Chinese Threat Actors’ Dark Web Activities on Telegram

By Ori Rubinstein – September 17, 2019

Beyond Chinese dark, deep and open web forums and blogs, and like popular
instant messaging apps such as WeChat and QQ, Telegram is an unlikely platform
for Chinese threat actors in which to operate considering it is completely censored
in China.

Despite China’s great firewall, Chinese internet users find various ways to access
blocked platforms such as Telegram. A popular way to access Telegram is not VPN,
but rather Shadowsocks – an open source Socks5 proxy project which acts as an
intermediary designed specifically to bypass censorship. Shadowsocks does not
protect your privacy and security like a VPN does, but its benefits are in its
simplicity and easy usage as well as eligibility to access both China-only sites and
censored sites and apps.

While Telegram is still inferior in terms of usage to other Chinese platforms, it is
widely used as a secondary channel by many actors who wish to sell their illegal
products and services. Actors will leave their telegram user details next to their QQ
or jabber contact information and many Telegram channels promote their
business. In addition, there are large (sometimes huge - tens of thousands of users)
groups devoted to general black market products as well as more specific ones.
Besides hacking products and services, credit cards, leaked data and forged
documents that are not unique, Telegram covers a few industries that overshadows
all other platforms. The most prominent are the gambling industry, E-commerce
related frauds and shadow banking.

Blog - China's Unique Platforms for Cyber Threat Actors: WeChat and QQ
The gambling industry serves Chinese nationals on web platforms and has a strong
connection to Chinese groups and businesses in countries such as Cambodia and
the Philippines. Besides the illegal gambling activities, the industry provides hackers
with a ripe and huge base for stealing data and credit card information.

The E-commerce industry in China is truly staggering and unparalleled and with
that comes unique cyber challenges. This time it is not only personal data and
banking information to be used by the hacker. It carries with it huge commercial
value. Many Chinese Telegram actors will offer services to attack rival E-commerce
shops by using attacks such as DDoS to hamper competition, extract data about
their competitors’ costumers and gain an edge in this ultra-competitive
environment.

Shadow banking, aka unregulated loans that do not involve any banks or formal
organizations, is a trillion dollar industry that was of late scrutinized and cracked
down by the Chinese government because of the risk it poses on the overall macro-
economic factors of the Chinese economy. Telegram offers a home to many
Chinese informal lenders, agents and loan sharks, offering illegal high-interest short
term loans.

In the picture below – Sixgill’s threat intelligence platform monitoring a Chinese
drug dealer on Telegram:

 

Contact Us

Don’t miss out on the latest

Get notified on Industry updates.
we promise not to spam