Posted: 3 Min ReadNorton Labs

Encrypted Chat Apps Doubling as Illegal Marketplaces

Encrypted chat apps are gaining popularity worldwide due to their central premise of not sending user data to tech giants.

Some popular examples include WhatsApp, Telegram and Signal. These apps have also been adopted by businesses to securely communicate directly to their users. Additionally, these apps have been instrumental to subverting authoritarian regimes. For example, Telegram has been used by pro-democracy dissidents to organize protests in Hong Kong, and communicate amongst themselves in Russia, Belarus, Thailand, and Iran.

However, we’ve found that encrypted chat apps are also being used by criminals to sell illegal goods. Because content moderation is, by design, nearly impossible on these apps[1], they allow for an easy vector for dealers of illicit goods to communicate directly to customers without fear of law enforcement involvement. One example of this is Telegram, which provides especially strong anonymity protections, which are useful for dissidents, but can also be leveraged by criminals attempting to obscure their identities.

In our analysis, we found a wide variety of illegal goods are being sold on Telegram, including people’s personally identifiable information (PII), likely stolen gift cards, fake documents, pirated software, and tools to facilitate cybercrime such as distributed denial-of-service (DDoS) infrastructure. In recent months, we have also found several accounts dedicated to selling “COVID-19 vaccines,” targeting users in a variety of countries including the United States, China, India, Malaysia, and Russia.

Cybercriminals sell illegal goods for a variety of reasons. Sometimes, the goods are fake or counterfeit, leading to easy profits. In other cases, cybercriminals are trying to launder credit cards, or stolen gift cards, into money they can use.

Counterfeit Goods

Counterfeit goods are a popular product on Telegram. We found many accounts and groups dedicated to selling a wide variety of counterfeit goods, including luxury watches and purses, designer clothes, and high-end electronics. For example, you can find a counterfeit Rolex for as little as $69 USD.

COVID-19 Vaccines

In recent months, with people anxious to receive a COVID-19 vaccine, criminals have attempted to take advantage of this stress by selling what they claim are COVID-19 vaccines.

Gift Cards

Cybercriminals often launder ill-gotten gains such as stolen credit cards through the purchase and sale of gift cards. Other times, the gift cards are stolen directly through either a password leak or via vulnerabilities in the gift card provider’s website. Those gift cards are then sold at heavily discounted prices.

Fake Documents and Personal Information

Another popular genre of illicit goods on Telegram are fake documents and personal information. Fueled by major data breaches such as the one at Experian, data brokers have amassed a shocking amount of personal information including social security numbers, addresses, phone number, bank account numbers, and more.

Some accounts even strategically market their items for sale to coincide with newsworthy events. We found a vendor offering hacked GameStop accounts around the time of that GameStop stock’s growth drew worldwide attention.

Tools to Facilitate Cyber-Crime

Interestingly, we observed that cybercriminals are also selling a variety of tools and services, including rental of DDoS infrastructure. We also found accounts marketing cheats for a variety of games, and services marketing themselves for users in India, Europe, Russia, the Arab world, and North America.


Scammers, fraudsters and hucksters of illegal goods are usually ahead of the curve on the latest technologies to provide a good experience for their customers. Therefore, we often see these actors as early adopters of popular technologies (cybercriminals were also among the first to adopt cryptocurrencies such as BitCoin and Ethereum, which are now widely used by the general public for entirely legal purposes). This case is no different, and our research suggests that in the future, legitimate merchants may also adopt messaging apps and the peer-to-peer selling model they allow, similar to Telegram’s.

Innovations from Norton Labs are for research, evaluation, and consumer feedback purposes. NortonLifeLock does not give any warranties as to the suitability or usability of these prototypes and recommends safeguarding data and reviewing all terms and conditions before use.

Copyright © 2021 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries.

About the Author

Daniel Kats

Senior Principal Researcher

Daniel earned his Masters at the University of Toronto Systems & Networking Group. His research involves building machine learning systems for security, and the subtle impact of those systems on the people who use them.

About the Author

David Zhuang

Software Engineer

David is a software engineer in Toronto working at NortonLifelock. He has eight years of experience with web development, DevOps with strong interest in security. In his spare time, David enjoys reading and translating.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.