Why have some criminals moved from Tor-based forums to Telegram and similar services?

The need for anonymity

The main issue with moving off of an anonymity network to Discord or Telegram is that they are not designed for anonymity. The Tor network is designed specifically to hide the origin of the communications. There is no single centralized entity which can be forced into disclosing logs, because no single Tor relay simultaneously knows both the contents of the messages and their origin. For things like Discord or Telegram, the mere participation in a criminal chat room can be incriminating even if the contents of the conversations themselves are kept private.

A criminal network requires a few things to continue to exist. If you assume that infiltration is a risk (e.g. that members of the group may be coerced into turning into a narc), then a requirement is that the pseudonyms of users cannot be tied to their real-life identity using any technical means. A service not designed with anonymity in mind will be vulnerable to infiltration. The only way to avoid this would be to access the chat service through an anonymity network like Tor anyway and register using an anonymous identity, e.g. with a throwaway online phone number. This requires consistently good opsec, and a single slip-up or misunderstanding can spell disaster.

Issues with Discord and Telegram

There are some specific problems with using Discord or Telegram, other than requiring a mobile number. Discord is not end-to-end encrypted, so the server itself can keep logs of both IP addresses and message contents along with the regular metadata. And Telegram, while it makes attempts to be secure, has been heavily criticized for providing very poor and amateur encryption. It would be possible to create real-time chat services that do not have these problems (such as IRC private messages using end-to-end encrypted OTR), but this on its own will not provide anonymity, which is necessary for a group (criminal or otherwise) trying to exist in an adversarial environment.

When using a non-anonymous service like this, an adversary can do many things. They can:

  • Learn a user's pseudonymous identity.

  • Learn a user's real identity.

  • Monitor the user's communications.

  • Detect access to the service at the level of the ISP.

All this is possible as soon as they know the group exists. If the service being used is designed correctly to be anonymous and uses properly-implemented end-to-end encryption, they can only:

  • Learn a user's pseudonymous identity, if they infiltrate the group.

  • Monitor the user's communications, if they infiltrate the group.

In this latter case, the only way things could go wrong is if one of the users made a fatal opsec mistake, giving away personal information which can be used to identify them. A lot of opsec is required for a criminal (or otherwise targeted) group to exist, and even when following sophisticated rules, a single mistake can bring down the group and reveal the identities of many individual members. A famous case is the Yardbird group, where the leader would require that everyone maintain high-quality opsec. Eventually the group's existence was revealed when one of the members was arrested on other charges. This allowed the group to be infiltrated, and in the end, the only people who are still free are the people who used Tor. Every VPN user was caught.

Why people do stupid things

People sometimes leave anonymity networks because they are, by necessity, rather slow. For someone used to high-speed internet, the latency caused by Tor may be an inconvenience. This can drive them to move to alternatives, even if these alternatives are less secure for their purposes. Fundamentally, there is no security downside to using a Tor-based messaging platform (whether a real-time chat system or a regular forum) compared to a non-Tor-based platform.

Consistent good opsec is among the biggest hurdles for any group existing in an adversarial environment. It is so easy for people to get fed up with a less convenient but secure solution such as Tor and break their opsec. For example, a Tor user who is the target of a criminal investigation could be linked to a honeypot site with content that they would find interesting. If the honeypot blocks Tor, a surprising number of people will turn off Tor to visit it "just once", revealing their IP. The Snowden leaks also revealed the existence of NSA programs which would attempt a DoS attack (via TCP hijacking to inject an RST) against targeted Tor users, preventing them from using the service in the hope that they would get frustrated and move to a less-anonymous alternative.
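The point in the answer above that no single Tor relay learns both the origin and the content of a message can be seen directly in a small simulation. The following is an added illustration, not code from the answer's author and not Tor's real protocol: it uses a toy SHA-256 XOR keystream in place of a real cipher (assumption, not secure), constructed hop names and a constructed sample message. It builds a three-hop onion, unwraps it hop by hop, records what each relay can observe, and runs the same message through a single-hop (VPN-style) relay for comparison.

```python
"""Toy onion-routing simulation: which hop learns what.

Added illustration only. The "cipher" is a SHA-256 XOR keystream
(assumption, NOT secure) and the relay names are constructed.
"""
import hashlib
import json
import secrets

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || counter). Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one layer: random nonce || (plaintext XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def unseal(key: bytes, blob: bytes) -> bytes:
    """Strip one layer; the holder of `key` learns only this layer's contents."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(circuit, destination: str, message: bytes) -> bytes:
    """Wrap `message` for every relay in `circuit` (guard first, exit last).

    Each layer tells its relay only the next hop and carries the inner
    ciphertext, and is sealed under that relay's key. Wrapping runs from
    the exit inwards so the guard's layer ends up outermost.
    """
    blob, next_hop = message, destination
    for name, key in reversed(circuit):
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob, next_hop = seal(key, layer), name
    return blob


def run_circuit(circuit, destination: str, message: bytes, client: str = "client"):
    """Forward the onion hop by hop and record what each relay can observe."""
    blob, prev, views = build_onion(circuit, destination, message), client, []
    for name, key in circuit:
        layer = json.loads(unseal(key, blob))
        blob = bytes.fromhex(layer["inner"])
        views.append({
            "relay": name,
            "prev_hop": prev,
            "next_hop": layer["next"],
            "knows_origin": prev == client,    # this hop talks directly to the client
            "knows_content": blob == message,  # the bytes it forwards are plaintext
        })
        prev = name
    assert layer["next"] == destination
    return blob, views


def links_origin_to_content(views) -> bool:
    """True if any single hop saw both who sent the message and what it said."""
    return any(v["knows_origin"] and v["knows_content"] for v in views)


def demo():
    message = b"meet at the usual place"  # constructed sample message
    three_hop = [(n, secrets.token_bytes(32)) for n in ("guard", "middle", "exit")]
    vpn_style = [("vpn", secrets.token_bytes(32))]  # one relay sees both ends
    delivered, tor_views = run_circuit(three_hop, "dest.example", message)
    _, vpn_views = run_circuit(vpn_style, "dest.example", message)
    return {
        "delivered": delivered,
        "tor_links_origin_to_content": links_origin_to_content(tor_views),
        "vpn_links_origin_to_content": links_origin_to_content(vpn_views),
        "tor_views": tor_views,
    }


if __name__ == "__main__":
    result = demo()
    for v in result["tor_views"]:
        print(v)
    print("three-hop circuit links origin to content:", result["tor_links_origin_to_content"])
    print("single-hop (VPN-style) links origin to content:", result["vpn_links_origin_to_content"])
```

In the three-hop run the guard records the client as its previous hop but forwards only ciphertext, the exit recovers the plaintext but only ever hears from the middle relay, and the middle relay sees neither; the single-hop run shows the relay knowing both at once, which is the position a VPN provider or a non-anonymous chat server is in. Two caveats a practitioner should keep in mind: the exit (or the destination server) still sees plaintext unless the application layer is itself end-to-end encrypted, and the guard still sees the client's IP address, which is why the answer stresses opsec on top of the network design.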

There are some realities that you might not be aware of:

  • Telegram has a web portal
  • You could use one of the many "free temporary" phone number services to register with
  • Some of Telegram's code is open, so it's not totally closed

So, with a VPN and a temporary SMS number, you can use Telegram with sufficient anonymity from services and end users.