2025-10-31 –, Main Hall
Threat actors are selling subscription-based access to "clouds" of stolen credentials over Telegram. This talk explores the structure and operations of several of these groups and their Telegram channels. We will also situate this scheme within the larger context of criminal goods and services for sale on messaging platforms.
Cybercriminals are hawking stolen credentials on Telegram, using a subscription-based model where clients pay for access to a trove of stolen information. From there, these credentials can be used for all manner of digital crime.
In this talk we’ll explore a slice of this ecosystem where cybercriminals sell access to “clouds” of stolen credentials (named so because the data is often hosted with cloud providers) by looking at a handful of these Telegram channels. We’ll dive into the structure, composition, and workings of these groups, as well as consider the ways in which Telegram is used as a platform for marketing and promotion of criminal goods and services.
As barriers to entry for cybercrime continue to fall and Telegram rises in importance as a facilitator of cybercrime, it is important to consider both the technologically sophisticated elements of this setup as well as the unsophisticated elements.
Liv Rowley is a Research Manager at Open Measures. Much of her current research focuses on threats and digital harms originating from fringe tech platforms. In previous roles, Liv has worked as a threat intelligence analyst in both the US and Europe, specializing in understanding threats from the cybercriminal underground as well as the Latin American cybercriminal space.