article featured image


Cybercriminals take advantage of the popular instant messaging service dubbed Telegram for underground channels setup purposes. Their goal is to put for sale details of financial stolen data as pseudonym users become the buyers.

Why Telegram Is Easily Abused by Hackers?

According to BleepingComputer, one reason worth mentioning why threat actors manage easily to abuse this platform is due to the reason that Telegram censors only content that is extremist, adopting a loose moderation method.

Another reason would represent the fact that hackers find it much more simple to create a Telegram channel for their selling purposes, instead of building a new dark website. Besides, they can easily attract buyers and promote their activities on this channel.

A third reason points to the fact that compared to dark web markets, Telegram channels are characterized by a much short-lived and volatile nature, this means that threat actors have an advantage as they cannot be so easily tracked plus the association of this channels’ online personas with real identities.

Selling Data on Telegram: A Continous Matter

This topic was addressed by researchers from Cybersixgill in a report they published. During the year that just passed, the experts gathered data that made them come to the conclusion that the sale of financial accounts still represents a problem of great importance, even if the volume of this activity has diminished.

In their investigation, the researchers focused their attention on high-quality information and filtered out bot spams. An example in this sense would be the method of listing specific keywords associated with the sale of these financial accounts along with money laundering activities.

They also inserted a diagram in their report, highlighting the sales activity in 2020 and 2021.

illustration sales-activity-Telegram-Cybersixgill

Image Source

According to the experts under discussion, the decrease in sales in 2021 by 60% compared to the precedent year was caused by the fact that during the pandemic period there were not so many new credit cards issues as in the past.

This stark nosedive in discourse surrounding compromised accounts from 2020 to 2021 might seem remarkable, but it is not an isolated event; a parallel decrease was also identified in the total number of compromised credit cards sold on underground markets throughout the same period. (…) In our Underground Financial Fraud report for H1 2021, we attributed this decline to the closure of several credit card markets (either imposed by law enforcement or as a result of threat actor “retirement”), ongoing trends towards contactless payments accelerated during the pandemic, and the overall reduction of newly-issued credit cards.


The experts also mentioned that this decrease might also be an effect of the general carding space decline and that at the present moment threat actors focus rather on ransomware operations that are more productive.

Which Financial Institutions Were Mostly Listed on Telegram?

The most mentioned financial institution on Telegram channels, according to researchers, was PayPal with Western Union and Chase closely following it.

 This is unsurprising, as PayPal and similar online payment platforms serve a dual purpose for threat actors. Such platforms are lucrative targets for cyberattack (especially account takeovers), with cybercriminals seeking to compromise the accounts and drain their funds. Additionally, online payment platforms are also widely leveraged as a means of money laundering, used by actors to process stolen funds and transfer money to and from cryptocurrency.



Credit Cards Still Sold On Telegram

Even if these malicious sales are not as big as they used to be, credit cards continue to be sold on Telegram. Almost half of these include also the CVV/CVV2 codes.

A card can cost from $10 to $1,500, the price being related to the balance on the bank account, but also to how fresh is the information.

The price can grow also if the victim has not figured out their credit card details were compromised, meaning that they did not report this to the bank. So no risk of reporting to the bank means that hackers sell these for a higher price.

Bank Credentials are also for sale on dedicated Telegram channels which can serve for electronic cashout purposes.

bank logs sold on Telegram Cybersixgill illlustration

Image Source

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!