On August 25, 2024, Pavel Durov, the founder and CEO of Telegram, was arrested in Paris on charges related to his platform allegedly being used for illegal activities. This arrest has sparked intense global debates surrounding online privacy, platform responsibility, and the legal culpability of service providers for the actions of their users. While many users of the platform and public figures have raised concerns about the arrest, there’s another group of Telegram users particularly affected—cybercriminals.
In recent years, Telegram has gained a reputation for being a hub for various cybercriminal activities, including the sale of illicit data, infostealer operations, ransomware dealings, and hacktivist movements. The platform’s anonymity features and community-building capabilities have made it a preferred space for cybercriminals. Following Durov’s arrest, cybercriminals using the platform have begun to express concerns and, in some cases, have launched cyberattacks in retaliation.
The Context of Durov’s Arrest
Pavel Durov’s arrest follows accusations that Telegram has become a haven for illicit activities. The charges against him relate to his platform being allegedly used for criminal purposes, and while Durov has been released on bail, the indictment has far-reaching consequences. The incident has reignited discussions about platform moderation, the responsibility of service providers, and whether online platforms should bear legal responsibility for the actions of their users.
The Charges
Durov faces six charges, all connected to illicit activity on Telegram. These charges focus on how the platform has been exploited for illegal actions, including the sale of stolen data and communication used for organizing illegal operations such as ransomware attacks.
Cybercriminals’ Reaction to Durov’s Arrest
Supporting Durov: Hacktivist Groups Respond
A significant number of cybercriminals have expressed support for Durov, with many hacktivist groups taking it a step further by launching attacks against French entities. These groups view Durov’s arrest as a direct threat to their operational infrastructure, as many rely on Telegram for both communication and conducting business.
For instance, a pro-Russian hacktivist group, the People’s Cyber Army of Russia, announced on Telegram that it intended to launch a week-long attack on French websites. The group rallied under the banner of #FreeDurov and encouraged other groups to join. Its first target was the website of the French National Agency for the Safety of Medicines and Health Products (ANSM), which went offline after a Distributed Denial of Service (DDoS) attack.
Similarly, the UserSec group, which has historically collaborated with the People’s Cyber Army, also began their attack on French entities under the same #FreeDurov banner. UserSec announced DDoS attacks on several French government websites, including the National Court of France and the Paris tribunal.
Cybercriminal Campaigns
The #FreeDurov campaign has been widely adopted by multiple threat actors on Telegram. For example, a pro-Palestinian hacktivist group, RipperSec, launched attacks against French websites, including PriceBank, to express solidarity with Durov. RipperSec even forged alliances with other hacking groups to target French organizations.
While the #FreeDurov campaign continues to attract participants, it is not solely limited to hacktivist groups. Some individual cybercriminals have also decided to support Durov by investing in Telegram Stars, a digital product that helps monetize channels and bots on the platform. By investing in Telegram, these criminals aim to support the platform financially amid the CEO’s legal challenges.
| Group Name | Actions Taken | Target |
| --- | --- | --- |
| People’s Cyber Army of Russia | Launched DDoS attacks on French websites in support of Durov | French National Agency for the Safety of Medicines |
| UserSec | Conducted DDoS attacks on French courts, posted #FreeDurov on their channel | National Court of France, Paris Tribunal |
| RipperSec | Attacked French websites and banks, formed alliances with other hacktivists | PriceBank and various French government websites |
Cybercriminal Concerns: What’s Next for Telegram?
While some threat actors are retaliating against France for Durov’s arrest, others are taking a more cautious approach. Many cybercriminals fear that Telegram’s security features could be compromised, especially if law enforcement seizes servers or gains access to communications. As a result, some users are pausing their activities on the platform, particularly those who store sensitive information such as stolen credit card details or personal identification data.
Alternative Platforms for Cybercriminals
Fearing heightened surveillance, some cybercriminals have started exploring alternative communication platforms. Forums have buzzed with discussions about shifting to more secure platforms like Tox, Session, and Jabber, which are known for providing end-to-end encryption and better anonymity features.
For instance, one cybercriminal group affiliated with Lapsus$—a well-known hacking collective—set up an XMPP-based communication channel as a backup. They shared this new channel link on their Telegram group, encouraging others to join them in case Telegram becomes too risky.
However, while some criminals are taking precautionary measures, there doesn’t seem to be a mass exodus from Telegram just yet. Telegram’s group and channel features, combined with its bot functionalities, make it an attractive platform for cybercriminals to organize and communicate with a wide range of potential buyers and collaborators. Until alternative platforms can replicate these features, it’s unlikely that criminals will abandon Telegram en masse.
| Alternative Platforms Discussed | Features |
| --- | --- |
| Tox | Decentralized, peer-to-peer encrypted messaging |
| Session | Anonymous and encrypted messaging, routing through multiple nodes |
| Jabber/XMPP | Secure, extensible messaging protocol with optional end-to-end encryption |
The Future of Cybercriminal Activity on Telegram
Durov’s arrest has sparked concerns among both Telegram’s regular users and its more notorious users—cybercriminals. The platform has become integral to various cybercrime operations, allowing criminals to sell stolen data, advertise hacking services, and facilitate financial crimes. With the future of Telegram uncertain, it remains to be seen how the platform will evolve and whether it will tighten its moderation measures.
For now, the arrest has motivated many cybercriminals to take precautionary measures, from setting up alternative communication channels to deleting their sensitive Telegram archives. Others have rallied behind Durov and used the opportunity to launch cyberattacks on French government websites.
Potential Implications of Durov’s Arrest
- Increased Moderation: If Telegram is forced to cooperate with authorities, it could lead to tighter regulations and increased monitoring of criminal activities.
- Platform Migration: While unlikely in the short term, some cybercriminals may begin migrating to more secure platforms if Telegram’s reputation for anonymity is compromised.
- Further Cyberattacks: In the immediate future, the #FreeDurov campaign is expected to result in additional cyberattacks against French organizations.
Conclusion
Pavel Durov’s arrest in August 2024 has caused significant reverberations in both the legitimate and criminal communities of Telegram. While the platform has long been associated with cybercrime, Durov’s legal troubles have prompted cybercriminals to take action, either by launching retaliatory attacks or by seeking more secure methods of communication. For now, Telegram remains an essential tool for cybercriminals, but Durov’s arrest could mark the beginning of significant changes to how these criminals operate.
FAQs
- What charges are Pavel Durov facing?
  - Durov faces six charges related to Telegram being used for illegal activities, including the facilitation of cybercrime.
- Why is Telegram popular among cybercriminals?
  - Telegram offers anonymity, the ability to form communities, and features like bots and channels that help cybercriminals communicate and conduct illicit transactions.
- What is the #FreeDurov campaign?
  - The #FreeDurov campaign is a movement launched by cybercriminals and Durov supporters, advocating for his release through online protests and cyberattacks.
- What alternative platforms are cybercriminals using?
  - Some cybercriminals are exploring platforms like Tox, Session, and Jabber, which offer more secure communication features than Telegram.
- What is the future of cybercriminal activity on Telegram?
  - While some criminals are taking precautions, most are likely to continue using Telegram unless more significant changes occur in platform moderation or law enforcement access.