We present the first large-scale analysis of 339 cybercriminal activity channels (CACs). Followed by over 23.8 million users, these channels share a wide array of malicious and unethical content with their subscribers, including compromised credentials, pirated software and media, social media manipulation tools, and blackhat hacking resources such as malware, exploit kits, and social engineering scams. To evaluate these channels, we developed DarkGram, a BERT-based framework that automatically identifies malicious posts from the CACs with an accuracy of 96%. Using DarkGram, we conducted a quantitative analysis of 53,605 posts shared on these channels between February and May 2024, revealing key characteristics of the content. While much of this content is distributed for free, channel administrators frequently employ strategies such as promotions and giveaways to engage users and boost the sales of premium cybercriminal content. Interestingly, these channels sometimes pose significant risks to their own subscribers. Notably, 28.1% of the links shared in these channels contained phishing attacks, and 38% of executable files were bundled with malware. Analyzing how subscribers consume and positively react to the shared content paints a dangerous picture of the perpetuation of cybercriminal content at scale. We also found that the CACs can evade scrutiny or platform takedowns by quickly migrating to new channels with minimal subscriber loss, highlighting the resilience of this ecosystem. To counteract this, we utilized DarkGram to detect emerging channels and reported malicious content to Telegram and affected organizations. This resulted in the takedown of 196 channels over three months. Our findings underscore the urgent need for coordinated efforts to combat the growing threats posed by these channels. To aid this effort, we open-source our dataset and the DarkGram framework.