Understanding the Illicit Financial Ecosystem on Surface-Accessible Platforms: An Evidence-Based Case Study on Telegram
Kaur, Manikdeep
Abstract
Cybercriminal activity is rapidly migrating from darknet marketplaces to surface-accessible messaging platforms such as Telegram, where stolen financial data and personally identifiable information are distributed at an unprecedented scale. Existing monitoring approaches, designed for centralized underground forums, are ill-suited to the dynamic, ephemeral nature of these platforms, and current victim notification mechanisms operate on timescales of weeks or months, well after exposed credentials have been exploited. This dissertation addresses the problem of understanding and countering this illicit financial ecosystem, with the overarching goal of developing automated methodologies that advance both the theoretical foundations and practical capabilities needed to detect, analyze, and anticipate criminal activity on surface-accessible platforms.
Toward this goal, the dissertation presents three interconnected studies. The first combines machine learning-based image classification, optical character recognition, and automated parsing to extract and categorize fraudulent financial instruments circulating on Telegram, revealing criminal supply chain structures that mirror the sophistication of legitimate business ecosystems, extreme wealth concentration across credential categories, and systematic geographic targeting patterns correlated with neighborhood demographic characteristics. Building on this foundation, the second study develops a monitoring framework, grounded in an extension of Routine Activity Theory to two-stage cybercrimes, that integrates named entity recognition with geographic and institutional attribution to characterize victimization patterns, criminal targeting strategies, and the potential for substantially faster victim notification than current breach disclosure timelines allow. The third study addresses the problem of linguistic evasion by constructing a transformer-based natural language processing framework that quantifies semantic drift, volatility, and co-evolution of criminal vocabulary through incremental fine-tuning of contextual language models on temporally segmented corpora.
Collectively, this research demonstrates that criminal ecosystems on Telegram, while sophisticated and continuously adaptive, exhibit systematic patterns amenable to automated analysis. The dissertation advances criminological theory by extending Routine Activity Theory to surface-accessible platforms, introduces novel methodologies spanning computer vision, natural language processing, and transformer-based semantic change detection, and establishes foundations for predictive monitoring systems capable of anticipating rather than merely responding to evolving criminal threats.
