The widely popular Telegram has become a viable alternative to secretive forums on the dark web. Threat actors are increasingly abusing the platform to set up underground channels to sell stolen financial details to users.

The rising concern of abuse of Telegram

  • In a report from Cybersixgill, researchers revealed that compromised cards from most popular financial institutions are a lucrative commodity on Telegram-based illicit marketplaces.
  • These cards belong to Chase Bank, the Bank of America, Wells Fargo, Western Union, Visa, and Mastercard.
  • Just like those sold on dark web markets, cards sold on Telegram come in two forms: one that includes CVV/CVV2 information and another that contains dumps such as cardholder’s name, account number, and other valuable information.
  • Threat actors can collect the dumps to create a physical clone of a card which later allows them to make in-person purchases.
  • The prices range from $15 to $1500 per card, depending on the bank account balance and freshness of the data.

Other malicious activities observed

  • Besides selling compromised credit cards, the messaging platform is also a channel to distribute malware.
  • In the first week of January, researchers identified a malicious Telegram for Desktop installer that was used for propagating Purple Fox malware. The installer was compiled in an AutoIt script named ‘Telegram Desktop.exe’ to fool users.
  • A new variant of Echelon infostealer had also leveraged the Telegram channel as a propagation channel in an attempt to steal crypto wallets from users.
  • Moreover, the threat actors behind the RedLine stealer were found operating the malware through an abused Telegram service to steal a heap of credentials from browsers, VPN, FTP, cookies, cryptocurrency wallet, and more.


Cybercrime continues to thrive on Telegram as more and more threat actors choose the encrypted messaging app to accomplish their malicious objectives. With over 500 million active users, Telegram should ensure that it does not become the future attack surface for illegal hacking, online fraud, and other criminal activities.

Cyware Publisher