How Telegram became the criminals’ preferred marketplace

The Finnish beautician's private data was part of a flood of illegally obtained materials on the criminals' new marketplace of choice.

Telegram, whose CEO Pavel Durov was arrested in France last month, has become the leading internet platform for purchasing everything from hacked data and weapons to illegal drugs and child sex abuse material, according to current and former police officials and cybercrime researchers.

Part social network, part messaging app, Telegram is easy to use. All you need to open an account is a phone number, and it says it has never shared user data with third parties. Based in Dubai, Telegram takes a laissez-faire approach to content moderation.

French judicial authorities have accused Durov of complicity in the distribution of child pornography, illegal drugs and hacking software on the app, which claims to have nearly a billion users. Authorities have also accused him of refusing to cooperate with investigations into illegal activities on Telegram.

Durov said Thursday that Telegram is not perfect, but neither is it “some kind of anarchic paradise.” He said Telegram is always open to dialogue with regulators.

Mike Ravdonikas, Telegram's chief operating officer, said exploding user numbers had caused “growing content moderation problems” that were now being addressed. Telegram was not designed for criminals but for the overwhelming majority of legitimate users, he said.

Telegram moderators delete millions of offensive posts every day, he said, adding that the company is actively cracking down on illegal content, including the sale of private data and the sharing of child sexual abuse material.

Identity thieves, pedophile rings and drug traffickers use Telegram as a storefront to sell their wares, researchers and chat logs show. A study by an international nonprofit organization in February found that Telegram is the app most commonly used by perpetrators to view and share child pornography content.

The Telegram channel where Balk's pictures were published was launched two years ago and had about 3,000 subscribers.

Each day, a series of passports, IDs and selfies were offered as “examples” of larger packages that scammers could use to open bank accounts in victims' names. To purchase a complete package, the channel owner asked members to contact him in a private chat. The channel was deleted after The Wall Street Journal Telegram asked questions about it for this article.

There are thousands of channels and groups on Telegram offering stolen identities that can be used to open bank and investment accounts. Some claim to offer pre-created bank accounts created using stolen data. One channel called Bank Store Online offered accounts at over 60 banks and cryptocurrency exchanges for sale, ranging from $80 for a personal account to $1,800 for a business account. Payments were settled in cryptocurrencies.

In Russia, where Durov launched Telegram in 2013, it is also the platform of choice for middlemen to conduct deals that circumvent U.S. sanctions, such as smuggling weapons parts, the Wall Street Journal previously reported.

Several groups are promoting the sale of drones and Starlinks – small antennas for accessing Elon Musk's SpaceX's satellite internet network – to Russian combat units in Ukraine. In February, Musk tweeted that, to the best of the company's knowledge, no Starlinks had been sold directly or indirectly to Russia.

“It's ground zero for every possible illegal activity,” says Evan Kohlmann, founder of Cloudburst Technologies, which monitors cybercrime on Telegram and elsewhere and frequently advises U.S. authorities.

“The next iteration”

Before the rise of Telegram, criminals typically focused on areas of the internet known as the dark web. These sites are not indexed by web browsers and are only accessible with special software that obscures users' identities. Regular internet users rarely come across them. One well-known example was the now-closed online black market Silk Road.

Darknet marketplaces are slow, have cumbersome interfaces, and servers that are vulnerable to shutdowns by law enforcement. Telegram is fast and functional, with features that make it easy to buy and sell things directly from the app.

The platform's utility has given rise to several suspected criminal activities, particularly the sale of stolen personal information and child abuse images, researchers say.

Telegram represents “the next iteration” after the internet first enabled pedophiles to group together online, said Dan Sexton, chief technology officer of the Internet Watch Foundation, a British child sexual abuse hotline that collects data worldwide.

The IWF said it found that newer websites selling child abuse material almost exclusively direct users to Telegram to exchange financial data and conduct transactions.

Unlike other social media companies like Meta and Snap, Telegram does not report images of child sexual abuse to the IWF or its U.S. counterpart, the National Center for Missing and Exploited Children, both organizations say. (Meta's Instagram has also been criticized for moderating such content.)

In discussions with Telegram, the IWF has encouraged the company to join, which would give Telegram access to its extensive database of tagged images of abuse and could prevent perpetrators from sharing them.

“We have not been successful,” Sexton said. Telegram said on Friday that it had approached the IMF to resume talks.

Ravdonikas, the Telegram manager, said images uploaded to Telegram are checked against the company's database of child sexual abuse content, and the company is working to expand that database with data from third parties.

In late August, a section of Telegram's website for reporting illegal content said that group chats were private and Telegram would “not process requests” regarding them. Ravdonikas said moderators could not proactively review private group chats, which can have up to 200,000 members, but users could report content shared there.

Selling personal data

Personal data like Balk's ends up on the black market through leaks and hacks. The 21-year-old, who lives just outside Helsinki, had uploaded the selfie and ID photo to verify an account on the adult social media site OnlyFans. She said she was just playing around with a few friends.

Her images surfaced on Telegram this February when the channel called Dock Services posted them for sale as part of a package of Finnish identities available for $8 a piece. Her portrait photo appeared to have been manipulated into a deepfake video using an artificial intelligence tool that could fool banks' online verification processes, potentially allowing fraudsters to borrow money or launder dirty money in her name, according to cybercrime researchers who followed her case.

“I'm really scared right now,” Balk wrote to another user who alerted her to the leak. “I didn't know this could happen to me.”

Balk's photos were then resold elsewhere, including by the owner of another Telegram group called “The Dragon Boi,” who boasted that they made enough money from identity fraud to buy a Mercedes-Benz and a Rolex.

Balk filed a police report for identity theft in Finland. Officials later told her in a written decision seen by the Journal that they had closed the investigation because they could not identify any perpetrators. OnlyFans told Balk in an email that they would investigate any suspected data leaks.

A spokeswoman for London-based OnlyFans said it could not comment on individual accounts but that its systems had not been compromised.

Even though Balk is not taking action to remove her images, she remains concerned that criminals on Telegram “keep selling my data.”

Write to Angus Berwick at [email protected] and Ben Foldy at [email protected]