Discord and Telegram: democratization of cybercrime
Introduction
In the ever-evolving landscape of cybersecurity, new technologies, platforms and products, and by extension new threats, continuously emerge in cyberspace. Among these new technologies, two brands, which can be described either as new social media or as messaging apps, have come out on top: Telegram and Discord. Both platforms have become very popular in recent years and now bring together millions of users and a wide variety of communities.
Although these two applications have brought innovation to the communication and chat ecosystem through their simplicity and their capacity to create groups and communities, they have also created new opportunities for threat actors.
A godsend for cybercriminals
Discord and Telegram can nowadays be considered a playground for malicious actors on the Clearnet. Cybercriminals take advantage of the anonymity provided by both platforms and of the laxity that reigns on these two messaging applications. Even if the platforms' administrators ban or remove malicious content that violates their “security policy”, most of the harmful content slips through the net.
Both applications implement their own API (Discord even offers a webhook implementation), which lets users automate tasks by developing bots for the channels they create on Telegram and the servers they create on Discord. Unfortunately, as with many internet technologies, the benefits of Telegram and Discord's API features are overshadowed by misuse: threat actors exploit these tools to carry out illegal activities, turning the provided features to their advantage.
A considerable amount of malware, especially Stealers (i.e., trojans dedicated to gathering valuable information from a host, such as credentials stored in web browsers, session cookies, credit card data, or cryptocurrency wallet data), that uses Telegram and Discord's bot technologies as a Command & Control mechanism has emerged in the last few years. In this emergence, Telegram bots are clearly preferred to Discord bots, which remain fairly rare in the threat landscape. Among well-known stealers, Agent Tesla has the ability to exfiltrate stolen data to a Telegram channel using Telegram's API. Because the data is posted over TLS to the api.telegram.org domain, this encrypted traffic is difficult to tag as suspicious without evaluating request behaviour (frequency of the requests, requests to the API outside business hours, …).
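As an added example (not code from the original post), the following Python applies the behavioural approach just described to a proxy log: it flags hosts whose api.telegram.org traffic shows bursts of POSTs or activity outside business hours. The log format, the business-hours range and the thresholds are assumptions, and the log lines are constructed.

```python
# Added example (not from the original post): flag api.telegram.org traffic
# by request behaviour. Log format, hours and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime
# Constructed proxy log lines: timestamp, source host, destination, method.
SAMPLE_LOG = """\
2024-03-12T10:02:11Z WS-017 api.telegram.org POST
2024-03-12T10:02:41Z WS-017 api.telegram.org POST
2024-03-12T10:03:10Z WS-017 api.telegram.org POST
2024-03-12T10:03:44Z WS-017 api.telegram.org POST
2024-03-12T10:04:19Z WS-017 api.telegram.org POST
2024-03-12T11:30:00Z WS-022 api.telegram.org GET
2024-03-12T02:17:05Z WS-041 api.telegram.org POST
2024-03-12T12:00:00Z WS-022 www.example.com GET
"""
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 UTC
BURST_WINDOW_S = 300           # assumption: 5-minute sliding window
BURST_THRESHOLD = 5            # assumption: 5+ POSTs within the window

def parse_log(text):
    """Parse constructed log lines into (timestamp, src, dst, method)."""
    events = []
    for line in text.splitlines():
        ts, src, dst, method = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       src, dst, method))
    return events

def find_suspicious_hosts(events):
    """Return {src: [reasons]} for hosts whose Telegram API usage looks like
    automated exfiltration: POST bursts or activity outside business hours."""
    findings = defaultdict(set)
    posts = defaultdict(list)
    for ts, src, dst, method in events:
        if dst != "api.telegram.org":
            continue  # only the Telegram Bot API endpoint is of interest
        if ts.hour not in BUSINESS_HOURS:
            findings[src].add("off-hours")
        if method == "POST":
            posts[src].append(ts)
    # Sliding window over each host's POST timestamps to catch beacon-like bursts.
    for src, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > BURST_WINDOW_S:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings[src].add("burst")
                break
    return {src: sorted(reasons) for src, reasons in findings.items()}
```

Legitimate automation that talks to the Bot API will also trip these rules, so the output is a triage list to compare against known bots, not a verdict.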
Additionally, Discord also allows hosting files on its Content Delivery Network (CDN), a feature used by cybercriminals to host and propagate all sorts of malware, especially Stealers (again…) and Wipers (i.e., malware dedicated to destroying data), such as WhisperGate. WhisperGate is a Russian wiper that was deployed via Discord’s CDN against Ukrainian organizations in January 2022, showing that the phenomenon is not recent. However, in the last quarter of 2023, Discord introduced temporary links for off-platform content (links valid for 24 hours) to "stop malware delivery." This may indicate a willingness from Discord to stem the misuse of its CDN by cybercriminals.
Nevertheless, we may ask ourselves whether the real reason for implementing temporary links was to prevent threat actors from misusing the CDN to deploy malware via drive-by download, or simply to save on storage costs caused by the many users treating the CDN as a “free” file server.
An opportunity for inexperienced threat actors
Telegram and Discord, accessible on the Clearnet and easy to use, eliminate the need to navigate to obscure dark web forums, lowering the entry barrier to cybercrime. As a result, inexperienced individuals with only a light IT background can engage in cybercriminal activities, leveraging the robust features of Telegram and Discord to conduct and coordinate attacks with relative ease and anonymity. This trend broadens the cyber threat landscape, as more actors can exploit these platforms for illicit purposes.
Telegram, however, thanks to the greater public exposure of its channels compared with Discord servers, is more popular among cybercriminal trainees for running wide-scale illicit operations such as phishing campaigns built on phishing kits that use its API (and are sold on private Telegram channels designed like a dark web marketplace), Distributed Denial of Service (DDoS) claims, or website defacement claims, whereas Discord is mainly used for targeted individual phishing and knowledge sharing among these new threat actors.
The current geopolitical conflicts directly impact the cyber threat landscape, particularly increasing the frequency of DDoS attacks driven by political motivations.
The flare-up of the Russian-Ukrainian conflict in February 2022 and of the Israeli-Palestinian conflict in October 2023 led to an increase in DDoS attack claims on various Telegram channels operated by hacktivist groups. Among these groups, the pro-Russian group NoName057(16) targeted Luxembourgish and Belgian organizations with DDoS attacks in March 2024.
NoName057(16) threatening the Luxembourg state and Luxembourgish organizations with DDoS attacks in March 2024
Number of DDoS claims identified by TCS-CERT from May 2023 to May 2024
An emerging marketplace
Cybercriminal marketplaces on Discord and Telegram have become increasingly sophisticated and prevalent, serving as hubs for illegal activities including the sale of stolen data, the distribution of malicious software, and phishing kit marketplaces. The presence of both applications on the Clearnet, their ergonomics, their real-time communication, and the anonymity they provide all facilitate cybercriminal operations. On these two platforms, users can find channels and groups dedicated to various illegal services, such as stolen credit card marketplaces, malware marketplaces, or the sale of various stolen credentials. The marketplaces often operate on an invite-only basis, ensuring a degree of trust within the community. Transactions are typically conducted discreetly and in cryptocurrencies, which adds another layer of anonymity.
Nonetheless, these marketplaces, just like Darknet forums, are also full of scammers selling falsified data to other threat actors, creating a “biter bit” phenomenon.
Office 365 account database leaked on a Telegram channel.
Conclusion
The democratization of cybercrime through Discord and Telegram has expanded the cyber threat landscape, which a decade ago was primarily centred on Darknet forums and marketplaces. For us as cybersecurity enthusiasts, both platforms have become part of our lives, with their positive and negative sides: on one side they have facilitated knowledge sharing and strengthened the community, on the other they have added a layer of difficulty to our jobs. Finally, we interact with both messaging apps daily and must manage without expecting drastic security improvements from their respective boards, as that seems to be a utopia.
As a part of a proactive approach, and to warn its customers about potential attacks, TCS-CERT includes the monitoring of threat actors’ activity on Telegram via its “Digital Surveillance” service, which is constantly evolving and adapting to the surveillance of new threats on the rise.
Sources
📌 https://www.bitdefender.com/blog/hotforsecurity/discord-tightens-security-with-temporary-file-links/
📌 https://www.linkedin.com/pulse/masad-stealer-exfiltrating-using-telegram-ahmed-osama/
📌 https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/