This week, the Dutch national police shut down the criminal messaging service Exclu in conjunction with a sweeping crackdown that included 79 searches and 42 arrests in the Netherlands, Germany, and Belgium. The shutdown highlights the efforts authorities are putting into disrupting the use of messaging apps in the cybercriminal ecosystem. This particular service was unique in that it was exclusively the domain of cybercriminals and drug dealers, but it offers a glimpse into the evolving communication methods of the cybercrime in 2023.
Over the last year, experts have increasingly found that cybercriminals are moving away from Dark Web forums in favor of messaging apps and encrypted communications channels. And more broadly, security analysts and researchers have released details showing how legitimate platforms like Telegram, WhatsApp, and Discord are becoming a hotbed of criminal activity — not only for cybercriminal communications but also for a wide range of scams and exploit campaigns.
According to Dutch authorities, the action against Exclu, its creators, and its users was the culmination of an investigation that took nearly two years. The authorities estimated the app had about 3,000 users, those who utilized Exclu on smartphones through a licensing scheme for about €800 (approximately US $857) every six months. In exchange, they got access to a highly secure, encrypted platform that enabled them to privately exchange messages, photos, notes, chats, and other information to support their criminal activity.
Police in the Netherlands said they worked closely with different agencies across Europe, including Eurojust, Europol, and police forces in Italy, Sweden, France, and Germany. Dutch authorities particularly thanked the German Landeskriminalamt (LKA) Rheinland-Pfalz for its early investigations in June 2020 that first brought Exclu to their attention and provided key evidence for investigation. They say the longtime operation was able to crack Exclu using both hacking methods and traditional police investigative work.
The crackdown follows relatively closely on the heels of similar shutdowns of services like Sky ECC and EncroChat.
The Messaging App Migration
Many cybercriminals aren't resorting to private criminal messaging networks Exclu when they can just as easily (and cheaply) use and abuse legitimate messaging apps like Telegram, WhatsApp, and Discord.
Just last week, analysts with threat intelligence firm Flare ranked Telegram as one of the top illicit sources to monitor for cybercriminal activity in 2023. They report that cybercriminals are starting to utilize Telegram Groups as an extension of the reach of Dark Web forums for its anonymity and encrypted communications.
"Telegram has no traditional admins monitoring its groups and one-to-one chats, which is attractive for anonymity. Threat actors can also hide their phone numbers on the service," according to Flare's analysis in a recent blog post. "Telegram offers end-to-end encryption for messages by default, which helps to avoid potential man-in-the-middle attacks that can snoop on messages in transit. Dark Web forums and marketplaces also have an encryption option but threat actors need to use something like Pretty Good Privacy (PGP) to ensure encryption, which is less convenient."
This echoes similar research out last summer by Intel 471, which noted that the cybercriminal groups it was observing were leaning toward Telegram as the preferred method of anonymous communication compared to in-forum messaging services.
"Of the cybercriminal groups Intel 471 has observed, Telegram is considered the preferred method of anonymous communication as opposed to in-forum messaging services monitored by administrators. Telegram provides actors with near real-time, encrypted communication if both parties are online simultaneously, whereas in-forum messaging requires waiting for unencrypted mail notifications," Intel471's researchers wrote. "This lag time, along with other security risks associated with forum communications, regularly encourage actors to provide other contact details in forum advertisements, such as email addresses and Telegram IDs."
This finding came directly on the heels of another one from these researchers, which pointed out that Telegram and Discord aren't just for communiques — they're also being hijacked to launch an array of cyberattacks. More recently, KELA researchers reported that Telegram in particular is being used to sell and leak stolen data, use it as a channel for selling other illegal products, publicize information about their attacks, and build bots to bolster their infrastructure that launches attacks and exfiltrates data.
The Telegram bot problem has particularly been growing in its profile on security analyst radars.
"Telegram bots have become a popular choice for threat actors as they are a low-cost or free, single-pane-of-glass solution," says Joe Gallop, intelligence analysis manager at Cofense, who points to his firm's recent report that noted that the use of Telegram bots as exfiltration destinations for phished information exploded by more than 800% between 2021 and 2022. "Telegram bots are easy to set up in private and group chats, are compatible with a wide range of programming languages, and are easy to integrate into malicious media such as malware or credential phishing kits."