Elisabet Balk didn’t think twice when she uploaded a selfie and a photo of her national ID card to verify a new social-media account. So it terrified her when she discovered the images were for sale on Telegram, the messaging app.
The Finnish beautician’s private data was part of a torrent of illegally obtained materials on criminals’ new marketplace of choice.
Telegram, whose chief executive Pavel Durov was detained in France last month, has become the premier internet platform to buy everything from hacked data and weapons to illicit drugs and child sexual abuse material, according to current and former law-enforcement officials and cybercrime researchers.
Telegram, part social network, part messaging app, is easy to use. All you need to open an account is a phone number and it says it has never disclosed user data to any third party. Based in Dubai, Telegram has taken a laissez-faire approach to moderating content.
French judicial authorities charged Durov with complicity in distributing child pornography, illegal drugs and hacking software on the app, which says it has almost one billion users. Authorities also charged him with refusing to cooperate with investigations into illegal activity on Telegram.
Durov said Thursday that Telegram wasn’t perfect, but neither was it a “sort of anarchic paradise.” He said Telegram was always open to dialogue with regulators.
Telegram’s Chief Operating Officer Mike Ravdonikas said exploding user numbers had caused “growing pains in content moderation,” which it was addressing. Telegram wasn’t designed for criminals but the overwhelming majority of lawful users, he said.
Telegram’s moderators take down millions of harmful posts a day, he said, and it actively combats illegal content, including the sale of private data and sharing of child sexual abuse material.
Identity thieves, pedophile rings and drug traffickers use Telegram as a shop window to sell their wares, according to researchers and chat records. A study this February by an international nonprofit found Telegram was the most widely-used app among offenders to view and share child-sex content.
The Telegram channel that posted Balk’s images launched two years ago and had about 3,000 subscribers.
Each day, it advertised a stream of passports, identity cards and selfies as “samples” for larger bundles, which swindlers could use to open bank accounts in victims’ names. To buy a full pack, the channel’s owner told members to contact them in a private chat. The channel was taken down after The Wall Street Journal asked Telegram questions about it for this article.
There are thousands of channels and groups on Telegram that offer stolen identities that can be used to open bank and investment accounts. Some claim to offer already created bank accounts created with stolen details. A channel called Bank Store Online listed accounts at over 60 banks and cryptocurrency exchanges for sale, ranging from $80 for a personal account to $1,800 for a business one. Payments were charged in crypto.
In Russia, where Durov launched Telegram in 2013, it is also the go-to platform where middlemen arrange deals that get around U.S. sanctions, such as smuggling in weapons parts, the Journal previously reported .
Several groups advertise the sale of drones and Starlinks—small antennas to access the satellite internet network run by Elon Musk ’s SpaceX—to Russian combat units in Ukraine. In February, Musk tweeted that no Starlinks had been directly or indirectly sold to Russia, to the best of the company’s knowledge.
“It’s ground zero for every illicit activity you can think of,” said Evan Kohlmann, founder of Cloudburst Technologies, which monitors cybercrime on Telegram and elsewhere, and a frequent adviser to U.S. agencies.
‘The next iteration’
Before Telegram’s ascent, criminals typically clustered in areas of the internet known as the darknet. These sites aren’t indexed by web browsers and are only accessible with specific software that cloaks users’ identities. Regular internet users rarely encounter them. A well-known example was the since-shuttered online black market Silk Road.
Darknet-market sites are slow, with clunky interfaces and servers vulnerable to law-enforcement takedowns. Telegram is fast and functional, with features that make it easy to buy and sell things directly on the app.
The platform’s utility has turbocharged several types of alleged criminal activities, particularly the sale of stolen personal data and child abuse material, researchers say.
Telegram marks “the next iteration” after the internet first enabled pedophiles to group together online, said Dan Sexton, chief technology officer at the Internet Watch Foundation, a British child sexual abuse hotline that collects data worldwide.
The IWF said it has found that newer websites selling child abuse material almost all direct people to Telegram to exchange financial details and make transactions.
Unlike other social-media companies such as Meta and Snap, Telegram doesn’t report child sexual abuse images to the IWF or its U.S. counterpart, the National Center for Missing and Exploited Children, both groups say. (Meta’s Instagram has also faced criticism about moderating such content.)
In talks with Telegram, the IWF has encouraged the company to become a member, which would give Telegram access to its vast database of tagged abuse images to stop offenders from sharing them further.
“We haven’t had any success,” Sexton said. Telegram said Friday it reached out to IWF to reopen discussions.
Ravdonikas, the Telegram executive, said images uploaded on Telegram are checked against the company’s database of child sexual abuse content, which it is working to expand with third-party data.
In late August, a section of Telegram’s website on reporting illegal content said that group chats were private and Telegram wouldn’t “process any requests related to them.” Ravdonikas said moderators can’t proactively check private group chats, which can have up to 200,000 members, but users can report content that is shared in them.
Personal data for sale
Personal data like Balk’s flows onto the black market through leaks and hacks. The 21-year-old, who lives just outside Helsinki, had uploaded the selfie and ID card image to verify an account on the adult social-media site OnlyFans. She said she was just messing around with some friends.
Her images appeared this February on Telegram when the channel, called Dock Services, posted them as part of a bundle of Finnish identities for sale, available for $8 apiece. Her portrait photo appeared to have been manipulated with an artificial-intelligence tool into a deepfake video that could fool banks’ online verification processes, allowing swindlers potentially to borrow funds or launder dirty money in her name, according to cybercrime researchers who followed her case.
“I am really scared right now,” Balk messaged another user who alerted her to the leak. “I didn’t know that this could happen to me.”
Balk’s photos were then resold elsewhere, including by the owner of another Telegram group, called “The Dragon Boi,” who bragged they were earning so much money from identity fraud that they had bought a Mercedes-Benz and a Rolex.
Balk filed a police report for identity theft in Finland. Officers later told her in a written decision, reviewed by the Journal, that they had suspended the investigation as they couldn’t identify any perpetrators. OnlyFans told Balk in an email it was reviewing any suspected data leaks.
A spokeswoman for London-based OnlyFans said it can’t comment on individual accounts, but its own systems weren’t compromised.
Without any action to remove her images, Balk still worries that criminals on Telegram are “selling my data over and over again.”
Write to Angus Berwick at angus.berwick@wsj.com and Ben Foldy at ben.foldy@wsj.com