as a result of threat actor retirement), ongoing trends towards contactless payments accelerated during the pandemic, and the overall reduction of newly-issued credit cards.” Another factor that may have played a key role is the general decline of the carding space and the shift of cybercriminals’ attention to the much more prolific ransomware operations.

Why Are PayPal Accounts the Most Traded Item?

The leader in the number of listings on these channels is PayPal, followed by Chase and Western Union.

Account takeovers on PayPal constitute a direct way to drain funds from other people, and thanks to the platform’s popularity, it’s easy to make online purchases with it on almost any site. Researchers explain that for most compromised PayPal accounts, the buyers use them to purchase hard-to-trace cryptocurrency, essentially laundering the money.

On that front, cyber-criminals also offer money transfer services right on Telegram, helping actors obfuscate the origin of the stolen funds.

Credit Cards Are Still Being Sold

Even if at a smaller volume, credit cards are also offered on Telegram channels, with roughly half of them including the highly-valuable CVV/CVV2 codes required to verify online purchases. The prices range from $10 to $1,500 per card, depending on the bank account balance and the “freshness” of the data.

If the owner hasn’t realized the breach of their credit card details, there’s no risk of being reported to the bank, so the listing’s price is higher.

That is at least how things work theoretically, as scams are always to be found among genuine listings. Finally, there are dedicated Telegram channels that sell bank logs (credentials) as well, which can also be used for electronic cashouts.

Summing Up!!

The above is only a limited part of cybercriminal activity on Telegram channels, with other activities including identity theft, fraud, stolen databases, network access, and much more. Anonymity in Telegram is linked to the telephone number used during registration, so if the actors acquired the SIM without providing real identification details, they become hard to track and catch.

We have reached out to Telegram to request a comment on the matters of abuse and what they’re planning to do about it, but we have not received a response yet.
