Uncovering the Trust Signals Supporting Telegram’s Cybercrime Economy
Accepted version
Peer-reviewed
Abstract
Telegram has become a central hub for cybercriminal activity, favored for its perceived privacy, user anonymity, ease of use, and the many features it offers. Unlike traditional markets on underground forums, Telegram lacks many structural elements of trust, such as stable identities and reputation within a community. This raises important questions about whether and how trust is built in these newer, more fluid marketplace environments. In our work, we characterize the Telegram cybercrime ecosystem by identifying key market segments and developing a framework of trust-building mechanisms that support trade within those segments. We apply this framework at scale across 1,116,071 messages from 167 Telegram cybercriminal communities. Our analysis shows that although trust signals are fewer than on forums and are often sparsely distributed, cybercriminals on Telegram still actively signal trust using various strategies, from proof-of-delivery and vouching messages to pinned rules and automated bots. To estimate how frequently these signals are actually encountered by users, we implement a Monte Carlo simulation that models cybercriminal browsing behavior across different market segments. Our results reveal that users in different segments are exposed to different levels and types of trust signaling, and that exposure varies significantly with time. Together, our findings suggest that Telegram differs substantially from cybercriminal forums in supporting cybercriminal activities, offering a fragmented but evolving economic ecosystem for threat actors to operate in.
