How Telegram Turbocharges Organized Crime
Published by The Lawfare Institute
in Cooperation With
Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.
How Telegram Turbocharges Organized Crime
A new report highlights the need to crack down on Telegram’s role as a massive enabler of transnational criminal organizations. It says Telegram is used to facilitate criminal activity ranging from cyber-enabled fraud and illegal gambling to money laundering and criminal marketplaces that sell malware, stolen data, and even murder for hire.
The report, authored by the UN Office on Drugs and Crime, examined the criminal adoption of technology and described the rapid evolution of the criminal ecosystem in Southeast Asia. It noted criminal groups started out running illegal or under-regulated gambling facilities, particularly in weakly governed regions including locations in Myanmar. These groups developed money laundering capabilities to handle the cash their activities generated.
The rise of online gambling, particularly since the pandemic, resulted in huge cash inflows to many groups. Some criminal networks also involved themselves in synthetic drug manufacturing and trafficking. The billions of dollars involved in these activities “attracted new criminal networks, innovators, and specialist service providers to enter illicit markets while simultaneously driving demand for sophisticated new channels to be created.”
Per the report:
Criminals are no longer required to handle their own money laundering, coding malware, or stealing sensitive personal information to profile potential victims or obtain initial access for their attacks themselves. Instead, these key components can be purchased from service providers in underground markets and forums, often at very accessible prices.
Telegram acts as a communication fabric for this criminal ecosystem:
Several platforms controlled by powerful and influential regional criminal networks have come to dominate the illicit economy, particularly on Telegram, representing key venues where criminals and service providers congregate, connect, and conduct business online, fueling the growth of the regional illicit economy.
Organized crime groups developed large criminal marketplaces on Telegram. Currently, the largest of these is called Telegram Marketplace 1 or TM1 in the report. It is a predominantly Chinese-language platform with over 820,000 users and is controlled by a “powerful and influential conglomerate” referred to as Business Group 1 or BG1. The report says that the group maintains TM1 and “serves as a guarantor and escrow provider for all transactions to prevent fraud within the illicit economy.”
A wide range of criminal services are offered on TM1:
[M]ost active merchants can be observed explicitly targeting cyber-enabled fraud operators, with the largest proportion of merchants focused on international underground banking and laundering services. This includes hundreds of motorcade [money laundering] teams specializing in organized money muling and shell company registration in various jurisdictions, as well as solutions for unblocking frozen funds and obtaining large numbers of pre-registered point-of-sale terminals. Other service categories include vendors dedicated to malicious software development including fraudulent investment apps and scam kits, data theft and hacking, as well as vendors engaged in citizenship-by-investment and identity transfer schemes, prostitution, murder-for-hire, procurement and distribution of telecommunication equipment, and deep fake software development and installation. It has recently also established groups dedicating to hacking activities and has exhibited a notable increase in groups and vendors focusing specifically on Japanese and Korean language cyber-enabled fraud activity, as well as the sale of “first hand” registered bank accounts at major western financial institutions in countries including Canada, the United States, and various European countries.
Cryptocurrencies also play a role in the rise of these criminal networks. Blockchain analysis companies said that BG1 had processed more than $49 billion in cryptocurrency transactions since 2021. While a proportion of these transactions may be legal, this figure provides some guidance as to the scale of these enterprises. As per the report:
The growing adoption of cryptocurrency within Southeast Asia’s illicit economy has served as an important catalyst for cyber-enabled fraud operators based in the region to expand globally. This is due to the ease with which rapid cross-border transactions can take place, widespread misinformation and low levels of understanding about how cryptocurrency functions, and, in some cases, the breakdown of cross-border law enforcement cooperation, investigation, case intake, and asset recovery.
Powerful transnational criminal networks have developed a range of sophisticated mechanisms, structures, and techniques to launder stolen funds, particularly using stablecoins—or cryptocurrencies pegged to and backed by fiat currencies like the U.S. dollar—which have become popular in East and Southeast Asia compared to other regions.
The report also covers the increasing use of deepfake or generative artificial intelligence (AI) technologies. These are increasingly used for “social engineering in fraud schemes, deceptive recruitment campaigns (i.e. recruitment of victims of trafficking for forced criminality), disinformation, and money laundering by services specializing in bypassing [know your customer or] KYC measures.” (KYC bypasses could include impersonating someone using voice or face-swap technologies.) These deepfake technologies are provided on Telegram marketplaces.
We have previously covered the vast human misery that some of these criminal groups cause by scamming victims and trafficking people as forced labor. This is a complex problem with no magic bullet solution, but we are struck by how often Telegram appears as an enabler.
After his arrest in Paris in August, Telegram’s CEO Pavel Durov said the app would disclose the phone numbers and IP addresses of its users in response to valid legal requests. This might be a win for police when it comes to individual crimes, but it will achieve next to nothing when it comes to tackling large-scale organized crime marketplaces that contain hundreds of thousands of buyers and sellers.
There is an opportunity here to force Telegram to reconsider its takedown policies for criminal marketplaces. We hope someone seizes it.
China Wants to Watch the Watchers
U.S. officials have raised the specter of Chinese hackers using American lawful intercept systems to uncover its counterintelligence efforts. This incident is being seized on by privacy advocates to argue against the use of mandated backdoors. This week the Washington Post reported that a recent breach of U.S. telecommunications companies by China was likely aimed in part at discovering which Chinese espionage assets were the target of American surveillance. The breaches, which were first reported in late September, were carried out by a group Microsoft has dubbed “Salt Typhoon.” The group successfully penetrated at least three of the U.S.’s largest internet service providers: Verizon, AT&T, and Lumen.
The Washington Post reports officials have linked Salt Typhoon to China’s Ministry of State Security, although there has not been a government attribution statement. Officials said there was “some indication” that telecommunication companies’ lawful intercept systems were targeted. These systems provide official access to otherwise private communications when authorized by a court order or equivalent. They are widely deployed around the world, and ETSI standards cover their technical aspects. By compromising these systems, Salt Typhoon could potentially find out who the U.S. government had under surveillance and therefore identify any Chinese espionage assets under investigation.
A counter-counter-intelligence operation, if you will.
This incident is being cited by various advocates as proof that, in the words of the Electronic Frontier Foundation, “there is no such thing as a security backdoor that is only for the ‘good guys’.” The implicit argument of those opposing lawful intercept is that any malicious use means that lawful access schemes should never be used. That can’t be right. Any system has benefits and costs and should be justified (or not) on the net benefit. In the U.S., the 2023 Wiretap Report indicates that data from lawful intercept was involved in the arrest of 5,530 people and in the conviction of 456 (with likely more to come as court cases end). The Wiretap Report is authored by the U.S. court system, so on the benefit side of the equation are lawful intercepts used for intelligence and counterespionage purposes.
How do you weigh those benefits against a potential Chinese operation? We suspect that although this incident harms U.S. national security, fighting crime domestically is even more important.
Three Reasons to Be Cheerful This Week:
- International ransomware guidance: The International Counter Ransomware Initiative (CRI) appears to be making progress and this week published its guidance to organizations about how to respond to ransomware attacks. It’s short, readable, and makes a lot of sense.
- Over 100 FSB domains seized: The FBI and Microsoft seized more than 100 domains used in a Russian Federal Security Service (FSB) spear phishing campaign. One of the reasons Microsoft is able to seize domains is because the campaign impersonated its brands while targeting its customers. The action was filed jointly with the NGO-ISAC, a membership cybersecurity organization for nonprofits. Some members had their trademarks infringed in spear phishing messages, which sometimes impersonated an employee of an NGO-ISAC member organization.
- Russia cracks down on money laundering: Last week, Russian authorities announced the arrest of nearly 100 people in relation to cryptocurrency money laundering. The action occurred just a week after Sergey Ivanov, one of the individuals arrested, was named in U.S. sanctions action.
Shorts
North Korea Swamps the Crypto Industry
CoinDesk has a remarkably entertaining account of its investigation that found that more than a dozen blockchain firms had inadvertently hired North Korean information technology (IT) workers. Per CoinDesk:
In many cases, North Korean workers conducted their work just like typical employees; so the employers mostly got what they paid for, in a sense. But CoinDesk found evidence of workers subsequently funneling their wages to blockchain addresses linked to the North Korean government.
CoinDesk’s investigation also revealed several instances where crypto projects that employed DPRK IT workers later fell victim to hacks. In some of those cases, CoinDesk was able to link the heists directly to suspected DPRK IT workers on a firm’s payroll.
One firm, Truflation, found that five people, more than a third of its entire team, were North Korean. Cluster, a decentralized finance start-up, fired two developers after being tipped off that the pair were linked to North Korea. Its founder, known as z3n, told CoinDesk that there were some “clear red flags.” “Every two weeks they changed their payment address, and every month or so they would change their Discord name or Telegram name,” z3n said.
All the Things Invading Your Privacy
A rash of stories this week describe devices capturing data about you in your home or car including voice and photo or video recordings:
- Chinese Ecovacs robot vacuums are using photos, videos, and audio recordings from inside your house to train the company’s AI models.
- Smart TVs track your viewing habits by taking snapshots of what you are watching.
- Cars collect and share voice and video with third parties.
The common thread in all these stories is that information contained in privacy policies is opaque and hard to interpret. When it comes to that kind of data collection and sharing—the creepy kind, that is—privacy policies should be crystal clear, and sharing should require an explicit opt-in.
Risky Biz Talks
In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq talk about “cyber persistence theory.” They cover what it is, why it is increasingly popular among America’s allies, why they think the theory is right, and some critiques of the theory.
From Risky Biz News:
EU adopts new sanctions framework to cover Russia’s cyber warfare and disinformation: The European Council adopted on Tuesday a new sanctions framework designed to counter Russia’s hybrid attacks against EU member states. The new framework expands the type of actions the EU can leverage against the Russian government, organizations, and individuals involved in the Kremlin’s ever-increasing aggression.
It’s been expanded to cover:
- The use of coordinated disinformation, foreign information manipulation and interference (FIMI).
- Malicious cyber activities.
- The undermining of electoral processes and the functioning of democratic institutions.
- Threats and sabotage of economic activities, services of public interest, and critical infrastructure.
- The instrumentalization of migrants.
Smart TVs take snapshots of what you watch: LG and Samsung smart TVs are shipping with intrusive technology that takes snapshots of the screen in order to track what users are watching. The technology is named “automatic content recognition” (ACR) and was pioneered in the early 2010s by Shazam.
It was initially offered via software libraries and software developer kits, and was found only in a few apps, such as Netflix, Hulu, and others. However, over the past few years, ACR tracking tech has slowly crept into the core firmware of almost all modern-day smart TVs—making it almost impossible to avoid if you’ve bought a TV recently. In a research paper published at the start of September, a team of academics from the U.S., the U.K., and Spain has looked at how ACR works on LG and Samsung smart TVs.
Russia arrests Cryptex founder a week after U.S. sanctions: Russian authorities have arrested 96 individuals linked to the Cryptex cryptocurrency exchange, the UAPS anonymous money transfer system, and 33 other illegal payment systems. The arrests took place following house searches at 148 locations across 14 Russian regions in what Russian media has called one of the country’s largest crackdowns against cybercrime and cryptocurrency gangs.
According to Russian news agency Interfax, one of the detained suspects was identified as Sergey Ivanov, the administrator of Cryptex and UAPS. Ivanov’s arrest comes a week after U.S. authorities charged and sanctioned him for running the same platforms and facilitating a large-scale money laundering business for cybercrime operations.