- Confidential and Proprietary - Luminar Annual Threat Landscape Report Page 1

1 Executive Summary

The following report investigates the rising popularity of Telegram among cybercriminals and analyzes the shift of cybercrime from Dark Web platforms to Telegram. We shall review the conventional cybercriminal platforms on the Dark Web (forums, marketplaces, and data leak sites) and compare them with the relatively new platforms emerging on Telegram, while providing historical background and a technical overview.

To explain this shift, we shall analyze the different possible factors which push cybercriminals from Dark Web platforms to Telegram. These include – among others – recent crackdowns by law enforcement authorities on prominent Dark Web platforms, as well as problems of accessibility, anonymity, and restrictions that users of such platforms face.

Further down, we shall dive into the stats and examine this trend by analyzing an extensive dataset of cybercriminal activities collected from Dark Web platforms and Telegram groups and channels. Finally, we shall assess the possible implications of this shift on both cybercriminals and law enforcement authorities.

1.1 Dataset and Methodology

The dataset used throughout this report has been collected from various platforms and consists of:

+ Billions of posts published on Telegram groups and channels.
+ Billions of posts published on Dark Web markets, forums, and automated stores.

To narrow the scope, we have only taken data published since the beginning of 2019, extracted solely from Dark Web platforms and Telegram groups and channels containing cybercrime-related content.

Acknowledging our own limitations, it is important to note that the dataset cannot encompass the entirety of cybercrime-related content on these platforms.
The above is especially true for Telegram and much less so for Dark Web platforms, as anyone, even those without special resources or technical knowledge, can open a Telegram group or channel and start sharing illegal materials. New channels and groups open daily, many of them hidden from sight. Whereas coverage of Dark Web platforms is much more comprehensive, an all-encompassing collection from Telegram is virtually impossible. Nevertheless, based on the vast dataset we do possess, and after reviewing similar publications by our peers, we can assess with confidence that our Telegram dataset is representative, even if it is not fully comprehensive.

Using the data collected from these two source types, we ran our own ontologies, developed over the years, to categorize the posts according to different themes. These themes range from the sale of breached databases and trade of credit card information to tailor-made DDoS attacks and hacking services on demand. However, in this report we focus on three themes. Due to the different nature of each source type, we used different ontologies in Dark Web and in Telegram to detect the same