Beyond Chinese dark, deep and open web forums and blogs, and like popular instant messaging apps such as WeChat and QQ, Telegram is an unlikely platform for Chinese threat actors in which to operate considering it is completely censored in China.
Despite China’s great firewall, Chinese internet users find various ways to access blocked platforms such as Telegram. A popular way to access Telegram is not VPN, but rather Shadowsocks – an open source Socks5 proxy project which acts as an intermediary designed specifically to bypass censorship. Shadowsocks does not protect your privacy and security like a VPN does, but its benefits are in its simplicity and easy usage as well as eligibility to access both China-only sites and censored sites and apps.
While Telegram is still inferior in terms of usage to other Chinese platforms, it is widely used as a secondary channel by many actors who wish to sell their illegal products and services. Actors will leave their telegram user details next to their QQ or jabber contact information and many Telegram channels promote their business. In addition, there are large (sometimes huge - tens of thousands of users) groups devoted to general black market products as well as more specific ones. Besides hacking products and services, credit cards, leaked data and forged documents that are not unique, Telegram covers a few industries that overshadows all other platforms. The most prominent are the gambling industry, E-commerce related frauds and shadow banking.
The gambling industry serves Chinese nationals on web platforms and has a strong connection to Chinese groups and businesses in countries such as Cambodia and the Philippines. Besides the illegal gambling activities, the industry provides hackers with a ripe and huge base for stealing data and credit card information.
The E-commerce industry in China is truly staggering and unparalleled and with that comes unique cyber challenges. This time it is not only personal data and banking information to be used by the hacker. It carries with it huge commercial value. Many Chinese Telegram actors will offer services to attack rival E-commerce shops by using attacks such as DDoS to hamper competition, extract data about their competitors’ costumers and gain an edge in this ultra-competitive environment.
Shadow banking, aka unregulated loans that do not involve any banks or formal organizations, is a trillion dollar industry that was of late scrutinized and cracked down by the Chinese government because of the risk it poses on the overall macro- economic factors of the Chinese economy. Telegram offers a home to many Chinese informal lenders, agents and loan sharks, offering illegal high-interest short term loans.
In the picture below – Sixgill’s threat intelligence platform monitoring a Chinese drug dealer on Telegram: