Telegram is currently one of the most important communications apps from the perspective of an online investigator. The service continues to gain huge popularity and, as usually follows when that happens, illegal activity on it is also on the rise.
One of the most notable developments of recent years with Telegram has been the fact that it now practically rivals (or outpaces, in some cases) the darkweb when it comes to accessibility and the number of illicit entities operating on it. There are thousands of individual users that could be classed as shady; there are whole organised groups where one can access illegal content and services, or purchase goods (see the Televend service I previously mentioned here).
The above effects are compounded by automation, with many Telegram communities swarming with bots, employed by nefarious actors of varying degrees of sophistication and capability – from spammers, phishers and investment fraudsters to APTs and even state-sponsored actors.
The threat actor migration from darkweb .onion domains to Telegram could be observed particularly during the Covid-19 pandemic. The dominant types of illegal activities on Telegram included hacking and malware, but it was hard not to notice the emergent trend of data breach and leak channels, created in particular in the aftermath of rising ransomware attacks.
On top of all that, Telegram harbours other threats, many of them non-tech related: hate groups of various provenance, right-wing extremists, terror funding campaigns, state propaganda and scammers of just about any imaginable type.
Interestingly, Telegram itself has a number of vectors of attack (or at least privacy deficiencies) that I’m going to focus on below.
Telegram privacy concerns
- Phone numbers and other data associated with a Telegram account are regularly collected and stored – see the frequently surfacing in-app questions about your phone number being up to date. Also, any time one of your contacts joins the app, you get a notification (and so does everybody else who is on Telegram and has the newly joined person in their contacts).
- Telegram employs encryption of data in transit (between the server and the end user) but not encryption of data at rest – messages that were already sent are stored unencrypted on Telegram cloud servers, where they can theoretically be accessed by Telegram employees or unintentionally released as plain text in the event of a data breach.
- The same goes for groups and channels on Telegram, no matter if they are public or non-public. Anything shared there, including files, multimedia, etc. – none of it is really private.
- When it does encrypt content, Telegram uses MTProto, which is its own encryption protocol that is also used by… well, nobody else. While nothing worrisome has been reported to date (MTProto is open source, after all), this can potentially be problematic, as security flaws in proprietary / obscure protocols are known to be harder to detect than in something that is widely used.
If you care about privacy and security on Telegram, the only way to achieve them is to use Secret Chats.
“Secret chats use end-to-end encryption. This means that all data is encrypted with a key that only you and the recipient know. There is no way for us or anybody else without direct access to your device to learn what content is being sent in those messages. We do not store your secret chats on our servers. We also do not keep any logs for messages in secret chats, so after a short period of time we no longer know who or when you messaged via secret chats. For the same reasons secret chats are not available in the cloud — you can only access those messages from the device they were sent to or from” (source).
Features of Secret Chats:
- End to end encrypted
- They reside on the device as opposed to the Telegram servers
- You can enable disappearing messages
- Messages cannot be forwarded
- If a screenshot is taken by one user, the other chat participant is alerted to this fact
NOTE: Telegram’s Secret Chat feature is available in the mobile app only and is not supported in the desktop app!
Telegram privacy tips
- Location privacy – ensure the ‘People Nearby’ feature is turned off (go to Contacts > Find People Nearby). This feature should be turned off by default – unless you switched it on for whatever reason.
- Phone number privacy – go to Telegram settings > Privacy and Security > Phone Number. From there, select Who Can See My Phone number > Nobody.
- Online status privacy – go to Telegram settings > Privacy and Security > Last Seen & Online. From there, select Nobody to appear permanently offline to other users.
- Profile photo privacy – go to Telegram settings > Privacy and Security > Profile Photo. From there, select My Contacts (there is no option to hide it from everybody in this case).
- Phone call privacy – go to Telegram settings > Privacy and Security > Calls. From there, select Nobody. This means nobody can call you now using Telegram.
- Message privacy – go to Telegram settings > Privacy and Security > Forwarded Messages. From there, select Nobody (note that below you can add individual exceptions to override this rule).
- Group addition privacy – go to Telegram settings > Privacy and Security > Groups & Channels. From there, select My Contacts. This will prevent random users from adding you to groups and channels.
- 2 Factor Authentication – go to Telegram settings > Privacy and Security > Two-Step Verification.
- Additional security – for the extra security minded / paranoid individuals, there are two extra features that can be leveraged:
  1) Disabling the Background Download option in the Data and Storage settings – this will stop the app from automatically downloading media files, giving you better control with regards to deciding what files you want to download and from whom;
  2) Enabling the Link Preview setting – go to Telegram settings > Privacy and Security > Data Settings > Link Previews. This will allow you – nomen omen – to preview links before clicking on them.
This concludes the privacy section – now onto the OSINT part.
NOTE: It is highly recommended to install a desktop app for Telegram in order to conduct OSINT. Here is the official link to the download page. This simplifies searching and allows you to operate on URLs outside of the constrained mobile app environment – for instance, when trying to obtain a channel / group identifier, when downloading content to storage media, etc.
The chat export function is limited to the desktop version of Telegram only. It can be found by opening the chat of interest on the desktop app and clicking the three dots icon in the top right corner.
Note how you can select what your chat export preferences are – as well as pick the size limit for the downloaded files (current maximum size is 4GB).
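An exported chat can then be triaged offline. The sketch below is an added example, not part of the original post: it assumes the export was saved in the desktop app's machine-readable JSON format (result.json), and the field names and sample data are constructed assumptions about that format. It pulls out URLs (including targets hidden behind link text), linked Telegram channels / invite links, mentions and per-sender message counts.

```python
import json
import re
from collections import Counter

# Constructed sample shaped like Telegram Desktop's JSON export (result.json).
# The field names are assumptions about that format; verify against a real export.
SAMPLE_EXPORT = json.dumps({
    "name": "Example Channel", "type": "public_channel", "id": 1000000001,
    "messages": [
        {"id": 1, "type": "service", "action": "create_channel", "text": ""},
        {"id": 2, "type": "message", "date": "2022-03-01T10:05:00",
         "from": "Example Channel", "from_id": "channel1000000001",
         "text": ["Mirror: ", {"type": "link", "text": "https://t.me/example_mirror/15"},
                  " contact ", {"type": "mention", "text": "@example_admin"}]},
        {"id": 3, "type": "message", "date": "2022-03-02T09:00:00",
         "from": "Example Channel", "from_id": "channel1000000001",
         "text": ["Join ", {"type": "text_link", "text": "here",
                            "href": "https://t.me/+AbCdEfExample"},
                  " or see https://example.org/paste"]},
    ]})

URL_RE = re.compile(r"https?://[^\s<>]+")
TME_RE = re.compile(r"https?://(?:t\.me|telegram\.me)/(\+?[\w-]+)", re.I)

def flatten(text):
    """'text' is a str, or a list mixing str and entity dicts; return (plain, hrefs)."""
    parts = [text] if isinstance(text, str) else text
    plain = "".join(p if isinstance(p, str) else p.get("text", "") for p in parts)
    hrefs = [p["href"] for p in parts if isinstance(p, dict) and p.get("href")]
    return plain, hrefs

def summarise(export_json):
    """Collect URLs, linked Telegram entities, mentions and per-sender counts."""
    chat = json.loads(export_json)
    urls, handles, mentions, senders = set(), set(), set(), Counter()
    for msg in chat.get("messages", []):
        if msg.get("type") != "message":   # skip joins, pins and other service events
            continue
        senders[msg.get("from_id") or "unknown"] += 1
        plain, hrefs = flatten(msg.get("text", ""))
        found = set(URL_RE.findall(plain)) | set(hrefs)  # visible URLs + hidden targets
        urls |= found
        handles |= {m.group(1) for u in found if (m := TME_RE.match(u))}
        mentions |= set(re.findall(r"@\w{5,32}", plain))
    return {"urls": sorted(urls), "telegram_entities": sorted(handles),
            "mentions": sorted(mentions), "senders": dict(senders)}

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_EXPORT), indent=2))
```

For a real export, read the file with `open("result.json", encoding="utf-8").read()` and pass the contents to `summarise()`.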
Telegram search engines
- Commentgram – a Google custom search engine for Telegram comments in channels.
- Lyzem – advertised as “an independent search engine created specifically for Telegram and Telegraph platforms”. Solid tools for searching keywords, channels and publicly available groups. Contains an integrated service that allows users to index posts – the @IndexPost_bot.
- Telegago – a dedicated Google custom search engine for Telegram.
- Telemetr – Telegram channels catalog in the Russian language.
- Telemetrio – huge list of Telegram channels ordered by rating, popularity, country, etc.
- TgramSearch – another search list in the Russian language.
- TGStat – contains a large selection of searchable catalogs and metrics for channels from a specific country.
- Tlgrm EU – list of various channels grouped by their category. This site maintains a directory of channels that users can add to after completing a form.
- CSE from Osintme – my own Google custom search engine for Telegram.
- Other CSEs for Telegram – there are many custom-built search engines like my own (mentioned above) or Telegago, yet their search results might all differ slightly, based on the sources they index and also on how up to date those sources are. Here is another example of a solid Telegram CSE (author unknown).
Open source tools for Telegram OSINT
Descriptions of the tools are provided within the links. The usual caveats apply – open source tools might give varied results, depending on various factors such as recent changes to privacy settings, tool updates or the level of continuous development / lack of development by the tool’s creator.
OSINT channels on Telegram
Whether you’re after OSINT updates, news, techniques or general OSINT practitioner knowledge, you’re bound to find what you’re looking for in one of these channels.
Note that these are general OSINT channels and not Telegram OSINT specific ones.
Additional sources of knowledge
Existing resources and Telegram related content from the wider OSINT community:
- Leveraging Telegram for OSINT purposes – a presentation by Nico “Dutch_Osintguy” Dekens.
- Telegram OSINT Basics – blog post by hatless1der.
- Telegram Chats & Media – an overview of search techniques by Osint Combine.
- Browser-Based Instant Messaging Apps OSINT Tips & Techniques – by Skopenow.
- How to Get Data From Telegram Using Python – by Amir Yousefi.
- How to Archive Telegram Content to Document Russia’s Invasion of Ukraine – from Bellingcat.
- Awesome Telegram OSINT – a dedicated Telegram OSINT repository on Github.
- Geolocating Telegram users with Telepathy – an article and a video by Jordan Wildon.