Cyber criminals and hacktivist groups are increasingly using the Telegram messaging app to coordinate their activities, leak data, and spread disinformation, as the Russia-Ukraine conflict enters its eighth day.
A new analysis by Israeli cybersecurity company Check Point Research has found that "user volume grew a hundred folds daily on Telegram related groups, peaking at 200,000 per group."
Prominent among the groups are anti-Russian cyber attack groups, including the Ukraine government-backed IT Army, which has urged its more than 270,000 members to conduct distributed denial-of-service (DDoS) attacks against Russian entities.
Other hacktivist-oriented Telegram groups used to coordinate the attacks on Russian targets via DDoS, SMS or call-based attacks are Anna_ and Mark_, Check Point researchers noted.
That said, there may be more to these attacks than meets the eye. "It seems that many of the hacktivist groups are more focused on building self-reputation and receiving credit for supporting Ukraine or Russia, than to cause real damage to the countries," the researchers said.
Furthermore, cyber criminals are looking to capitalize on the conflict through Telegram groups containing tens of thousands of users that aim to "raise funds for Ukraine" and broadcast unverified news reports in an attempt to circumvent mainstream media.
Telegram, for its part, said it may potentially consider partially or fully restricting certain channels so as to prevent malicious actors from abusing the platform to "deepen conflicts."
The messaging app, which has over 500 million active users, has been used for black market activities in the past. In September 2021, more than 10,000 vendors were uncovered selling counterfeit COVID-19 vaccine certificates pertaining to over 25 countries for anywhere between $85 and $200, with some Telegram groups peaking at a follower size as large as 300,000.
The spike in the use of Telegram in Ukraine hasn't escaped the notice of Moxie Marlinspike, the founder of the privacy-oriented messaging app Signal, who called out the former's "decade of misleading marketing" for making most people in the country believe "it's an encrypted app."
"The reality is the opposite – Telegram is by default a cloud database with a plaintext copy of every message everyone has ever sent/received," Marlinspike tweeted last week. "Every message, photo, video, document sent/received for the past 10 years; all contacts, group memberships, etc are all available to anyone with access to that database."