Pavel Durov, the founder and CEO of Telegram, was arrested in Paris on August 25, 2024 on charges related to his platform allegedly being used for illegal activities. Three days later, he was indicted and released on bail, with six charges related to illicit activity on Telegram. While people all over the world discuss Telegram’s loose moderation measures and wonder if providers of web services should be liable for the actions of their users, a certain type of Telegram users — cybercriminals using the platform — have something to say too.
In recent years, as detailed by KELA, Telegram has become popular as a platform for a wide range of cybercrimes. These include selling illegally obtained data, such as personal information, sensitive documents, and compromised accounts, and using the platform to facilitate infostealer, ransomware, hacktivist and other operations. Among reasons why Telegram is attractive to cybercriminals are anonymity and the ability to build communities, enabling cybercriminals to both hide their identities from law enforcement and have access to multiple potential sellers.
Now these cybercriminals are concerned with repercussions that Durov’s arrest can cause to their operations. While some of them discuss additional safety precautions, others go on the offensive and support Durov with cyberattacks against France. KELA has reviewed cybercriminals’ actions and discussions on the matter.
Threat Actors Supporting Durov
After Durov’s arrest, many people all over the world have expressed their dissatisfaction with the Telegram CEO’s arrest, viewing it as unjustified. In response, a campaign using the hashtags #FreeDurov” and #FreePavel was initiated and spread across the internet. Public figures who participated in the campaign included Elon Musk and Robert F. Kennedy.
Some threat actors, mainly hacktivists who are actively using Telegram, were seen discussing the arrest and supporting Durov. For example, StucxTeam, a hacktivist group known for targeting Israeli organizations, was debating whether Durov is responsible for terrorism and other illegal activities that use Telegram as their communication platform, adding the “#freedurov” hashtag at the end of the message. This message was one of many supporting statements observed using the hashtag on different hacktivist channels.
StucxTeam commenting on Durov’s arrest: Source: KELA platform
Some actors went beyond using the hashtags to launch cyberattacks on France in response to the arrest. On August 25, the pro-Russian hacktivist group People’s Cyber Army of Russia posted “#freedurov” on their channel and then announced a week-long attack on French “internet portals” in reaction to the arrest. They invited other threat groups to join them in this activity. As their first action, the group claimed to have launched a DDoS attack on the website of the French National Agency for the Safety of Medicines and Health Products (ANSM), which is associated with the French government, causing the website to be inaccessible for a period of time, as noticed by KELA.
The People’s Cyber Army of Russia statement and attacks announcement (auto-translated by KELA platform)
Another pro-Russian hacking group called UserSec initiated an attack campaign named “#FreeDurov” on their Telegram channel and urged other threat groups to unite in cyberattacks against France, citing their use of Durov’s messenger: “It will not be better for any of us if Durov is imprisoned on the charges that they want to bring against him. I invite all interested groups to join. Don’t forget that we use Durov’s messenger.”
Later, UserSec announced that, in collaboration with the People’s Cyber Army of Russia, they had carried out DDoS attacks on specific French targets. The first target was the website of the National Court of France, which was down on August 27, following the attack, and the second target was the website of the Paris tribunal. UserSec also claimed to deploy their “stealer” on French targets (possibly a stealer targeting Google Chrome that was mentioned on their channel a year ago). Other gangs, such as CyberDragon and OverFlame, have joined the campaign, while others have reposted the call.
UserSec initiating the #FreeDurov campaign on their Telegram channel (auto-translated by KELA platform)
Not only pro-Russian hacktivists have joined the efforts: the pro-Palestinian hacktivist group RipperSec conducted cyberattacks targeting various French websites, including PriceBank. RipperSec shared a message from the CGPLLNET threat group, announcing a new alliance and their plans to target France, and calling for more participants. On August 27, 2024, the group claimed responsibility for another cyberattack on France, and mentioned the groups involved in carrying out the attacks.
RipperSec is crediting other threat groups on helping to attack France
Based on this activity, it seems that hacktivists’ attacks on French organizations could be intensified in the near future, depending on how Durov’s case unfolds.
Interestingly, some cybercriminals have decided to support Telegram financially, for example, by investing in Telegram Stars, a recently introduced virtual items that allow users to purchase digital goods and services from bots and mini apps, as well as assist with channels’ monetization.
An owner of Deanon club project and Killnet Telegram channel invests in Telegram stars to support Durov (auto-translated by KELA platform)
Cybercriminals’ Concerns
For many other cybercriminals and their customers using Telegram, Durov’s arrest caused concerns about the platform’s safety and possible changes in moderation. Users of different cybercrime forums have created multiple threads mentioning the arrest, expressing mixed reactions.
Some users of cybercrime/drugs supply services are taking precautions communicating with these services, with several pausing their activities on the Telegram platform. The services suppliers are concerned about the security of their operations, particularly those who have stored sensitive information on Telegram, recognizing that this could expose them to significant risks if authorities gain access. KELA has also noticed instructions on how to prevent data loss on Telegram in case the authorities seize the servers circulating across different platforms.
A user plans to stop their regular communications with their “dealer” to lower the risk of them being caught
A user planning to delete their Telegram archives, containing stolen information from credit cards, bank accounts and more
Some threat actors are discussing alternative platforms, such as Tox, Session or Jabber for private messaging, due to their fear of being exposed if law enforcement gets access to some conversations. However, it does not seem that cybercriminals are actively leaving Telegram, with such activity merely related to setting up back up channels. For example, the actor claiming to be associated with the Lapsus$ group has set up an XMPP-protocol based channel, and shared a link on their Telegram channel for others to join.
Lapsus$-related channel announces a back-up XMPP conference channel
In general, long before Durov’s arrest, many cybercriminals avoided using Telegram for sensitive private conversations, claiming it is not safe. While some suspected Telegram of cooperation with Russian or other authorities, others pointed out the lack of end-to-end encryption on most of the chats (except so-called Secret chats). Therefore, the most cautious actors appear to have quit Telegram for a while now: for example, most of active RaaS operations now list only TOX, Jabber and Session as their contact methods.
A user discussing dangers of using Telegram
What’s Next
The recent attacks and discussions indicate that cybercrime users are concerned about Pavel Durov’s arrest, with some being concerned that his arrest may affect their primary communication platform. The arrest is likely to have a dual impact on cybercriminal activities on Telegram.
On one hand, it may lead to some actors taking precautions or considering alternative communication platforms, probably till the arrest’s full consequences will be clear. However, unlikely those who currently rely on Telegram will conduct a massive exodus, as many use it to form communities, advertise their product to multiple potential buyers and automate their operations, highly depending on Telegram’s channels, groups and bots. Currently, alternative platforms discussed by cybercriminals do not provide such functionality.
On the other hand, the arrest has inflamed certain hacktivist groups, leading to an increase in retaliatory cyberattacks, particularly against French organizations. The situation could evolve depending on the outcomes of ongoing legal actions.
Update - September, 25th
Telegram has updated its terms of use claiming the company will now disclose users’ phone numbers and IP addresses to law enforcement. This is a change from its previous policy, which limited data sharing to cases involving terrorism. The update clarifies that Telegram will only comply with court orders confirming a user’s involvement in criminal activities that violate the platform’s Terms of Service to sell illegal goods. Additionally, Telegram has reportedly enhanced its search feature to prevent its misuse for promoting illegal goods and encourages users to report illicit content via the SearchReport bot.
KELA has reviewed cybercriminals’ reactions to this change and found that multiple threat actors are dissatisfied with it, being unsure what to do and seeking alternatives to Telegram, with some mentioning Signal and Discord. Some hacktivist groups, such as Ghosts of Palestine, announced on their Telegram channel their decision to transition away from Telegram, citing concerns following the changes. The group claimed they are currently evaluating alternative platforms with stronger privacy features. The pro-Palestinian hacktivist group RipperSec announced that the group is creating a backup channel on Discord. Interestingly, the UserSec hacktivist group leader offered for sale lessons on how to stay anonymous online, including how to secure personal data on Telegram. Multiple other discussions were started in different groups, for example, members of BF Repo V3 Chat also expressed concerns about the changes, with some of them discussing a possibility to create their own messaging based on Telegram’s GUI. While currently KELA did not observe mass migration to other platforms, the change has raised significant concerns among cybercriminals and could affect activity of some of them on Telegram.