cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Telegram exploited by cyber criminals and hacktivists during Russia-Ukraine conflict

Check Point Research (CPR) has been monitoring activities occurring on Telegram observed from around the current conflict after Russia attacked Ukraine.

user iconReporter
Fri, 04 Mar 2022
expand image

Telegram has become a digital forefront for cyber attacks, fraud and news feeds with cyber criminals and hacktivists leveraging the messaging app for conflict-related activities.

CPR has documented a six-fold increase in Telegram groups themed on the war on the day Russia invaded Ukraine.

Check Points threat intelligence arm, has been closely monitoring Telegram throughout the current Russia-Ukraine conflict, and has characterised these groups:

  • Flash news and updates (71 per cent of groups observed)
  • Hacking\hacktivist groups targeting Russia (23 per cent)
  • Ukraine donation requests (4 per cent)
  • Other subjects relating to the conflict, some non-active and have no users (2 per cent)
  • Characteristics and examples of Group A: Flash news/updates

Telegram has become a digital forefront of the conflict, where people are choosing sides online, according to Oded Vanunu, head of products vulnerabilities research at Check Point Software.

"We’re seeing people from all corners of the world organising themselves and resources to support either Russia or Ukraine."

"Some groups are coordinating cyber attacks to target Russia.

"Other groups are serving as information and news hubs to report a raw side of the war and other groups are requesting funds to either support Ukraine or commit fraud," Vanunu said.

Key Characteristics:

  • Very active
  • Thousands of messages a day, 24/7
  • Report unedited, non-censored feeds from war zones
  • Share unverified and possible misinformation


Figure 1. Live news channel: "Russia vs. Ukraine Live news" with over 110,000 users on Telegram.

Figure 2. Ukraine war report channel, with over 20,000 users on Telegram.

Characteristics and examples of Group B: Hacktivists targeting Russia:

Key Characteristics:

  • Comprised of hackers, IT professionals and other "IT fans"
  • Groups are used to coordinate attacks and decide targets
  • Groups assist each other in executing attacks and sharing results
  • Some groups consist of over 250,000 users
  • DDoS is the most common attack request, followed by SMS and call-based attacks


Figure 3. A shoutout for SMS and call-based attacks on Russian targets.

Figure 4. The "Mark" group is calling users to attack Russian websites, providing URLs.

Characteristics and examples of Group C: Donations Scams

Key Characteristics:

  • Most donations ask for cryptocurrency
  • Groups have tens of thousands of users
  • Many groups are suspicious and likely fraudulent


Figure 5. Group raising funds through bitcoin and Ethereum accounts – Over 20,000 users.

Figure 6. Ukraine donation support group on Telegram.

Cyber safety tips for Telegram users

According to CPR analysts, don’t click on links that have origins that are unfamiliar to you, especially in times of crisis and extreme circumstances.

Criminals might leverage and exploit the situation to try and steal credentials, private details and other personal information by sending out malware or phishing links.

In addition, beware of suspicious requests. If a message from an unknown source makes a request or a demand that seems unusual or suspicious, this might be evidence that it is part of a phishing attack.

Think twice before sending money. Sending money to unknown sources requesting assistance may often result in fraud. Beware with whom you are communicating and what kind of information you are being asked to provide. Social media messages are not the platforms for large financial transactions, especially to unrecognised sources.

Verify your sources. Consume news feeds and seek the "truth" from reliable sources that you can trust.

According to Vanunu, CPR analysts are sharing what it has seen on Telegram and initial observations with updated information to follow.

"I strongly recommend people to watch their Telegram activity closely and the types of people you may come in contact with."

"There’s a side on Telegram looking to take advantage of supporters of either Ukraine or Russia.

"We’ll continue to monitor Telegram activity in the weeks ahead," Vanunu concluded.

[Related: ICS vulnerability reports double, accelerate in 2021]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.