$20K Buys Insider Access to Telegram Servers, Dark Web Ad Claims

For the non-negotiable price of $20,000, threat actors claim they can provide insider access to Telegram servers running the encrypted instant messaging platform preferred by a security-conscious clientele.

The ad, posted on a Dark Web marketplace and discovered by the researchers of SafetyDetectives, boasts that the access is high-level and provided "through their employees."

Rather than providing remote access, the seller is hawking "an offering of correspondence for six months," the SafetyDetectives team added.

"It is impossible to say how many users, or Telegram servers, may be impacted," the report explained. "However, if the vendor’s claims are valid, an insider in the internal Telegram network would be able to exfiltrate logs and compromise user data."

Meanwhile, it seems Telegram might have a broader phishing problem.

Phishing Explodes on Telegram

The discovery comes on the heels of the release of new data from Cofense that shows that the abuse of Telegram bots exploded by 800% in 2022, driven by threat actors using malicious HTML attachments to deliver credential phishing attempts. Telegram bots are also attractive to spear-phishers because they're free and easy to set up and run.

"Threat actors appreciate the ease of setting up bots in a private or group chat, the bots' compatibility with a wide range of programming languages, and ease of integrations into malicious mediums such as malware or credential phishing kits," the Cofense report said. "Coupling the ease of Telegram bot setup and use with the popular and successful tactic of attaching an HTML credential phishing file to an email, a threat actor can quickly and efficiently reach inboxes while exfiltrating credentials to a single point using an often-trusted service."