The importance of Telegram data
While most Telegram data is benign in nature, some of it is not. Various groups—from mercenaries fighting in the war in Ukraine to fraudsters attempting to cash out a check—use the platform to communicate, transact, organize, and disseminate information, some of which may be relevant to an organization’s risk profile.
As a result, the instant messaging, voice, and video messaging service has become an increasingly popular—and often essential—source of information for open-source investigations. These investigations uncover a variety of cyber and physical threats that organizations in the public and private sectors should be actively monitoring in order to protect their assets.
The role of OSINT
Security and intelligence professionals, such as cyber threat intel analysts, look to open source data to gain a deeper and more timely understanding of threats—from public safety and national security issues to workplace security, executive and brand risk, and fraud.
Let’s define open source intelligence, commonly referred to as OSINT. Open source intelligence is derived from publicly available information (PAI), such as government documents, public records, news sources, and the surface web. It can also include social media platforms, messaging apps like Telegram, and data from illicit communities that are commonly associated with the so-called deep and dark web.
The role of Telegram
Nearly 10 percent of the global population—that’s more than 700 million people—relies on Telegram for their day-to-day communications and news consumption. It’s a global phenomenon of instant information and entertainment. It is also notable for its privacy protocols and end-to-end encryption between 1:1 parties.
While anybody could arguably conduct an OSINT investigation, Telegram’s popularity has, over time, made separating the signal from the noise much more difficult. The very best intelligence analysts are able to maneuver through a dense and complicated landscape that often requires expertise in a particular region, language, demographic, or topic in order to decipher relevant threats originating from various groups or channels. When threats can be located, validated, and reported, this is when the magic happens—and security teams can accomplish their missions of preventing or mitigating risk.
The uses of Telegram data in OSINT investigations can be applied to a wide range of security and intelligence missions, from identifying fraud and data leaks to gaining situational awareness of troop movements and public safety concerns.
One of the more recent and pressing use cases for Telegram and OSINT investigation is Russia’s ongoing invasion of Ukraine. In March, at the beginning of the full-scale invasion, we reported on the growing influence of Telegram—which was created in 2013 by Pavel Durov, a Russia-born tech entrepreneur who has, to a large extent, managed to withstand pressure from Russian authorities and keep Telegram free and clear of oversight.
While Telegram is not the only important social media and communications platform used by Russians to communicate about the war – e.g. pro-Kremlin influence campaigns are usually conducted on other social networks, such as VK and Odnoklassniki – its unique position as largely free of government interference has made it an obvious choice for both critics of the war to share information and organize, and for emerging nationalist voices whose position is not always aligned with the authorities.
In September, we reported on Russian mercenary groups and private military companies operating in Ukraine, including the “Russian Imperial Movement” (RIM), “Wagner Group,” and Task Force Rusich, which continues to rely on Telegram for organizational needs, including funding.
Telegram has also increasingly been used to aid cryptocurrency cashout operations via Telegram bots; to sell narcotics in an automated and decentralized manner, especially after the takedown of the Hydra darknet market in April 2022; and to buy and sell stolen credentials that can be used in other fraud operations.
Last year, after the US announced it would be permanently pulling troops out of Afghanistan, we also reported on images shared on Telegram by members of an unofficial pro-Iranian regime channel that showed evidence that Iran was allegedly purchasing US military hardware from the Afghan Taliban.
Telegram has become essential for corporate security missions:
- Executive protection. Using Telegram for open source investigations enables analysts to find conversations about high-profile personnel that could indicate risks related to information leaks, doxing, or physical threats.
- Physical security. Cyber intel analysts can look to Telegram in order to identify groups or individual threat actors who may pose a physical threat to a business, including an office or event space, or a situational risk, such as a gathering that could impede normal business operations.
OSINT investigations on Telegram can help organizations mitigate fraud-related threats by finding threat actors who are actively buying and selling stolen credit cards, credentials, fake documents, and other illicit goods.
National security and public safety
For the public sector, Telegram is a critical source of online information for understanding global conflicts, extremist activity, and trends and key topics in the public discourse. In 2020, for instance, Telegram enabled Belarusian citizens to organize—first to replace the government’s disastrous COVID-19 response with solidarity networks, then to protest against a rigged presidential election, and finally to maintain access to news amidst a brutal crackdown on the opposition movement.
Flashpoint, Telegram, and OSINT
To learn more about how Flashpoint can help you leverage Telegram for open source investigation and mitigate risk across your organizations, sign up for a free trial today.