IntSights Dark Web IM apps report

Despite not supporting end-to-end encryption, the Discord service is insanely popular among Dark Web cyber-criminals, nine times more popular than the second-ranked Telegram app, according to a report released this week by Dark Web threat intelligence firm IntSights.

The data in this report tracked and recorded all IM invites shared on popular Dark Web cyber-crime platforms between July 2016 and July 2017, in an effort to gauge IM usage among cyber-criminals.

IM usage among cyber-criminals increased 30 times

First and foremost, the study's results showed a whopping 30-times increase in IM app usage among cyber-criminals.

Your first thought would make you believe this was a result of the takedowns of three popular Dark Web marketplaces — AlphaBay, Hansa, and RAMP — but this is not so, as these takedowns took place in July, right at the end of the study's data collection period, having limited impact on the final result.

This shows that the Dark Web cyber-crime community moved toward IM applications on its own, unaffected by the lack of trading platforms, but choosing mobile apps due to their commodity.

Discord nine times more popular than second-ranked Telegram

Remarkable was the popularity of the Discord app among cyber-criminals, a service that bluntly refused to support end-to-end encryption, exposing crooks to law enforcement requests for user data.

"Discord’s popularity is surprising, given that it is one of the smaller mobile messaging app platforms with 45 million users," IntSights experts noted.

As the graphic below shows, Discord is not a current fad but was always a favorite among cyber-criminals during all the study's data collection period.

IntSights IM chart

For clarification, a similar report released by fellow cyber-security company Flashpoint in April doesn't even mention Discord, but this could be because of how the two companies collected data, with IntSight focusing on invite links to private or group chats.

Nonetheless, some of the details between the two reports coincide, such as the spike in ICQ's popularity this spring, spike also recorded by IntSights.

Tor's Android client is also widely adopted

Furthermore, IntSights also noted an increase in ORBot usage, Tor's Android mobile client, who's total installs grew from just over one million in 2014 to over ten million in 2016.

This suggests that while some criminals are moving towards unencrypted IM clients, they're still funneling their traffic through Tor when on mobile devices.

Mobile usage among crooks is so widespread that the Matanga Dark Web drugs marketplace has started offering a dedicated mobile app in July this year, a sign of the trend to come, where illegal marketplaces are also offering mobile apps, not only Dark Web portals.

Matanga mobile app

Image credits: IntSights