Telegram's Dark Side: Data Theft and Resale Rampant, Warn Experts
Cybersecurity experts have sounded the alarm on the growing use of Telegram by threat actors to facilitate illicit activities, with a particular emphasis on the exfiltration of stolen credentials. A recent analysis of 5 million logs, dating back to October 2024, has revealed a worrying trend in the use of this popular messaging platform for data theft and resale.
The study, which focused on logs exfiltrated by infostealer malware through Telegram's Bot API (plain HTTPS requests to api.telegram.org in which the bot token forms part of the URL path), found a wide range of sensitive data being compromised: credentials for numerous services, screenshots, keylogs, clipboard contents, cryptocurrency wallets, and browser autofill data. The logs are then fed into 'autoshop' marketplaces, where other threat actors can obtain them for a small fee or free of charge, letting buyers skip the initial-access stage of an attack or run credential-stuffing attempts against the victims' accounts.
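Because Bot API exfiltration is ordinary HTTPS to a single well-known host, it is one of the few infostealer behaviours that a defender can spot from network logs alone. The following script is an added example written for this page, not code from the article or from the researchers it reports on. It scans a constructed, made-up sample of a TLS-inspecting web proxy log (timestamp, client, HTTP method, URL, status) for Bot API calls, classifies them by the method invoked, redacts the bot token before it is written anywhere, and falls back to a host-only indicator for proxies that see only the CONNECT target. The log format and the bot token in it are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a TLS-inspecting web proxy log, one request per line:
# timestamp, client IP, HTTP method, URL (or host:port for CONNECT), status.
# Every line and the bot token in it are made up for this example.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z 10.20.3.41 GET https://www.example.com/index.html 200
2025-03-04T09:12:07Z 10.20.3.41 POST https://api.telegram.org/bot7312345678:AAH3sXk9qLmN0pQrStUvWxYz1234567890abc/sendDocument 200
2025-03-04T09:12:08Z 10.20.3.41 POST https://api.telegram.org/bot7312345678:AAH3sXk9qLmN0pQrStUvWxYz1234567890abc/sendMessage 200
2025-03-04T09:13:40Z 10.20.3.77 CONNECT api.telegram.org:443 200
2025-03-04T09:14:02Z 10.20.3.90 GET https://api.telegram.org/bot7312345678:AAH3sXk9qLmN0pQrStUvWxYz1234567890abc/getMe 200
"""

# Bot API calls have the form https://api.telegram.org/bot<id>:<secret>/<method>.
# The full token travels in the URL path, so any log that records paths records the token.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<method>[A-Za-z]+)"
)
BOT_API_HOST = "api.telegram.org"

# Methods that push files out of the environment versus methods that only
# post text or set up / poll the bot.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMediaGroup"}
MESSAGE_METHODS = {"sendMessage"}


@dataclass
class Finding:
    timestamp: str
    client: str
    indicator: str              # bot_api_upload | bot_api_message | bot_api_other | bot_api_host
    method: Optional[str]       # Bot API method, None when only the host was visible
    bot_id: Optional[str]
    token_hint: Optional[str]   # redacted token, safe to paste into a ticket


def redact_token(bot_id: str, secret: str) -> str:
    """Keep enough of the token to correlate findings without storing a usable credential."""
    return f"{bot_id}:{secret[:4]}...{secret[-3:]}"


def classify(method: str) -> str:
    if method in UPLOAD_METHODS:
        return "bot_api_upload"
    if method in MESSAGE_METHODS:
        return "bot_api_message"
    return "bot_api_other"


def scan_proxy_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, target = parts[0], parts[1], parts[3]
        m = BOT_API_RE.search(target)
        if m:
            findings.append(Finding(ts, client, classify(m["method"]), m["method"],
                                    m["bot_id"], redact_token(m["bot_id"], m["secret"])))
        elif target.split(":")[0] == BOT_API_HOST:
            # A non-inspecting proxy only sees the CONNECT host. That is still worth a look:
            # end-user Telegram clients speak MTProto to the Telegram data centres, not to
            # this HTTP Bot API host, so a workstation talking to it is an anomaly.
            findings.append(Finding(ts, client, "bot_api_host", None, None, None))
    return findings


def uploads_per_client(findings: List[Finding]) -> Dict[str, int]:
    """Count file uploads per source host; a single sendDocument is already a log exfil."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.indicator == "bot_api_upload":
            counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_proxy_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.client:<12} {f.indicator:<16} {f.method or '-':<13} {f.token_hint or '-'}")
    print("uploads per client:", uploads_per_client(results))
```

Two points from the sample are worth carrying into a real deployment. First, the same token shows up from two different clients (10.20.3.41 and 10.20.3.90), which is how one bot operator's campaign across several victims becomes visible; pivot on the redacted `bot_id` rather than on the client. Second, without TLS inspection only the `bot_api_host` indicator survives, so the host-level alert should exist even where the path-level one cannot.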
The most infected countries, judged by the system IP addresses recorded in the logs, are the USA, Turkey, and Russia, followed by India and Germany. German companies have also suffered a string of cyberattacks in the same period: a logistics company was hit by Lockbit ransomware in January 2025, a public transport company in Hannover was affected in July 2025, and food industry firms such as Arla Foods and Vossko have both been disrupted by cyberattacks in recent years.
Three main types of threat actor make use of the stolen data: script kiddies, initial access brokers (IABs), and highly skilled groups, including advanced persistent threats (APTs). The most prevalent infostealer families observed are SnakeKeylogger and AgentTesla, and Telegram usage shows a clear upward trend both in the volume of logs and in the number of malware families relying on it.
The increasing use of Telegram as an initial attack vector and as a data exfiltration endpoint underscores the need for companies to monitor underground markets for their own leaked credentials, to watch for Bot API traffic leaving their networks, and to strengthen their security measures more broadly. By doing so, they can reduce the window in which stolen data is useful and keep it from falling into the wrong hands.