Telegram Chats & Media
Updated: May 2
Telegram recently brought back group video chats within Telegram channels. This presents an interesting feature return that can present new avenues for threat actors to communicate and coordinate at scale, beyond just text and voice. It allows for conference group video calls.
There are plenty of legitimate uses of this feature on the encrypted messaging platform, however, video sharing has often been a popular method to stimulate followers of an emerging situation or coordinate activities of a group. When we look at the de-platforming that occurred after the US Capitol events (see our free in-depth reports here: https://www.osintcombine.com/reports) and having an unmoderated platform can present risks for ground-swell to take hold without any ability to remove inappropriate content.
Using alt-tech platforms for distributing questionable content isn't new, but Telegram video chat presents a new risk in the way groups can build up a following in a closed (or open) channel and use more direct visceral methods to coordinate or stimulate followers with immediate feedback through video conference calls.
This article is focused on how we can firstly collect media directly from channels, and then understand how the new video conference chat feature works. Note: this article is based on having a persona/account that can access Telegram directly for native collection. Apply your own OPSEC considerations as required here. There are lots of great resources for non-native Telegram searching & exploitation, this is more focused on more direct channel monitoring.
There are several ways to access Telegram for native viewing:
Of course, there are plenty of bespoke services, websites & databases. This article is focused on native access for source validation & verification.
If we want to focus on speed & efficiency, using the web client for Telegram is useful. Visit https://web.telegram.org and log in with your account to get started.
You will notice that a new version of the client is available and forwards you to: https://web.telegram.org/k/ - there are also other versions of the web client available. Simply change the /k/ to a /z/ or /?legacy=1 to see the different versions:
To access easier scraping methods using browser plugins or manual techniques, you will want to use this version as it doesn't change your right-click methods.
Scraping media in a channel:
Using the legacy web client, install this handy Chrome plugin for rapid collection: https://chrome.google.com/webstore/detail/scraper/mbigbapnjcgaffohmbkdlecaccepngjd
When you are viewing a channel, simply right-click on any image and click "Scrape similar.."
You will then be presented with a list of "blob" objects which reference the hosted URL of the image. A blob object is a "Binary Large Object" that is responsible for holding data. Simply put, you can use this direct URL to access & download the image directly & at scale.