Exodus from Deep Web Onion Websites to Telegram Channels

Threat actors, ransomware gangs, malware creators, and others are hastily exodus from the traditional dark web and deep web onion websites towards the illegal Telegram app channels. But do you know why these onion sites are moving towards these channels?

Suppose you don’t know, so you are at the right place. In this post, we will tell you why these sites move towards the telegram channels, how threat actors use these channels for criminal activities, which types of channels are migrating from the onion sites, and some other apps favored by the cyber criminals. But let us first know about the deep web and dark web onion websites.

What are Deep Web Onion Websites?

Deep Web Onion Websites

Onion websites on the deep and dark web use the .onion: the top domain rather than .com, .net, .gov, .INFO, etc. The onion websites are derived from a cryptographic key, use the TOR: the onion router software to encode their networks, and allow unidentified communication to hide IP address ownership and identifiers.

However, deep and dark web websites are not listed by regular search engines like Google, Bing, or Yahoo. Users can’t access Onion websites using Chrome, Firefox, Edge, and Opera browsers. In its place, users access onion sites on the Tor network using a special browser developed by the TOR project: Tor browser or any other special network configuration.

The onion domain name imitates that, like the coatings of an onion, the Tor browser holds layers of protection. Tor encrypts traffic via a global network of volunteer nodes that masks its user’s location, block trackers, block browser fingerprinting and does not accumulate records of their activity.

The anonymity of Onion sites is the main key to the deep and dark web. The most deep and dark web links are hosted on .onion domains because of the complex nature of the services they host. At the same time, onion websites may offer safe access to crypto wallets or anonymous email clients to help the users to dodge administration surveillance and restriction.

Below we have shared some best deep web and dark web onion websites.

  • The Hidden Wiki
  • Tor News
  • SecureDrop
  • Archive Today
  • DarkNetLive

Exodus of Deep Web Onion Websites to Telegram Channels

Serious offenders are deserting the top level of the dark web. Because of the relative affluence with which such criminal forums are accessible by law enforcement and security researchers. Plus, the current closure of the main criminal forums Hansa Market and Alpha Bay.

As per the research, serious criminals have migrated to the deeper closed forums of the deep and dark web. However, the substitute spot for these threat actors is not the Tor hidden forums but the Telegram application.

Telegram is the fastest messaging application released in 2013 with an encrypted messaging system. The app offers individual conversations and group chats. But its security strength and end-to-end encryption are what sets it apart. As an outcome, Telegram-presented chat groups have become a beneficial substitute for private dark and deep web forums.

However, telegram groups are known as channels that criminals use. Any threat actor who initiates the conversation can enjoy private end-to-end encrypted chats instead of the exposed threads seen in online forums. The advantages of the Exodus of threat actors from the deep web and dark web to Telegram are obvious: they are easy to work, link, and offer better obscurity.

Per our research, here is the list of the most popular channel on the Telegram app.

List of telegram channels used by threat actors
NamelanguageUsed for
Unsafe internetEnglishDatabase sharing channel
0x_dumpEnglishPrivate channel: leaks databases
Hades DatabaseEnglishSells data
LEAKS AGGREGATORRussianPrivate channel: share database
Global data marketChineseSells data
AresEnglishPrivate channel: Sold database

Cybercriminals’ Exodus from Onion Websites to Telegram – Reasons

People often consider what makes telegram users an appealing venue for cybercrime discussions. Apart from the popularity of the telegram app, one of the main reasons telegrams and other online messaging apps have made activities appealing to criminals is how quick and easy channels and rooms are set up.

However, if threat actors believe a channel has been infiltered, it can be deleted and replaced in a few clicks. Messaging applications have made it better for us to connect socially. It has also opened the door for thieves to steal from consumers and businesses without much alternative.

Here are some reasons threat actors migrate from deep and dark web onion sites to Telegram.

Increasing Law Enforcement Inquiries on Onion Sites

The onion sites on the deep web and dark web operate using the Tor hidden service protocol to protect their IP address on the internet. That allows these sites to host malicious and illegal content while resisting lawful action and capture.

The computer security and law enforcement communities find and monitor such illicit sites in the dark and deep web. They have an automatic organization that crawls and indexes content from onion sites into a large-scale data source to affluence the procedure. That is the main reason for the deep web and dark web exodus from deep web onion websites to the Telegram application.

User-Friendly Nature of Telegram

The messaging application Telegram is user-friendly, allowing both group conversation and channels. Furthermore, it is fast and has emojis, direct private chats, a phone app features. While also enabling P2P encrypted messaging that makes it particularly appealing to those who may be tired of the laborious setup required to make dark web forums or marketplace.

The user-friendly nature of Telegram is another reason for deep web and dark web onion websites’ exodus to this social messaging app.

Lack of Exit Scams

The biggest upside and downside of the dark web and deep web marketplace is that they act as a clearinghouse. That authenticates and finalizes the transaction ensuring the buyers and vendor honor their predetermined responsibilities.

There is 2 weeks hold on transactions normally in which the marketplace holds onto cryptocurrency. And the buyer can request recourse if they are scammed. However, the challenge is that, in many cases, marketplaces owner may hold millions of dollars in crypto at any given time. That creates a strong incentive to exit scams and steal the money being held.

Perceived Anonymity

Law enforcement organizations monitor the TOR marketplace, forums, and sites. When users post on a form or marketplace, they know that the listing will likely be seen by dozens of law enforcement agencies and many others by enterprise security teams.

On the other hand, Telegram offers alleged anonymity, given the thousands of channels concentrating on cybercrime. The absence of IP tracking accessible to the sanctuary and Law enforcement experts, and the looking brief nature of messages.

While, anonymity delivers a benign place for threat actors to participate in their fraudulent activities without the terror of revenge of being trapped.

Wide Open Feature of Telegram

This application is an international messaging platform, so connecting with someone in a country or region can be easier. It lets the threat actors confer with others worldwide without worrying about their identity. That is another prominent reason that causes the threat actors’ exodus from the deep web and dark web onion websites to telegram channels.

How Threat Actors Use Telegram

How Threat Actors Use Telegram

The threat actors seek advanced ways to sell leak credentials, oblige financial and marketing frauds and allot malware. While Telegram has made that prospect easier and made new channels focused on fraud stealer logs, leaked credentials, refunding, and other crimes. It allows a decentralized and rigid monitoring forum for cybercriminals.

Here we have described some examples of how the threat actors use Telegram for illegal purposes.

Offer Illegal Jobs on Telegram

Three telegram channels were found in Russia: Dark Job, Dark Work, and Black Markets. The dark jobs employee staffs for illegal jobs that are graded white, grey, and black. White contains little danger; grey is for greater illegality and difficulty, and black is for danger with illegal risks.

People using the Telegram app can join this channel, post advertisements, and apply for jobs anonymously. Further, the similar principle was functional to other channels; some already have thousands of subscribers.

However, this is worrying considering the accessibility of channels and promises of high salaries to those who might otherwise refrain or have no way to reach these markets. Simply put, the Exodus of criminals from the deep and dark web onion websites to Telegram might grow society’s overall lawbreaking level.

Leak Data

A channel called Insiders fascinates authorized employees with resentment. Or want extra funds to sell private access to cooperate networks anonymously via Telegram. The cybercriminal takes advantage of these employees to get insider data inaccessible to the public.

The data could be used for personal determination or sold or to conduct cyber-attacks from inside the corporation. It would hence remove the productivity of some security solutions because having someone on the inside is an influential tool.

The leaking data is up-to-the-minute on the dark job channel of Telegram. An advertisement is seeking employment at the western union or MoneyGram with access to certain systems that offer payment of $1000 daily.

Promoting Crypto Miners

Telegram’s channel Dark Work is more geared toward criminal projects than employment. In a conversation, someone wanted a dark project: Crypto running on all systems from Windows XP to 10. Also, avoid the Top AV, especially Avast and Defender. At the same time, the criminal tycoons can outsource the complete project without knowing anything about tech and not even their suppliers.

Furthermore, the dark market channel on Telegram is a marketplace where users text to help stealthy crypto miners that will run without the victim’s knowledge in exchange for 600 rubles. Or even screenshots and passwords in exchange for 1000 rubles. That makes Telegram analogous to deep and dark web marketplaces but easier to use and more secure.

Types of Telegram Channels that are Exodus from Onion Websites

There are different types of channels that users search on the Telegram platform. Some of these channels are legal, and others are evil. The illicit type of channels can be found on the app assortment, from financial fraud to radical organizations collaborating with their up-to-date extremist activists and content.

Below are several of the most common illegal channels found on the telegram app that are exodus from the deep web and dark web onion sites.


Credentials are among the most commonly found illegal activities on the Telegram app. It is basically the practice of theft credit card data from victims via numerous methods, including phishing, scanning, and data breaches.

Criminals will then sell the data within the telegram channel for a small fee. Carding is well-paid, profitable, and popular among these illegal communities because of the application’s ease of use and availability.

However, more seasoned hackers can sell their payload from a data breach or numerous successful phishing attacks to others. For instance, if a hacker can steal data from a huge group of victims, they can sell it for a minor profit.

Many threat actors can also service and program bots to post credit card data across multiple channels, increasing profitability. In addition, these channels can also let criminals straightforwardly share, cooperate and sell carding tools and guides. And training to service other malicious users and conduct their systems effectively.

Botnets Channels of Telegram Exodus from Deep Web Onion Websites

Botnets have been used on Telegram’s illegitimate channels for numerous reasons. Often botnets contain a network of negotiated devices measured and directed by federal servers.

The admins of these botnets’ channels, known as botmasters, can perform many bouts against targets. That includes DDoS attacks, phishing attacks, spamming, credential stuffing, and other malicious activities.

However, Botnets are striking to threat actors to produce more anonymity and let growth grasp flexibility with the infected devices when arranged aptly. Many botmasters frequently vend other botnets within illegitimate telegram channels to support other criminals in growing their attack routes.

Telegram Combolists Channels

Another common channel used on telegram channels is Combolists. which have curated lists of stolen usernames, passwords, security queries, and other identifying data that criminals use to attempt account seizure spells. Combolists often supplied, shared, or traded on telegram channels in large data sets that let the offenders get the data in comprehensively.

However, Combolists can be profitable to obtain on telegram channels as they can offer cybercriminals access to illegal access services to deportment further spells or establishments. They also offer a huge amount of easy supply in bulk and return on the procurement or trade given if some users cannot access it.

Bank Account Login Channels Exodus from Onion Websites to Telegram

Bank account logins are another illegal activity seen on many of the telegram channels found on the application. Analogous to carding, selling victim bank account data in Telegram can intensify criminals’ expenditures.

Criminals selling bank account logins will find this malicious activity in high demand and at low risk of getting trapped by law enforcement experts. That is equal to the seller successfully profiting from the shipment. Many threat actors will get the data from phishing attacks or via large data breach batches attained from hacking.

Selling bank account logins on illegitimate telegram channels is also not restricted to bank account info. Some of the illegal telegram channels also offered account logins for payment apps. Channel users can also buy account logins for other apps and streaming services.


The telegram app hosted illegal channels linking threat actors globally selling stolen data for a few years. These channels are made up of hackers that join together to conduct distributed denial of service (DDOS) attacks. At the same time, they may not sell victim data like on the illegal channels that conduct carding or sell bank logins. However, these channels can still be dangerous to organizations worldwide.

The sanctuary and obscurity of Telegram messaging within channels. It can let multiple parties participate in active attacks against nation-states, organizations, and businesses more effectively. These DDoS illegal telegram channels let hackers also utilize bots to aid in arranging their attacks.

Stealer Logs Telegram Channels Exodus from Deep Web Onion Websites

Stealer logs channels on Telegram contain passwords, usernames, credentials, credit card numbers, crypto wallet data, and other relevant data. These types of data have been collected via malware disruption from the victims of infected devices. Further, these logs are sold and distributed to other criminals for malicious use, including conducting attacks against organizations.

The stealer log channel on Telegram comes in 2 types that are;

  • Open Access channels: These stealer log channels of Telegram regularly distribute megabyte-gigabyte-sized files that contain hundreds of thousands of individual stealer logs. These can be seen as an extended advertisement for private invite-only log channels and a way for the vendors to prove that the logs they offer have high quality and contain valuable credentials.
  • VIP channels: these channels offer a limited number of cybercriminals to access premium logs which are supposedly directly from the secure and untouched by other criminals. Accessing price of these channels starts from $200 to $400 a month, compensated in Monero (MNR).

Hacktivism Telegram Channels Exodus from Onion Websites

Hacktivism channels have grown on telegram apps that offer access between multiple hackers for the past few years. These groups are used to communicate, recruit, and share resources and tools with other hackers to join their cases.

Moreover, the hacktivism in Telegram channels increases the attack vector and breach, causing more damage to targets. That allows rapid data dissemination and radicalization among groups looking to share, train and recruit more hackers to join their cause. Then cybercriminals create more attacks against targeted organizations and businesses to the possibility of cross-border attacks for different countries and hacker groups.

Other Apps Ideal for Cybercriminals

Like Telegram, other apps are exodus from the deep and dark web onion websites, including Discord, Jabber, Tox, and Wickr Me. These apps have features and characteristics but offer some secrecy and protection that cybercriminals find tempting.


The Discord app that gamers use to interact with one another. It has become a popular platform for threat actors who use it to communicate and organize actions, like disturbing malicious files and conducting illegal activities. This app is geared more toward gaming and requires users to join a server to connect with others. It lets up to 500000 users connect simultaneously, making it a good choice for larger groups.


Jabber uses a TCP connection to transfer data, letting the user connect with different clients in real-time. However, it is a popular tool amid Russian-speaking hackers. The notorious XSS and Exploit forums have semi-private Jabber servers letting official members use the messenger without logging and solid confidentiality.

Wicker Me

The Wicker Me app, owned by AWS, is popular because of its encrypted feature. Threat actors can communicate with this app and delete their conversations, leaving no evidence behind. According to law enforcement experts, the app has become a popular site for sharing pictures of child exploitation.


Tox is a decentralized, encrypted messaging service that doesn’t require registration. Or the submission of personal data like a phone number or emails. Tox encrypted data using peer-to-peer tech and the NaCl library; users are identifiable by a Tox ID. Voice messaging and screenshot capture are accessible to Tox clients.

Furthermore, contacts may be added by delivering their Tox ID or QR code. One result of Tox P2P architecture is that Tox contacts can see each other IP address. But a non-friend user can’t straightforwardly see a Tox user’s IP address via only their Tox ID.

Wrapping Up

Threat actors use telegram app channels to exchange data tips, tricks, and malicious tools like password-stealing trojan keyloggers and ransomware for criminal activities. However, these channels of the Telegram app are exodus from the deep web and dark web onion websites.

So, in this post, we describe the details of why the Onion sites moved to the Telegram app for criminal activities and how threat actors use these channels. If you want to know about this migration of onion sites, let us know in the comment box.

Leave a Comment