We may have expected, one way or another, new controversies following the Telegram saga. After the CEO’s arrest and the announced privacy shift, culminating in reports of data being shared with law enforcement, everyone started asking: “Where will the bad actors go now that Telegram is compromised?”
This article will focus on answering this question, but the answer might not be what you want to hear.
As with any question that is on a lot of people’s minds, news sites, blogs and content-creation sites in general race to answer. However, this raises deeper questions, debates and ramifications:
- Is privacy still a debatable right?
- Should we accept claims that only threat actors and extremists use privacy-focused apps?
- If we know where hackers move, why do attacks keep increasing instead of peaking?
How not to answer: Wired’s misguided take
Wired recently published an article focusing on SimpleX Chat, painting privacy features as problematic simply because they might attract unwanted users.
They ignored the app’s core purpose: protecting human rights defenders, journalists, and everyday users who value their privacy. The article cherry-picked information while overlooking how SimpleX’s design actually hinders large-scale coordination of malicious activities.
This entire ordeal feels a bit like a shakedown after a drug bust went haywire, or after local gangs did things that stirred up the news, in search of a quick response to the public’s demand for answers.
But instead of going for the top players, we just shake down what we already know is there, stirring up a hornets’ nest, and in return the ones that do get away just learn to hide even better.
The answer everyone’s waiting for: Signal?
Signal has also emerged as the go-to answer for secure messaging. But it didn’t really emerge; it was here all along. And it’s a good answer, but we are asking the wrong question.
So, where do hackers move now?
Short answer: nowhere. They weren’t even there in the first place.
Threat actors come in many forms. We can picture someone in a Guy Fawkes mask and hoodie. If we want to imagine state-sponsored actors working in the government buildings of autocracies, or just a regular bad guy who hacks for money, notoriety, or just because, that’s also a valid answer. We can imagine hacktivists who sometimes do a lot of damage to prove a point.
But here’s the reality: the most dangerous threat actors, those causing billions in damage or working for authoritarian governments, don’t announce their communication methods.
Why is that the case?
We must first get one thing straight: most devices in our pockets or on our bodies, with internet and Bluetooth access, are flawed. This includes the ones in our homes, and it extends to operating systems.
So asking which smartphone application the biggest and worst hackers in the world will move to is like asking where drug kingpins move when a couple of street dealers are arrested or a drug house is raided.
So we need to give them some credit: they are as sophisticated as, or even more sophisticated than, the good guys who are writing groundbreaking tech to keep us safe.
This begs a follow-up question: do they even use smartphones? Probably not, or at least not the way we use them.
So, what does this hacker actually use?
Picture this: a laptop, nothing fancy. Most likely purchased with cash from a second-hand store. No traces, no records, just another machine among millions.
Our hacker might be running Linux (Kali being the most used) or, interestingly enough, macOS. M1 MacBooks have been showing up more and more in hacking incidents.
But here’s where it gets interesting: More often than not, they’re working through what we call a zombie machine.
A zombie machine, if you haven’t heard the term, can even mean your computer. A zombie is a compromised computer that can be used, among other things, to be brought into a botnet. So if your computer is compromised and becomes a zombie, that means that when you’re not looking, somebody can use it for malicious purposes. This includes your processing power and your internet connection.
A botnet, as mentioned above, is a network of hijacked computers or IoT devices.
Going back to the description of our hacker: when malicious activity is being carried out, or simply when accessing or communicating on the dark web, they more often than not hide their traces by routing through these zombie machines.
If that is not complicated enough for law enforcement to track, they usually also use VPNs and proxies to reroute their traffic and mask their location even further. As the cherry on top, the browser itself adds another layer that strips identifying data and resists surveillance, using Tor or similar tools.
This may sound strange, but using a virtual machine instead of the bare operating system is also commonly reported, to hide even further.
To summarize how many layers are typically involved:
- Physical machine (often purchased with cash)
- Virtual machine layer for isolation
- Security-focused OS (Kali Linux/macOS)
- Zombie machines for proxy
- Botnet infrastructure
- VPN/proxy chains
- Anonymizing browsers (Tor)
Additional operational security measures, to name a few:
- Different physical locations for each operation
- RAM-only operations (leaving no traces on disk)
- Custom keyboard layouts to avoid typing pattern analysis
But basically we don’t know
There is something like the ‘first rule of Fight Club’ on the dark web: never use the surface web or non-onion links.
So expecting an important hacker group to post its latest attack on Twitter, say, is laughable at best.
Going all in on diverting and hiding traces, only to end up in Meta’s cloud forever, is not something a ‘real’ hacker would do. And if they do, they are the ones we hear about in the news.
Because, as even law enforcement often admits, if they don’t make mistakes they are untraceable; but as we already know, we humans do make mistakes.
Featured photo: Photo by Kevin Ku