Roy Ricaldi will present the DefMal webinar entitled :

Hunting CTI on Telegram: Towards Effective Cybercriminal Community Discovery

Telegram has become a central coordination and vast distribution hub for cybercriminal activity, offering anonymity, scalability, and low entry barriers that make it both attractive to offenders and difficult for analysts to monitor. As a result, Cyber Threat Intelligence (CTI) teams require updated methods to track these illicit communities, but little is known about how different discovery strategies perform or what their outcomes reveal about the broader ecosystem. We present TeleHUNT, a modular, language-model–driven tool for cybercriminal community discovery on Telegram. We employ TeleHUNT to classify discovered communities into six market segments (cyberattacks, digital piracy, infrastructure, fraud tools, personal data, and tutorials) and evaluate the efficiency, accessibility, and saturation produced by different tool configurations, and reframe discovery performance into insights about the ecosystem. Using both open web and dark web seeds to snowball on, we collected 6,022 communities, 172,385,463 messages, and 2,392,741 unique users. After testing 28 configurations, we found that link-based strategies maximized coverage but suffered high noise, while forward-based methods achieved near-perfect precision with limited reach. Saturation modeling shows highly interconnected growth in market segments dedicated to fraud tools and cyberattacks, with other segments plateauing quickly. Further, while open web seeds yield more communities, combining both open and dark web seeding is best for maximum coverage. With these insights, TeleHUNT enables effective CTI collection and structural analysis of Telegram’s cybercrime economy.

Speaker Bio:

Roy Ricaldi is a PhD candidate in Cybercrime at Eindhoven University of Technology, where his research advances cybersecurity through threat analysis and the study of evolving cybercriminal ecosystems. His work examines the organization, capabilities, and behaviors of offenders across illicit online economies, identifying how threats emerge and propagate. His recent publications include studies on trust signals to support trade in Telegram’s cybercrime economy, migratory decisions within underground networks, and attacker actions on honeypot platforms. By combining artificial intelligence, quantitative monitoring tools, and qualitative methods, he develops frameworks to enhance threat intelligence and strengthen defenses against emerging cyber risks.