
Telegram OSINT Basics: 5 Tips Anyone Can Do Right Now

Last updated on August 28, 2022

A while back I posted a companion blog that was mostly a list of links from a talk I did on Telegram OSINT at the 2022 National Child Protection Task Force conference. The idea behind the talk was approaching Telegram for an OSINT investigation in the lowest-barrier ways possible, meaning not having an actual account on the platform, and utilizing a web browser rather than using the app on a mobile device. Is that you?
Many investigators either can’t get an account on Telegram (it does require a phone number) or only utilize a web browser for their investigative work, and while it’s not the most revealing approach… there are still plenty of things you can do to research Telegram “from the outside” and I’ve listed 5 big ones here. This should help get you started if Telegram is new to you or you find yourself restricted in your access.

A very quick primer on Telegram for the non-users… At the core of its purpose, it is simply an app for messaging and disseminating information. That can (most often) be from user to user, from user to an audience via a Channel, or from multiple users in a Group amongst each other. There are other features and nuances, but this is what you’ll find at the core.
Now let’s get down to some OSINT business…

  • Dorks! (Advanced Search Operators)

Whether you’re looking for Users, Bots, Channels, Groups, or something else… Good ole’ fashioned Dorks are your best friend. All you really need to know is the Telegram URL structure to craft your site-specific search, and some key words of interest. You’ll find Telegram content indexed by Google and other search engines in a couple common domains: t.me and telegram.me, which you can ask your search engine of choice to limit their results to when querying your little heart away. For example:

In Google, Bing, and DuckDuckGo –> site:t.me cryptocurrency
In Yandex –> url:t.me cryptocurrency

Each of these searches will return results in the respective search engines that have been indexed specifically from t.me URLs and have the word cryptocurrency on the page. Changing t.me to telegram.me would provide you with results found under the telegram.me domain name. I show several variations because there’s ALWAYS a chance that what you’re looking for may not be in the first place you look, so keep flipping those rocks!

When you think about the kinds of things people share in the bio or description section of their profiles, you may not be surprised to know that I’ve found names, emails, phone numbers, crypto wallets, websites, links to other socials, and many other potentially useful things. Get creative with what you seek!

There are several Google Custom Search Engines (CSEs) that are pre-built to search for Telegram content specifically and return it in an easy-to-navigate result list. These are some of my favorites, and there are more in the prior blog post:
CSE “Telegago”:
https://cse.google.com/cse?q=%2B&cx=006368593537057042503%3Aefxu7xprihg
CSE by Francesco Poldi:
https://cse.google.com/cse?cx=004805129374225513871%3Ap8lhfo0g3hg
CSE “Commentgram”:
https://cse.google.com/cse?cx=006368593537057042503:ig4r3rz35qi#gsc.tab=0

  • View Full Description

OK, this is a fun one. Probably my favorite one. When you find yourself on a profile of interest, or perhaps a private group page that you can’t join, and you’re only collecting/analyzing what you can see from the public description… do you realize that there might actually be more than meets the eye? Have a look at this example:

So if you’ve reviewed the photo and just said to yourself “Griffin, you moron, everyone on planet earth already knows how to get the rest of that linked profile followed by the 3 dots. This is the most worthless advice you’ve ever given me!” First of all… I’ve no doubt given way worse advice than this, even just today. Second of all… of course that’s not the thing!

The amount of information that can be in one of those descriptions is much bigger than what you can see in the browser, and there’s actually a decent chance that you’re missing out on something useful, even beyond the obvious. But how do you get to the rest? You right click, right click, right click your way to victory™ of course!
Right click on and inspect the element which contains that text, and have a look at what’s in the code. As you hover over the different elements in the inspector, you might notice that the corresponding parts of the page are being highlighted, making it easier to find the piece you’re looking for. You may have to click on some of those little triangles to expand the drop-down details, but eventually you’ll find the element for “tgme_page_description” just like below:

Boom! What was previously unseen is now perfectly available to your investigative curiosity. Say it with me… MOAR WORDS! Yep, there’s more words than what you could see or even what you thought you were going to see. Much more in fact!

What if I told you I had an example where you’ve landed on a private group, and hidden on the page are their Instagram account, their Facebook account, and their custom bit.ly join-group link?? (that’s the kind of thing they probably post around the internet on other platforms you may wish to find them by the way) Well, of course it’s true:

So now you see that there may be more than meets the eye, and that’s very exciting, but I can literally hear some of you while I’m typing this saying to yourselves “Inspecting elements? Code? What do I look like, that guy from Mr. Robot?” Never fear! My good friend and fellow OSINT smart-guy webbreacher crafted a simple one-liner bookmarklet to make viewing the contents of this element as simple as the push of a button. Literally!

All you do is copy the following text, go into your browser bookmarks, create a new bookmark, and paste the text where you would normally put the URL for a bookmark and save. Give it a name you will remember and ba-da-bing:

javascript:(function()%7Bvar a %3D document.getElementsByClassName('tgme_page_description')%5B0%5D%3B alert(a.innerText)%7D)()

So now, when you’re on a Telegram profile, like the one above at https://t.me/joinchat/C-bhhEwufsxZaUsv0TiSdA, you just click that bookmarklet in your bookmarks bar and there you go! The element pops up on your screen for easy viewing like so:
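
An offline equivalent of the bookmarklet, as an added example that is not from the original post or from webbreacher: it reads saved page HTML and returns the whole tgme_page_description text plus the link targets behind each label, which innerText alone does not show. The sample markup, hosts and handles are constructed placeholders.

```python
from html.parser import HTMLParser

VOID_TAGS = {"br", "img", "hr", "wbr"}  # never closed, so no nesting change

class DescriptionParser(HTMLParser):
    """Collects all text and links inside the tgme_page_description element."""

    def __init__(self):
        super().__init__()
        self.depth = 0       # > 0 while inside the description element
        self.done = False    # True once the first description has closed
        self.parts, self.links = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self.depth == 0:
            classes = (attrs.get("class") or "").split()
            if not self.done and "tgme_page_description" in classes:
                self.depth = 1
            return
        if tag == "br":
            self.parts.append("\n")           # keep the author's line breaks
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])  # link target, not just its label
        if tag not in VOID_TAGS:
            self.depth += 1

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID_TAGS:
            self.depth -= 1
            self.done = self.depth == 0

    def handle_data(self, data):
        if self.depth:
            self.parts.append(data)

def extract_description(html):
    """Return (full_text, links) from saved t.me page HTML."""
    parser = DescriptionParser()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts).strip(), parser.links

# Constructed sample, not a real page; hosts and handles are placeholders.
SAMPLE = (
    '<div class="tgme_page_title">Example Group</div><div class="tgme_page_description">'
    'Join us!<br>IG: <a href="https://instagram.example/placeholder">@placeholder</a><br/>'
    'Backup: <a href="https://short.example/join-placeholder">join link</a></div>'
)
```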

  • Channel Preview URL Edits

When you preview a channel by clicking on the option available on the channel page you’ve located, if you’re lucky, you’ll find yourself in a sea of messages, beginning with the most recent. Exciting, right? Well, we all know that even the dumbest of us are smarter today than we were yesterday, so when was the most likely time that someone in a Telegram channel made an opsec mistake and leaked useful information? The beginning of course! So let’s say you’ve landed yourself here, alllllll the way at message #6,692 (see URL):

As you can see, the URL you’re starting on is t.me/areaofhacking/s/6692. Now, it’s obvious to you astute readers at home that changing that number on the end will immediately take you to a different post, but here’s a quick edit you can make to help in breaking down your research and review into manageable bites:

t.me/areaofhacking?before=100

This gives you the first 100 channel messages starting at 100, 500, 1000… whatever number you stick on the end. Great for when you have to break your review down into parts as you go on beer runs throughout the course of the day.

  • Getting The Exact Date & Time

When previewing a channel or (while logged in) looking at a specific message, you may need to find the exact date and time it was posted. Down in the lower right corner of the message you’ll see (while previewing a channel for example) a time. If you click that time, you’ll be taken to a static URL for that particular message, where you will then find the date added, like below:

Now, this isn’t EXACT, as you are no doubt ready to tell me… and when it comes to details, you and I are very concerned with being exact, so we’re going to dig deeper. Once again, we’re going to right click our way to victory and by right clicking on the time/date stamp & choosing inspect, we’ll be looking at the element “tgme_widget_message_date”, something like this:

If you’re paying close attention, which of course I know you are, you’ve noticed that there are 2 different times there. This may seem confusing, but never fear! The first time is in UTC, and the second time is translated to your (suspected) local time. If you’re doing things to obscure your machine, browser, location, etc… well that 2nd time may not be accurate, but you can always bet on UTC to be correct, which is exactly why Al Gore invented it!
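
The same comparison in code, as an added example that is not part of the original post: it pulls both times out of saved HTML and puts the UTC value next to the time a viewer at a given offset would be shown. It assumes the stamp sits in a `<time datetime=...>` child of the tgme_widget_message_date link; the sample markup and channel name are constructed.

```python
from datetime import datetime, timedelta, timezone
from html.parser import HTMLParser

class MessageDateParser(HTMLParser):
    """Reads <time datetime=...> inside each tgme_widget_message_date link."""

    def __init__(self):
        super().__init__()
        self.current, self.in_time = None, False  # date link being read
        self.records = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        if tag == "a" and "tgme_widget_message_date" in classes:
            self.current = {"url": attrs.get("href"), "raw": None, "shown": ""}
        elif tag == "time" and self.current is not None:
            self.current["raw"] = attrs.get("datetime")  # machine-readable stamp
            self.in_time = True

    def handle_data(self, data):
        if self.in_time:
            self.current["shown"] += data.strip()        # what the page displays

    def handle_endtag(self, tag):
        if tag == "time":
            self.in_time = False
        elif tag == "a" and self.current is not None:
            self.records.append(self.current)
            self.current, self.in_time = None, False

def message_times(html, viewer_offset_hours):
    """Per message: permalink, UTC stamp, and the stamp at the viewer's offset."""
    parser = MessageDateParser()
    parser.feed(html)
    viewer_tz = timezone(timedelta(hours=viewer_offset_hours))
    results = []
    for rec in parser.records:
        stamp = datetime.fromisoformat(rec["raw"]) if rec["raw"] else None
        if stamp is None or stamp.tzinfo is None:
            continue  # no offset in the attribute: do not guess a timezone
        utc = stamp.astimezone(timezone.utc)
        results.append({"url": rec["url"], "shown": rec["shown"], "utc": utc.isoformat(),
                        "viewer": utc.astimezone(viewer_tz).isoformat()})
    return results

# Constructed sample (placeholder channel and values), not captured from Telegram.
SAMPLE = ('<a class="tgme_widget_message_date" href="https://t.me/example_channel/101">'
          '<time datetime="2022-08-28T02:10:00+00:00" class="time">22:10</time></a>')
```

With a viewer offset of -4 hours the sample message lands on the previous calendar day, which is why the UTC value is the one to record.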

  • Using Archives

Last tip for ya here, and it just might be the one that makes or breaks your next Telegram investigation. Don’t forget about the archives! When you find yourself reviewing Telegram content, you might just be surprised to find that the channel you’re reviewing has been archived in the past using everybody’s 2 favorite archive (yes, I know there are others) sites- archive.org and archive.ph (or archive.today or archive.is or whatever the hell tld they’re using at the moment). Each one of those sites will allow you to search for the Telegram URL you’re interested in and see what’s in their archives. Don’t forget about trying t.me and telegram.me when you search!
One final little bonus tip along the same lines… Try checking the Google cache version of a page to see if it may have been recently changed. Here’s an example of a user who has no text content in their bio, but a quick search using either a cache: search operator followed by their URL or by clicking the 3 little dots next to them in Google search results to view the Cache button shows us that the bio recently had some text in it after all, and that was captured by Google before it was changed! See the side-by-side comparison:

Well, I said 5 tips and we got through 5 tips. I hope you picked up something new, or perhaps picked up an idea you can try elsewhere in your investigative work, even if it’s not in Telegram! Some of these things are concepts that are useful across a wide variety of investigative work. Remember, nothing beats relentless curiosity, so keep looking and keep flipping over those rocks!
