Cybercriminals are hawking stolen credentials on Telegram, using a subscription-based model where clients pay for access to a trove of stolen information. From there, these credentials can be used for all manner of digital crime.

In this talk we’ll explore a slice of this ecosystem where cybercriminals sell access to “clouds” of stolen credentials (named so because the data is often hosted with cloud providers) by looking at a handful of these Telegram channels. We’ll dive into the structure, composition, and workings of these groups, as well as consider the ways in which Telegram is used as a platform for marketing and promotion of criminal goods and services.

As barriers to entry for cybercrime continue to fall and Telegram rises in importance as a facilitator of cybercrime, it is important to consider both the technologically sophisticated elements of this setup as well as the unsophisticated elements.