OSINT Methodology: How to Investigate Illegal Content in Telegram Chats
Tips for cybercrime investigators
Intro
In this article, I will share a brief methodology on how to investigate the distribution of illegal content on Telegram for cybercrime investigators.
This is a new format of posts for me. As an OSINT investigator and tool developer, I’ve always understood the value of showing users how exactly an OSINT tool works and how to use it. However, I’ve often seen that technical explanations give way to simpler and sometimes even marketing-oriented materials. Why? Because they present reaching the end goal in a more understandable, sometimes simplified form, which provides more clarity for many people and thus more value.
Feel free to share feedback in comments on what can be improved and what additional information should be included. Also, don’t forget to like and repost if you want me to make such articles regularly!
Example: Anti-Drug Trafficking
An investigation graph built in SL Crimewall
The Telegram ecosystem contains a significant number of chats with illegal content. These chats are frequently deleted and new ones appear, making them difficult to access and monitor. However, for investigations, it is critically important to know how to find them.
My experience shows that one of the most effective methodologies is as follows:
1. Start with Geolocation Search: Many Telegram groups are linked to specific locations, e.g., for local drug sales.
2. Identify Group Admins: The accounts of admins will be visible even when group members are hidden.
3. Find Other Groups Admins Belong To: This is easy to do with archived data from similar chats.
4. Analyze Messages and Members: Study other groups to understand the group structure and identify active members. Don’t forget that reactions to messages are also a useful source of information!
5. Extract Phone Numbers: Reveal the real identifiers of those involved in illegal activities.
While steps 1, 2, and 4 are usually straightforward, steps 3 and 5 require additional tools, usually ones that have gathered a database of chats, accounts, and phone numbers. My personal favourites are @tgscan_clone_robot, @ChatSearchRobot, @tgdb_bot, and @SangMata_beta_bot.
Example: Counter-Terrorism
An investigation graph built in SL Crimewall
Open Telegram channels and chats of this type are relatively quickly removed. Nevertheless, they constantly reappear and need to be monitored. In addition to common infiltration practices, I can share a few tips that can help identify even the members of channels (which, as you should know, do not disclose their subscribers by definition).
1. Study Channel Comments: If there are comments, it means that a discussion chat is connected to this channel. Using Telegram’s standard functionality, you can access this chat and study it.
2. Analyze Messages and Members in the Discussion Chat: Logically, people joining such a chat are often subscribers of the channel. However, it’s important to note that members can write in the chat separately, so their messages might not appear in the comments. By studying the chat members and their messages, you will gather much more information than from the comments.
3. Identify Group Admins: Again, the accounts of admins will be visible even when group members are hidden: this can be used to identify other chats that need to be monitored.
4. Find Other Groups Or Other Channels: Don’t forget that for open channels, Telegram allows you to find similar channels with overlapping subscribers, which can be extremely useful for studying the group’s structure (and I’ve made a tool for it).
5. Extract Phone Numbers: Reveal the real identifiers of those involved in illegal activities. Again, this step can be challenging, but depending on your region of interest, there are various tools (including pivots in social networks through various SOCMINT techniques) that can help you obtain this information.
Outro
These are just two simplified instructions on how to investigate the distribution of illegal content on Telegram. In my work, I constantly encounter similar cases and help many people investigate them, both through consultation and by improving tools.
If you like this format, please like and share this post—I’ll know that it’s genuinely useful. If you don’t like it, just do nothing :)
But if you want to know how I and the tools I help develop can assist you as quickly as possible, leave a request at the link below, and I will do my best to assist you.
Thanks for reading!
Hey, thank you so much for this! As someone who started programming to create something that hopefully helps the world, this article scopes in the ambition. It's also comforting to see that it is plausible.
And that... is all I need.
Breathtaking article. Let me know if you’d like to collaborate on the software and research side of things.