Sayak Saha Roy and Elham Pourabbas Vafa, The University of Texas at Arlington; Kobra Khanmohamaddi, Sheridan College; Shirin Nilizadeh, The University of Texas at Arlington
We present the first large-scale analysis of 339 cybercriminal activity channels (CACs). Followed by over 23.8M users, these broadcast-style channels share a wide array of malicious and unethical content with their subscribers, including compromised credentials, pirated software and media, social media manipulation tools, blackhat hacking resources such as malware and exploit kits, and social engineering scams. To evaluate these channels, we developed DarkGram—a BERT-based framework that automatically identifies malicious posts from the CACs with an accuracy of 96%. Using DarkGram, we conducted a quantitative analysis of 53,605 posts published on these channels between February and May 2024, revealing key characteristics of the shared content. While much of this content is distributed for free, channel administrators frequently employ strategies such as promotions and giveaways to engage users and boost sales of premium cybercriminal content. Interestingly, these channels sometimes pose significant risks to their own subscribers. Notably, 28.1% of the links shared in these channels contained phishing attacks, and 38% of executable files were bundled with malware. A closer look at how subscribers consume and react positively to the shared content paints a dangerous picture of how cybercriminal content is perpetuated at scale. We also found that the CACs can evade scrutiny or platform takedowns by quickly migrating to new channels with minimal subscriber loss, highlighting the resilience of this ecosystem. To counteract this, we used DarkGram to detect emerging channels and reported malicious content to Telegram and the affected organizations. This resulted in the takedown of 196 channels over the course of three months. Our findings underscore the urgent need for coordinated efforts to combat the growing threats posed by these channels. To aid this effort, we open-source our dataset and the DarkGram framework.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.