How Telegram Turbocharges Organised Crime

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Airlock Digital.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Srsly Risky Biz: How Telegram turbocharges organised crime
Podcast Episode · Risky Business News · 10/10/2024 · 23m
[Image: Telegram from a criminal, Stable Diffusion]

A new report highlights the need to crack down on Telegram’s role as a massive enabler of transnational criminal organisations. It says Telegram is used to facilitate criminal activity ranging from cyber-enabled fraud and illegal gambling to money laundering and criminal marketplaces that sell malware, stolen data and even murder for hire. 

The report, authored by the UN Office on Drugs and Crime, examined the criminal adoption of technology and described the rapid evolution of the criminal ecosystem in Southeast Asia. 

It noted criminal groups started out running illegal or under-regulated gambling facilities, particularly in weakly governed regions including locations in Myanmar. These groups developed money laundering capabilities to handle the cash their activities generated. 

The rise of online gambling, particularly since the pandemic, resulted in huge cash inflows to many groups. Some criminal networks also involved themselves in synthetic drug manufacturing and trafficking. The billions of dollars involved in these activities "attracted new criminal networks, innovators, and specialist service providers to enter illicit markets while simultaneously driving demand for sophisticated new channels to be created". 

Per the report:

Criminals are no longer required to handle their own money laundering, coding malware, or stealing sensitive personal information to profile potential victims or obtain initial access for their attacks themselves. Instead, these key components can be purchased from service providers in underground markets and forums, often at very accessible prices.

Telegram acts as a communication fabric for this criminal ecosystem:

Several platforms controlled by powerful and influential regional criminal networks have come to dominate the illicit economy, particularly on Telegram, representing key venues where criminals and service providers congregate, connect, and conduct business online, fueling the growth of the regional illicit economy. 

Organised crime groups developed large criminal marketplaces on Telegram. 

Currently, the largest of these is called Telegram Marketplace 1 or TM1 in the report. It is a predominantly Chinese-language platform with over 820,000 users and is controlled by a "powerful and influential conglomerate" referred to as Business Group 1 or BG1. The report says that the group maintains TM1 and "serves as a guarantor and escrow provider for all transactions to prevent fraud within the illicit economy". 

A wide range of criminal services are offered on TM1:

…most active merchants can be observed explicitly targeting cyber-enabled fraud operators, with the largest proportion of merchants focused on international underground banking and laundering services. This includes hundreds of motorcade [money laundering] teams specialising in organised money muling and shell company registration in various jurisdictions, as well as solutions for unblocking frozen funds and obtaining large numbers of pre-registered point-of-sale terminals. Other service categories include vendors dedicated to malicious software development including fraudulent investment apps and scam kits, data theft and hacking, as well as vendors engaged in citizenship-by-investment and identity transfer schemes, prostitution, murder-for-hire, procurement and distribution of telecommunication equipment, and deep fake software development and installation. It has recently also established groups dedicated to hacking activities and has exhibited a notable increase in groups and vendors focusing specifically on Japanese and Korean language cyber-enabled fraud activity, as well as the sale of "first hand" registered bank accounts at major western financial institutions in countries including Canada, the United States, and various European countries.

Cryptocurrencies also play a role in the rise of these criminal networks. Blockchain analysis companies said that BG1 had processed more than USD 49bn in cryptocurrency transactions since 2021. While a proportion of these transactions may be legal, this figure provides some guidance as to the scale of these enterprises. As per the report:

The growing adoption of cryptocurrency within Southeast Asia's illicit economy has served as an important catalyst for cyber-enabled fraud operators based in the region to expand globally. This is due to the ease with which rapid cross-border transactions can take place, widespread misinformation and low levels of understanding about how cryptocurrency functions, and, in some cases, the breakdown of cross-border law enforcement cooperation, investigation, case intake, and asset recovery. 
Powerful transnational criminal networks have developed a range of sophisticated mechanisms, structures, and techniques to launder stolen funds, particularly using stablecoins — or cryptocurrencies pegged to and backed by fiat currencies like the U.S. dollar — which have become popular in East and Southeast Asia compared to other regions. 

The report also covers the increasing use of deepfake or generative AI technologies. These are increasingly used for "social engineering in fraud schemes, deceptive recruitment campaigns (i.e. recruitment of victims of trafficking for forced criminality), disinformation, and money laundering by services specialising in bypassing KYC measures". (Know Your Customer bypasses could include impersonating someone using voice or face swap technologies). These deepfake technologies are provided on Telegram marketplaces.   

We have previously covered the vast human misery that some of these criminal groups cause by scamming victims and trafficking people as forced labour. This is a complex problem with no magic bullet solution, but we are struck by how often Telegram appears as an enabler.

After his arrest in Paris in August, Telegram's CEO Pavel Durov said the app would disclose the phone numbers and IP addresses of its users in response to valid legal requests. This might be a win for police when it comes to individual crimes, but it will achieve next to nothing when it comes to tackling large scale organised crime marketplaces that contain hundreds of thousands of buyers and sellers.

There is an opportunity here to force Telegram to reconsider its takedown policies for criminal marketplaces. We hope someone seizes it. 

China Wants to Watch the Watchers

US officials have raised the spectre of Chinese hackers using American lawful intercept systems to uncover US counterintelligence efforts. The incident is being seized upon by privacy advocates to argue against the use of mandated backdoors. 

This week The Washington Post reported that a recent PRC breach of US telecommunications companies was likely aimed in part at discovering which Chinese espionage assets were the target of American surveillance. 

The breaches, which were first reported in late September, were carried out by a group Microsoft has dubbed 'Salt Typhoon'. The group successfully penetrated at least three of the US's largest internet service providers: Verizon, AT&T and Lumen.

The Washington Post reports officials have linked Salt Typhoon to China's Ministry of State Security (see this Between Three Nerds podcast discussing the MSS), although there has not been a government attribution statement. 

Officials said there was "some indication" that telcos' lawful intercept systems were targeted. These systems provide official access to otherwise private communications when authorised by a court order or equivalent. They are widely deployed around the world and ETSI standards cover their technical aspects.   

By compromising these systems, Salt Typhoon could potentially find out who the US government had under surveillance and therefore identify any Chinese espionage assets under investigation. 

A counter-counter-intelligence operation, if you will. 

This incident is being cited by various advocates as proof that, in the words of the EFF, "there is no such thing as a security backdoor that is only for the 'good guys'". 

The implicit argument of those opposing lawful intercept is that any malicious use means that lawful access schemes should never be used.

That can't be right. Any system has benefits and costs and should be justified (or not) on the net benefit. In the US, the 2023 Wiretap Report indicates that data from lawful intercept was involved in the arrest of 5,530 people and in the conviction of 456 (with likely more to come as court cases end). 

The Wiretap Report is authored by the US court system and only covers intercepts authorised for criminal investigations, so on the benefit side of the equation also add lawful intercepts used for intelligence and counter-espionage purposes.   

How do you weigh those benefits against a potential Chinese operation? We suspect that although this incident harms US national security, fighting crime domestically is even more important.

Watch Adam Boileau and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

  1. International ransomware guidance: The International Counter Ransomware Initiative (CRI) appears to be making progress and this week published its guidance to organisations about how to respond to ransomware attacks. It's short, readable and makes a lot of sense. 
  2. Over 100 FSB domains seized: The FBI and Microsoft seized more than 100 domains used in a Russian Federal Security Service (FSB) spear phishing campaign. One of the reasons Microsoft is able to seize domains is because the campaign impersonated its brands while targeting its customers. The action was filed jointly with the NGO-ISAC, a membership cybersecurity organisation for non-profits. Some members had their trademarks infringed in spear phishing messages which sometimes impersonated an employee of an NGO-ISAC member organisation. 
  3. Russia cracks down on money laundering: Last week Russian authorities announced the arrest of nearly 100 people in relation to cryptocurrency money laundering. The action occurred just a week after Sergey Ivanov, one of the individuals arrested, was named in US sanctions action. Risky Business News has more coverage at the bottom of this newsletter.   

In this Risky Business News sponsor interview, Catalin Cimpanu talks with Airlock Digital founders Daniel Schell and David Cottingham about other things Microsoft can do to secure and harden Windows.

Sponsored: Airlock Digital on what else should be disabled in Windows
Podcast Episode · Risky Business News · 06/10/2024 · 21m

Shorts

North Korea Swamps the Crypto Industry

CoinDesk has a remarkably entertaining account of its investigation which found that more than a dozen blockchain firms had inadvertently hired North Korean IT workers. Per CoinDesk:

In many cases, North Korean workers conducted their work just like typical employees; so the employers mostly got what they paid for, in a sense. But CoinDesk found evidence of workers subsequently funnelling their wages to blockchain addresses linked to the North Korean government.
CoinDesk's investigation also revealed several instances where crypto projects that employed DPRK IT workers later fell victim to hacks. In some of those cases, CoinDesk was able to link the heists directly to suspected DPRK IT workers on a firm's payroll.

One firm, Truflation, found that five people, more than a third of its entire team, were North Korean. 

Cluster, a decentralised finance startup, fired two developers after being tipped off that the pair were linked to North Korea. Its founder, known as z3n, told CoinDesk that there were some "clear red flags". 

"Every two weeks they changed their payment address, and every month or so they would change their Discord name or Telegram name", z3n said.  
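The red flags z3n describes, rotating payout addresses and chat handles, are easy to check for mechanically once you have a payroll or contractor export to look at. The following is an added example, not code from CoinDesk, Cluster or any firm mentioned above; it assumes one record per payment carrying a contractor ID, payment date, payout address and chat handle (the sample records are constructed), and flags contractors whose address or handle changes more often than a threshold within a rolling window.

```python
"""Flag contractors whose payout address or chat handle churns unusually often.

Added example (not from the original article). The record layout and the
thresholds are assumptions: tune them to the cadence of your own payroll.
"""
from collections import defaultdict
from datetime import date

# Constructed sample payroll records: (contractor_id, pay_date, payout_address, handle).
# dev-01 is steady; dev-02 shows the pattern described in the article.
SAMPLE_PAYMENTS = [
    ("dev-01", date(2024, 6, 1), "0xaaa1", "alice_dev"),
    ("dev-01", date(2024, 6, 15), "0xaaa1", "alice_dev"),
    ("dev-01", date(2024, 7, 1), "0xaaa1", "alice_dev"),
    ("dev-01", date(2024, 7, 15), "0xaaa1", "alice_dev"),
    ("dev-02", date(2024, 6, 1), "0xbbb1", "bob_builds"),
    ("dev-02", date(2024, 6, 15), "0xbbb2", "bob_builds"),
    ("dev-02", date(2024, 7, 1), "0xbbb3", "bobby_b"),
    ("dev-02", date(2024, 7, 15), "0xbbb4", "bobby_b"),
]


def count_changes(records):
    """Count how often the address and the handle change between consecutive
    payments, in date order. records: list of (pay_date, address, handle)."""
    records = sorted(records, key=lambda r: r[0])
    address_changes = handle_changes = 0
    for (_, prev_addr, prev_handle), (_, addr, handle) in zip(records, records[1:]):
        address_changes += addr != prev_addr
        handle_changes += handle != prev_handle
    return address_changes, handle_changes


def churn_report(payments, window_days=90, max_address_changes=1, max_handle_changes=1):
    """Return {contractor_id: [reasons]} for contractors exceeding the thresholds
    within window_days of their most recent payment. Thresholds are assumptions:
    one change in 90 days is plausible, several are not."""
    by_contractor = defaultdict(list)
    for contractor_id, pay_date, address, handle in payments:
        by_contractor[contractor_id].append((pay_date, address, handle))

    flagged = {}
    for contractor_id, records in by_contractor.items():
        latest = max(r[0] for r in records)
        recent = [r for r in records if (latest - r[0]).days <= window_days]
        address_changes, handle_changes = count_changes(recent)
        reasons = []
        if address_changes > max_address_changes:
            reasons.append(f"{address_changes} payout address changes in {window_days} days")
        if handle_changes > max_handle_changes:
            reasons.append(f"{handle_changes} handle changes in {window_days} days")
        if reasons:
            flagged[contractor_id] = reasons
    return flagged


if __name__ == "__main__":
    for contractor_id, reasons in churn_report(SAMPLE_PAYMENTS).items():
        print(contractor_id, "->", "; ".join(reasons))
```

On the sample data only dev-02 is flagged, for three payout address changes; its single handle change stays under the default threshold, which is the point of scoring each signal separately rather than flagging on any change at all. A churning address is a hint, not proof: cross-check against identity verification and interview records before acting on it.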

All The Things Invading Your Privacy

A rash of stories this week describe devices capturing data about you in your home or car, including voice and photo or video recordings.

The common thread in all these stories is that information contained in privacy policies is opaque and hard to interpret. When it comes to that kind of data collection and sharing — the creepy kind, that is — privacy policies should be crystal clear and sharing should require an explicit opt-in. 

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about 'cyber persistence theory'. They cover what it is, why it is increasingly popular amongst America's allies, why we think the theory is right and also cover some critiques of the theory.

They refer to the article 'America’s allies are shifting: Cyberspace is about persistence, not deterrence' in CyberScoop.

Between Two Nerds: The rise of cyber persistence
Podcast Episode · Risky Business News · 07/10/2024 · 22m

From Risky Biz News:

EU adopts new sanctions framework to cover Russia's cyber warfare and disinformation: The European Council adopted on Tuesday a new sanctions framework designed to counter Russia's hybrid attacks against EU member states.

The new framework expands the type of actions the EU can leverage sanctions against the Russian government, organisations, and individuals involved in the Kremlin's ever-increasing aggression.

It's been expanded to cover:

  • The use of coordinated disinformation, foreign information manipulation and interference (FIMI);
  • Malicious cyber activities;
  • The undermining of electoral processes and the functioning of democratic institutions;
  • Threats and sabotage of economic activities, services of public interest, and critical infrastructure;
  • And the instrumentalization of migrants.

[more on Risky Business News]

Smart TVs take snapshots of what you watch: LG and Samsung smart TVs are shipping with intrusive technology that takes snapshots of the screen in order to track what users are watching.

The technology is named "Automatic Content Recognition" (ACR) and was pioneered in the early 2010s by Shazam.

It was initially offered via software libraries and SDKs and was found in only a few apps, such as Netflix and Hulu. However, over the past few years, ACR tracking tech has slowly crept into the core firmware of almost all modern-day smart TVs, making it almost impossible to avoid if you've bought a recent TV.

In a research paper published at the start of September, a team of academics from the US, the UK, and Spain has looked at how ACR works on LG and Samsung smart TVs.

[more on Risky Business News]

Russia arrests Cryptex founder a week after US sanctions: Russian authorities have arrested 96 individuals linked to the Cryptex cryptocurrency exchange, the UAPS anonymous money transfer system, and 33 other illegal payment systems.

The arrests took place following house searches at 148 locations across 14 Russian regions in what Russian media has called one of the country's largest crackdowns against cybercrime and cryptocurrency gangs.

According to Russian news agency Interfax, one of the detained suspects was identified as Sergey Ivanov, the administrator of Cryptex and UAPS.

Ivanov's arrest comes a week after US authorities charged and sanctioned him for running the same platforms and facilitating a large-scale money laundering business for cybercrime operations.

[more on Risky Business News]