Criminal marketplaces¶

The infrastructure supporting cybercrime includes dedicated marketplaces where stolen data, malware, and access credentials are bought and sold. The landscape has shifted over time as law enforcement has taken down prominent Dark Web markets; the response has been fragmentation and migration to more accessible platforms.

The current picture¶

Telegram channels have become a significant venue for trading stolen data and crimeware. The platform’s accessibility, relative to Tor-based markets, has made it attractive to both operators and buyers. Enforcement actions against Telegram-based criminal groups have increased, but the low barrier to creating new channels means disruption is temporary.

Dark Web markets continue to operate alongside the Telegram ecosystem rather than having been replaced by it. Platforms like InTheBox (focused on mobile malware and overlay attacks), 2Easy, and Russian Market trade in stolen browser data, credentials, and access packages. Reviews, ratings, and dispute resolution mechanisms give these markets a degree of reliability that makes them function as genuine markets rather than simple scams.

What is available¶

Stolen credential packages, categorised by account type and verified status. Pre-configured malware builds with infrastructure included. Access to compromised systems sold by the session or as persistent access. Ransomware affiliate programmes. Identity documents.

The existence of markets with quality ratings and repeat sellers indicates that this is an established economic ecosystem, not a collection of isolated actors. The criminal infrastructure is, in most respects, more mature than defenders find comfortable to acknowledge.