DarkGram: A Large-Scale Analysis of Cybercriminal Activity Channels on Telegram
Sayak Saha Roy, Elham Pourabbas Vafa, Kobra Khanmohammadi, Shirin Nilizadeh
TL;DR
This work presents the first large-scale analysis of Cybercriminal Activity Channels (CACs) on Telegram, built around DarkGram, a BERT-based classifier that identifies malicious posts across five CAC categories with 96% accuracy. Applied to 53,605 posts from 339 CACs (23.8M subscribers in total) shared between February and May 2024, the study finds that subscribers themselves are at risk (28.1% of shared links were phishing and 38% of executable files were bundled with malware) and that channel administrators use engagement and monetization tactics such as giveaways and bots to drive sales of premium cybercriminal content. Because CACs survive platform takedowns by migrating to new channels with little subscriber loss, the authors used DarkGram to detect emerging CACs on Telegram and Facebook in real time and to report them, leading to the takedown of 196 channels within three months and demonstrating a practical path for coordinated takedowns. The authors open-source their dataset and framework to support ongoing research and defense, and highlight the resilience and cross-platform spread of cybercriminal content across online ecosystems.
Abstract
We present the first large-scale analysis of 339 cybercriminal activity channels (CACs). Followed by over 23.8 million users, these channels share a wide array of malicious and unethical content with their subscribers, including compromised credentials, pirated software and media, social media manipulation tools, and blackhat hacking resources such as malware, exploit kits, and social engineering scams. To evaluate these channels, we developed DarkGram, a BERT-based framework that automatically identifies malicious posts from the CACs with an accuracy of 96%. Using DarkGram, we conducted a quantitative analysis of 53,605 posts shared on these channels between February and May 2024, revealing key characteristics of the content. While much of this content is distributed for free, channel administrators frequently employ strategies such as promotions and giveaways to engage users and boost the sales of premium cybercriminal content. Interestingly, these channels sometimes pose significant risks to their own subscribers. Notably, 28.1% of the links shared in these channels contained phishing attacks, and 38% of executable files were bundled with malware. Analyzing how subscribers consume and positively react to the shared content paints a dangerous picture of the perpetuation of cybercriminal content at scale. We also found that the CACs can evade scrutiny or platform takedowns by quickly migrating to new channels with minimal subscriber loss, highlighting the resilience of this ecosystem. To counteract this, we utilized DarkGram to detect emerging channels and reported malicious content to Telegram and affected organizations. This resulted in the takedown of 196 channels over three months. Our findings underscore the urgent need for coordinated efforts to combat the growing threats posed by these channels. To aid this effort, we open-source our dataset and the DarkGram framework.
