Telegram Tuesdays: Fraudsters responding to Telegram’s new policies

After Telegram's policy changes, fraudsters are eyeing alternatives like Signal. While chatter about migration has faded, illicit activities may shift to social media, complicating tracking efforts.

Posted by Overwatch Data and Unit 221B, October 1, 2024 - 6 min read

How are fraudsters responding to Telegram’s new policies?

Telegram is one of the primary hubs for illicit activities and the platform’s concession that it will start to work with law enforcement could be a landmark moment in the criminal world. What’s the mood in Telegram? How are illicit actors reacting? Where could discourse move to next? We get into all that and more.

What actually happened?

Following the arrest of its founder and CEO Pavel Durov in France last month, messaging platform Telegram said it will implement changes focused on safety and user privacy.

Durov faced questioning by French prosecutors concerning alleged criminal activities on the platform, such as gang transactions and trafficking. Additionally, there were accusations of the company's failure to provide data pertinent to their investigations. After his arrest, Durov was released on bail, set at $5.56 million, as the investigation continues.

Telegram is making some changes in an effort to reduce criminal activity on the platform, Durov said Monday in a post on the app. Chief among them: Telegram has updated its terms of service and privacy policy to note it will hand over the IP addresses and phone numbers of users who violate its rules to authorities in response to “valid legal requests.”

“Search on Telegram is more powerful than in other messaging apps because it allows users to find public channels and bots,” Durov wrote. “Unfortunately, this feature has been abused by people who violated our Terms of Service to sell illegal goods.”

What could this mean?

While the changes may mean less criminal activity in public areas of the platform, they won’t necessarily snuff out the illicit use of private, end-to-end encrypted chats, where Telegram says it has “no ways of deciphering the actual information” from conversations.

Most Telegram watchers are expecting little impact from these changes. Most users have said the new rules are unlikely to apply to them, and that they will continue to operate on Telegram in a “business as usual” capacity. Whether or not this is true depends on how wide a net Telegram’s Terms of Service covers - previously, it had only stated that “If Telegram receives a court order that confirms you're a terror suspect, we may disclose your IP address and phone number to the relevant authorities.” Now, it has expanded to the reception of “a valid order from the relevant judicial authorities that confirms you're a suspect in a case involving criminal activities that violate the Telegram Terms of Service.”

However, there are many others who are discussing migrating away from Telegram to other chat applications, such as Signal, or social media.

As past platform shifts have shown, replacing an incumbent is no small feat (ask Bluesky about Twitter/X); but threat actors are particularly motivated to stay one step ahead and, as the recent Chase Glitch showed, are adept at moving in and out of the spotlight. This includes going to social media platforms like TikTok, Instagram and Facebook when they want an audience, and to the darkest parts of the un-indexed web when they wish to hide away.

The main contender / ‘backup’ appears to be Signal, the privacy-preserving app and non-profit which works closely with the American Civil Liberties Union (ACLU) to challenge and respond to subpoenas, handing over as little user data as possible. That said, it’s still an American app that does cooperate with law enforcement, which will undoubtedly raise concerns amongst cyber criminals.

Signal does not officially support bots or provide an API for building bots on its platform, a major feature in Telegram’s fraud ecosystem. However, there are some third-party solutions that allow developers to create bot-like functionality for Signal.

These third-party solutions are unofficial and may have limitations. Signal's focus on privacy and end-to-end encryption also means it doesn't natively support bots that can read messages. As one commenter noted, “All messages are encrypted end-to-end by default. Bots would require a mechanism to read message text which is not possible when they're properly encrypted by default.”

So while it's possible to create bot-like functionality for Signal using third-party tools, there's no official support or API from Signal itself for building bots on the platform.

The hype around alternatives is dying down

While there was an initial spike in chatter around alternative platforms to replace Telegram, we’re already seeing this chatter die down.

For example, sharing of alternative Signal channels spiked in September following the news but has already started quietening down:

Chatter around a wide variety of alternative platforms had also increased in August/September, from commonly known platforms such as Discord and Tox to obscure platforms such as Threema and Session. This too has dropped off:

Interestingly, posts referencing Facebook, Instagram, and Twitter also increased in August 2024, particularly since the Chase Glitch fraud method went viral, where fraudsters shared a fast scam for exploiting a vulnerability in Chase’s check deposit system.

So What?

  1. Signal Collection Challenges: The potential migration to Signal introduces new complexities for law enforcement. Signal's strong encryption and minimal data retention policies could create a "buy-time" scenario, effectively restarting the arms race between criminals and authorities.
  2. Signal's Reputation at Risk: As more illicit actors potentially move to Signal, the platform may become increasingly associated with criminal activities. This shift could tarnish Signal's reputation as a privacy-focused tool for legitimate users.
  3. Fragmentation of Criminal Communications: The exodus from Telegram may lead to a more fragmented criminal landscape, with threat actors spread across multiple platforms. This diversification could complicate tracking and monitoring efforts.
  4. Increased Pressure on Privacy-Focused Platforms: As criminals seek new havens, privacy-centric platforms like Signal may face growing pressure from law enforcement to cooperate, potentially compromising their core principles.
  5. As public search on Telegram narrows, fraudsters could also move to social media to promote their wares.

The possible shift away from Telegram marks a significant moment in the ongoing cat-and-mouse game between cybercriminals and law enforcement. As threat actors adapt to new environments, we may see an evolution in their tactics, including increased use of ephemeral messaging, decentralized platforms, or even a return to more traditional, offline methods of communication. This transition period presents both challenges and opportunities for investigators, as disrupted criminal networks reorganize and potentially expose vulnerabilities in the process. Vigilance and adaptability will be key for both sides in this ever-changing digital landscape.
