Telegram is a popular messaging and social networking platform that offers a variety of features within its channels, including text, voice, and video communication. This broad spectrum of tools presents both legitimate and potentially malicious uses.
With Telegram, it's not just text and voice, but also video calls, that can be used for large-scale coordination and communication. This ability to hold conference group video calls can be leveraged by threat actors, providing them with new avenues to communicate and coordinate their activities at scale. Considering the de-platforming that occurred after the US Capitol riots, an unmoderated platform presents the risk that a groundswell takes hold without any ability to remove inappropriate content.
The use of alternative tech platforms for propagating questionable content is not a novel concept. However, Telegram's video chat feature could present an added risk, enabling groups to cultivate a following within closed or open channels and utilise more immediate, emotive tactics to coordinate or energise followers, amplified further by real-time feedback.
This article pivots on two key objectives: demonstrating how to extract media directly from channels and understanding the workings of the video call feature.
Note: This article assumes readers can access Telegram directly for native collection using a persona or account. Here, it's crucial to apply appropriate operational security considerations. While numerous resources facilitate non-native Telegram searching and exploitation, this piece focuses more on direct channel monitoring.
There are several ways to access Telegram for native viewing:
Of course, there are plenty of bespoke services, websites and databases. This article is focused on native access for source validation and verification.
If the priority is speed and efficiency, the web client for Telegram is a viable option. To get started, visit https://web.telegram.org and log in with your account. If you don't have an account, you will first need to download the application onto a mobile device (unattributed, of course) and use a mobile number (again, we recommend not linking this to your personal phone) to create a profile.
Upon logging in, you'll notice a new version of the client is available, redirecting you to https://web.telegram.org/k/. If you wish to explore other versions of the web client, simply replace the '/k/' with '/z/' or add '/?legacy=1' at the end of the URL. These versions offer a slightly different user experience, and different applications for OSINT.
For simpler media scraping methods that use browser plugins or manual techniques, the legacy version of the web client is recommended, as it maintains the conventional right-click functionalities.
Scraping media from a channel: With the legacy web client, you can swiftly gather media by using the Chrome plugin available at https://chrome.google.com/webstore/detail/scraper/mbigbapnjcgaffohmbkdlecaccepngjd.
As you navigate through a channel, you can easily collect similar media by right-clicking on an image and selecting "Scrape similar..". This feature facilitates the rapid extraction of media content, proving useful in various OSINT contexts.
Upon executing the "Scrape similar.." command, a list of "blob" objects is generated. A "blob", short for "Binary Large Object", is the data-holding element behind each image, and each entry references the URL where that image can be reached. In simple terms, these URLs can be directly accessed to download the associated images individually or at scale. A blob: URL exists only in the browser session that created it, so open or save it from that session while the channel is still loaded.
The new web client interface, while offering more user functionalities, removes the ability to right-click. This change limits the effectiveness of common browser plugins for accessing "blob" objects.
However, by accessing "Developer Tools" and navigating to the 'network' tab, you can filter by "blob:". This process reveals the same image URLs being processed, ensuring you maintain your ability to access and collect images.
Group Video Calls
Video and audio conference calls in Telegram aren't part of standard chat and media sharing in channels or groups. They can be initiated via mobile or desktop clients. When a user taps or clicks the group's title bar, an option to start an audio chat becomes available. From this point, video and screen sharing can be enabled.
As of the current version, video conference calls have a participant cap, limiting access to the first 30 people who join the voice chat. However, there's no participant limit for audio-only conference calls.
The mobile app has a display similar to below:
Given that video and audio chats on Telegram are live and don't appear to be stored or indexed, it's critical to understand the potential need for live monitoring. Identifying where these chats are happening around the internet during significant events and possibly accessing them directly to comprehend the context of the discussions could be crucial, depending on your specific needs. This ongoing awareness can guide your planning and decision-making process.
Chat Link Sharing
Telegram enables users to share a direct link for joining a group, channel, or chat. This functionality is crucial during an emerging event or situation as organisers can easily distribute a link for direct communication channels outside of their immediate Telegram network.
Those persistently monitoring threat groups should consider watching for URLs associated with Telegram audio/video chats. These URLs typically include:
Advanced Google search techniques can help track these chat links, either directly on the site or through mentions of them elsewhere, for example:
"t.me/joinchat" australia -site:t.me
We can apply additional search parameters to narrow down to particular topics or areas.
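The same watch can be run over text you have already collected (search results, forum posts, pastes). The following Python sketch is an added example, not part of the original article: it pulls Telegram links out of free text and sorts live-call and invite links to the top. Only "t.me/joinchat" comes from the article; the "+hash" invite form and the voicechat, videochat and livestream parameters are assumptions based on Telegram's public deep-link formats, and the sample text is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# "t.me/joinchat" is from the article. The "+<hash>" invite form and the
# ?voicechat / ?videochat / ?livestream parameters are assumptions based on
# Telegram's public deep-link formats.
CALL_PARAMS = ("voicechat", "videochat", "livestream")
# Lookbehind stops "internet.me/..." from matching as "t.me/...".
LINK_RE = re.compile(
    r"(?<![\w.-])(?:https?://)?(?:www\.)?(?:t|telegram)\.me/[^\s\"'<>)\]]+",
    re.IGNORECASE)

def classify(link):
    """Return (kind, target) for one Telegram link, or None if it has no path."""
    url = urlsplit(link if "://" in link else "https://" + link)
    parts = [p for p in url.path.split("/") if p]
    if not parts:
        return None
    query = parse_qs(url.query, keep_blank_values=True)
    if parts[0].lower() == "joinchat" and len(parts) > 1:
        return ("invite", parts[1])
    if parts[0].startswith("+") and len(parts[0]) > 1:
        return ("invite", parts[0][1:])
    if any(p in query for p in CALL_PARAMS):
        return ("live_call", parts[0])
    return ("public", parts[0])

def extract_links(text):
    """Find Telegram links in free text, de-duplicated, live calls first."""
    seen, out = set(), []
    for m in LINK_RE.finditer(text):
        hit = classify(m.group(0).rstrip(".,;:!?"))  # drop sentence punctuation
        if hit and hit not in seen:
            seen.add(hit)
            out.append(hit)
    order = {"live_call": 0, "invite": 1, "public": 2}
    return sorted(out, key=lambda h: order[h[0]])

# Constructed sample text (not real channels or invite hashes).
SAMPLE = """
Join us tonight: https://t.me/joinchat/AAAAAExampleHash123.
Live now at t.me/example_channel?videochat, mirror https://t.me/+BBBBexampleHASH
Background: https://t.me/example_channel and again t.me/joinchat/AAAAAExampleHash123
"""

if __name__ == "__main__":
    for kind, target in extract_links(SAMPLE):
        print(f"{kind:10} {target}")
```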
Additional Telegram OSINT Tools
There are several established tools that can be essential for any OSINT toolbox for Telegram. They typically provide a starting point to identify channels or groups of interest. Once you've joined or viewed these (if they're open), you can use the scraping techniques outlined above to gather in-channel data using your personas.
Here are our top recommendations:
Lyzem: This tool excels in filtering by channels, groups, bots, and telegraphs.
Telegago: This custom Google Search Engine streamlines searching, enhancing efficiency. You can adapt its domain-searching principles to create a personalized tool catered to your specific needs.
TG Stat: As a comprehensive collection platform, this tool requires careful OPSEC consideration. Nevertheless, even its free version provides ample data that can be beneficial for initial searching.
Telegram's global popularity, ranking in the top three most downloaded messenger apps, makes it an influential communication tool worth understanding.
The platform's features allow for various modes of communication, potentially enabling threat actors to coordinate their activities at scale.
With the proper know-how, tools, and operational security considerations, media can be extracted directly from channels, and the workings of the video conference chat feature can be understood.
Be vigilant when monitoring URLs related to Telegram audio/video chats during emerging events or situations.