How to Conduct OSINT on Telegram

As social media sites crack down on what they deem as misinformation, users have flocked to a new ‘free speech’ platform: Telegram.

 Last year, total downloads for the instant messaging app topped 1.0 billion worldwide. And today, more than 900 million people use the service each month.

And for good reason.

 Prized for its privacy features, Telegram once attracted an eclectic mix of criminals, terrorists, political dissidents, hate groups, and internet malcontents. Though in recent years, the site has gone mainstream.

 Which raises the question, should security teams start paying attention to this platform? And if so, what are the best tools and techniques to conduct OSINT on Telegram?

 Let’s dive in.

What is Telegram?

 Dubai-based Telegram, an alt-tech instant messaging app co-founded by exiled Russian billionaire brothers Pavel and Nikolai Durov, closely resembles WhatsApp and Facebook Messenger.

 You can send files, create group conversations, and message other users. And after a long wait, developers introduced a group video calling function similar to Zoom.

 What distinguishes Telegram from other apps, however, comes down to the service’s extensive privacy features.

 Users can enable end-to-end encryption by activating Secret Chat mode. This function prevents anyone outside of a two-way conversation — be it a government, a company, hackers, or others — from reading your messages.

 Moreover, Telegram doesn't track or profile users for advertising. Instead, the app displays sponsored content only on public channels based on the topic of discussion.

 This approach allows Telegram to preserve user privacy while still serving up reasonably precise ads.

 "[...] no user data is mined or analyzed to display ads, and every user viewing a particular channel on Telegram sees the same sponsored messages," the company explains on its website.

 "We believe that everyone has the right to privacy, and technological platforms should respect that."

 Such a commitment to privacy has turned Telegram into a key tool for pro-democracy activists. Protestors have used the app to subvert repressive regimes in countries like Iran, Belarus, Thailand, and Hong Kong.

 More recently, Telegram has emerged as the go-to app for news following Russia's invasion of Ukraine. The site serves as a valuable resource for both refugees escaping the crisis and increasingly Russians looking for alternative news sources.

 And in the days following the attack on his country, Ukrainian president, Volodymyr Zelensky, used Telegram to publish a video message calling on his fellow citizens to resist the Russian assault.

 Group Chats also represent a popular feature.

 Rival messaging services typically limit the size of these groups to a few hundred members. But on Telegram, any user can create a gathering, called Channels, with hundreds of thousands of participants.

 This capacity allows channels to serve as a hub for a community or a one-way news source on a topic of interest. Subjects range from movies and video games to politics and cryptocurrencies.

 Most cities and countries have a dedicated Telegram channel – which can represent an outstanding source for news and commentary around local events.

Source: Telegram.com

Unfortunately, Telegram’s commitment to privacy has turned the site into a hub for criminal activity that now rivals the dark web.

 That has occurred for a few reasons.

For starters, accessing and safely navigating the dark web requires a high degree of technical sophistication. And rival groups can knock any site offline with a simple distributed denial of service (DDoS) attack.

By comparison, users can download the Telegram app straight from the Google or Apple App stores. That allows people, who may not have been able to access such content previously, to stumble into the online criminal underworld.

Operating on Telegram has many advantages for experienced criminals, too.

Outfits can set up an online marketplace with a few clicks of the mouse – no need to invest in a swath of expensive servers. For most products or services, sellers can access a much larger pool of buyers.

And because such communities exploit Telegram’s infrastructure, organizers don’t have to worry about DDoS attacks or other disruptions.

In terms of the type of products for sale in these underground marketplaces, researchers at Norton LifeLock reported criminals selling a wide variety of illegal goods.

Popular products included stolen gift cards, fake documents, bank account credentials, pharmaceutical drugs, hacking tools, stolen passports, and pirated software.

Counterfeit goods represented especially hot sellers on Telegram. Researchers discovered hundreds of accounts and groups selling knock-off products, including purses, electronics, luxury watches, and designer clothes.

Furthermore, Telegram’s limited moderation policies have turned the site into a haven for extremists and hate groups.

Users from these communities exploit the platform to dox targets, spread propaganda, publish disinformation, recruit new members, and network with peers.

How to Securely Set Up a Telegram Account

To start conducting OSINT on Telegram, you will need to set up an account.

Keep in mind that while the app has a reputation for privacy, missteps can reveal your identity to on-lookers.

So if your research takes you to some of the dodgier sections of the site, it makes sense to take extra precautions during the sign-up process.

For example:

• Buy a burner SIM card: You will need a phone number to create your Telegram account. That poses a problem for OSINT analysts, as it means others can connect a sock puppet profile back to you and your company. For this reason, it makes sense to buy a burner SIM card to receive your verification code.

• Use a VPN connection: Group members in some communities conduct counterespionage operations. This is often accomplished by encouraging visitors to click on bogus URLs, which reveal information like your browser, IP address, and keyboard type. When analyzed, this data could give away your location and identity. You can mitigate this risk by connecting to Telegram through a VPN service that disguises your country of origin.

• Register on the mobile app: If you set up a profile with a burner SIM card on a virtual machine, Telegram may flag your account. To avoid this issue, sign up on the mobile app. Then after creating your account, you can switch back to the desktop platform.

• Use a clean phone: After installation, Telegram will scan all contacts on your phone. And from time to time, the app may highlight your account to friends, family, and associates as a suggested contact. So to avoid this operational security risk, always use a clean phone reserved strictly for OSINT investigations.

• Review your privacy settings: Telegram has a swath of adjustable privacy settings. You can restrict who can see your full name, profile picture, account phone number, and when you last logged on. It’s also possible to limit who can contact you through direct messages and voice calls. Adjust these privacy settings based on your risk assessment and the needs of your particular investigation.
  

Telegram OSINT Tools and Techniques

Telegram’s intuitive interface makes the app easy to use and navigate. Still, it's sometimes hard to uncover relevant groups and channels.

To overcome this issue, we’ve highlighted a handful of OSINT tools and techniques that can be helpful when conducting investigations.

• eu: Tlgrm.eu/channels provides the most comprehensive directory of channels from across the platform. Enter the name of the group you’re looking for or some related keywords. If Tlgrm.eu has indexed the page, it will show up in the results.

• Lyzem: Lyzem is a search engine created specifically for Telegram. The tool allows you to search for conversations that mention specific key phrases. Analysts can also use Lyzem to uncover public channels, groups, and users. Useful for corporate analysts who work for organizations that forbid them from creating an account on the site.

• io: IntelX.io has a handy search engine for uncovering content on Telegram. Type a keyword or series of related phrases into the search bar. The query will then return related information from Telegram channels, users, groups, or bots.

• Google search for usernames: A simple Google query can often uncover usernames for people of interest. Enter ‘https://t.me/username into the search bar. If Google has indexed their page, it might pop up in the results.

• Google search for invite links: To join most channels on Telegram, you will need an invite link from an existing member. Thankfully, users often share these links on other forums or websites. You can uncover these invitations by searching Google for ‘https://t.me/joinchat/<hast value>. It’s also helpful to include a few keywords into the search query related to the types of channels and communities you want to find.

• db: Telegram Database allows users to search the platform for public channels, groups, or bots.
  
  

The Bottom Line for Conducting OSINT on Telegram

 Telegram’s raw size in and of itself makes it a valuable resource. And as other social networks keep cracking down on abusive practices, we expect the app’s influence will only grow from here.

 For researchers and analysts, that should make Telegram a go-to place for gathering open source intelligence.