
Telegram and Encrypted Messaging Platforms Analysis 

NOT FOR RELEASE: Please remember that videos and material are reserved for 2021 participants in the 360/Digital Sherlocks program and are not meant to be shared outside the cohort, downloaded, recreated, or disseminated in any way. Having been selected as a participant in this program, you will be expected to respect the confidential nature of DFRLab’s proprietary material.


If you have any questions, please email us at DFRLab@AtlanticCouncil.org


Trainers

TELEGRAM

  • Primarily a messaging platform with over 500 million users
     

  • End-to-end encrypted (only the individuals sending and receiving can read messages; no others are able to decode them), but most messages are still stored on the Telegram cloud server
     

  • Due to its simplified set-up requirements, user anonymity, end-to-end encryption, and the company’s unwillingness to work with law enforcement, Telegram has become home to a host of malicious online activity, including a black market (fabricated documents, fake accounts, etc.), recruitment for extremist groups such as ISIS, and organizing coordinated violent events such as the Jan. 6th Capitol riots 
     

Key App Features:  
 

  • Users: Devices with the Telegram app installed (can hide identifying features such as profile photos, bios, etc.)  
     

  • Bots: Accounts operated by software. Users can give a bot commands that help run third-party applications within Telegram. Bot usernames contain the word ‘bot’ at the end, and creating a bot is relatively simple with a bit of programming knowledge
     

  • Groups: Contain multiple users communicating with each other and are usually devoted to specific topics. Groups have many features, such as replies, mentions, and pinned messages  
     

  • Normal Groups:

    • Hold up to 200 members

    • Cannot be made public

  • Super Groups:

    • Hold up to 100,000 members

    • Can be made public (can be found via search) or private (can only join with invite link)
     

  • Channel: Managed by admins who can post content for multiple users - a form of one-to-many broadcasting

    • Unlimited number of subscribers

    • Only admins can post, but any subscriber can see how many people saw a message and how many people are in a channel

    • Admins are offered almost complete anonymity (can hide their phone numbers, create fake names, etc.)
     

  • Secret Chats: In addition to being end-to-end encrypted, these messages are not stored on the Telegram server, meaning even Telegram cannot decode the messages being sent at any point.

 

 

Case Study: Alt-Right Extremism in the United States and the end of Parler  
 

  • After January 6th, the de-platforming of alt-right accounts on mainstream social media (Twitter, Facebook, etc.) in the US, WhatsApp’s announcement that it provides data to Facebook, and the takedown of the social media app Parler drove people to alt-tech platforms such as Telegram  

  • One particular Telegram group, “Parler Life Boat” was monitored by the DFRLab and it experienced explosive growth once Parler went down (access the full case study here) 


Methods/Tools to Analyze Telegram  

Using Telegram

Telegram1.png

By clicking the three dots highlighted by the red circle on the right, you can export a number of details surrounding a chat in Telegram, including media, files, and voice messages.

Using Third Party Apps

  

Telegram Analytics 

  • Contains one of the largest catalogues of Telegram channels 

  • Created by a Russian company, currently limited to specific countries but working to expand its reach 

  • There are three main dashboards on this tool: 

  • Channels ranking: This dashboard allows you to search for channels based on the search criteria and the “Search channel” bar. The returned metrics are self-explanatory, except for ERR%, which is the Engagement Rate by Reach. ERR% is calculated by dividing the Avg Post Reach by Subscribers. If you click on a channel, it gives numerous details about that channel, including a citation index, which counts the number of times the channel was mentioned in other channels 

  • Search in Telegram: This dashboard allows you to search for specific posts  

  • Post Ranking: This dashboard allows you to see the most popular posts based on specific filters 
     

Buzz.im and Intelx.io  

  • These are both search tools, and they’re best used in conjunction since they have different (but sometimes overlapping) catalogs 

Popsters

  • This is a paid tool, but it offers a free trial

  • Uniquely, it allows comparison between multiple pages

This is the Popsters dashboard. By clicking the plus sign highlighted by the red circle, you can add a page and compare details such as views comprehensively.

Telegram2.png

Encrypted Messaging Platforms (EMPs)

 

  • Like Telegram, EMPs are messaging platforms that are encrypted, meaning only the sender and receiver are able to read the messages being exchanged. Examples include WhatsApp, Facebook Messenger, Telegram, Viber, WeChat, etc.

  • Central appeal to malicious actors: the encrypted nature of these platforms creates close-knit information silos based on trust and familiarity. As people feel they are surrounded by like-minded individuals, they are able to speak and organize freely

  • EMPs are often used by malicious actors to spread hostile narratives, organize, and recruit members. This allows them to spread propaganda, influence individual views, and feed very isolated information to their followers. The malicious use of EMPs is an international issue and has recently been driving COVID-19 mis- and disinformation, affecting political outcomes, driving extremism in the United States, etc.

  • EMPs are very difficult to track and monitor. The main current method is to create fake accounts and join these online ecosystems to monitor, analyze, and archive 
     

Best Practices  

  • Anonymity is KEY: protect yourself and your identity. These are often very serious groups, and it is imperative that you protect your safety so that you do not get doxxed and/or removed from the group.

  • Do not attract attention to yourself!  

  • LARPing is frequently unproductive – your goal is to monitor, archive, and analyze, not engage 
     

  • Use encrypted email accounts when registering for these apps:  

  • If creating an account requires a phone number, use the following e-SIM card/second phone number tools ($$):

  • Keep vicarious trauma in mind:

    • Some of this content is extremely graphic and intense, so remain aware of your mental health when encountering these groups

    • Take frequent breaks, mix up your workflow, and speak to a supervisor or colleague if in doubt

Telegram

  • Toggle security settings: Settings > Privacy and Security

  • Do not use your real phone number, and be sure to turn off the ability for users to see the number you are using, as group admins will sometimes call to verify identity and you want to avoid that situation.

Telegram3.png
Telegram4.png

WhatsApp

  • Toggle privacy settings: Settings > Account > Privacy

  • Toggle security settings: Settings > Account > Security + Two Step Verification (turn this on!)

  • In particular, toggle the feature that lets you control who can add you to groups, as sometimes people will add you to phishing groups.

Telegram5.png
Telegram6.png

Key WhatsApp Features:  
 

  • WhatsApp Messenger: Main messaging application that allows users to exchange messages, files, images, etc. and make calls

  • WhatsApp Group: Collections of users, with a maximum of 256 members per group

  • WhatsApp users often operate in closed groups where joining is contingent on an invitation. They also tend to be far more hyperlocal in comparison to Telegram.

  • There is no “search feature” – you cannot join groups by topic or searching like you can on Telegram
     

  • End-to-End Encryption: No third party can access content between two users messaging one another. WhatsApp does not store delivered messages, and undelivered messages are stored for 30 days before they are deleted. WhatsApp reserves the right to monitor content it finds potentially dangerous for its users; however, this topic is heavily debated
     

  • Forward Limits: Message forwarding is misused very often, particularly in South Asia, to deliver massive amounts of mis- and disinformation almost instantaneously 

  • In response, WhatsApp introduced forward limits, where if a message has been forwarded to more than 5 chats, it is labeled with a double arrow icon to indicate it’s widely forwarded 

  • Messages with the double arrow icon can only be forwarded to one chat at a time, leading to a 25% decrease in forwarded messages  

  • WhatsApp also labels forwarded messages if it is unsure whether someone is the original author of a message. It also introduced a 5-person forwarding limit

  • “Search the Web” feature adds a magnifying glass next to frequently forwarded messages that allows users to instantly search the internet and fact-check the message themselves. This feature is only available in select countries, is text only, and the company does not store the content of the message itself 
     

Methods/Tools to Analyze WhatsApp   
 

  • People usually post invite links to groups on public forums – Twitter, Facebook – which is a good way to join relevant groups 

  • Can sometimes find these groups by adding “chat.whatsapp.com” to a search term in Google and Twitter 

  • On Facebook, search “WhatsApp Groups” and select the Groups filter – some groups exist only to share WhatsApp group links  

  • Similarly, you can do a Pushshift Reddit search and include “chat.whatsapp.com” 
     

Websites Indexing WhatsApp Groups  

Other Tools 
 

  • Chatilyzer  

    • Free and paid 

    • Join a group > click on the group’s information page > export 

    • Export with attachments for archiving/further analysis  

    • Export without attachments to receive a .zip file that, when extracted, returns a .txt file

    • Upload the .txt file for an analysis of interesting features, such as average messages per day, activity over time, top phone numbers, keywords etc.
       

  • WhatsAnalyzer 

    • Export .txt file as you would with Chatilyzer, and email it to whatsanalyzer@uni-wuerzburg.de  

    • Goal: Statistically evaluate anonymized chats to develop new models for communication traffic; data stored in an anonymized form, so it is safe to use 

Telegram7.png

chatanalyzer.moritzwolf.com  
 

  • Same process as the other two tools: Join a group > click on the group’s information page > export 

  • Export with attachments for archiving/further analysis  

  • Export without attachments to receive a .zip file that, when extracted, returns a .txt file

  • Upload the .txt file for an analysis of interesting features 

  • Best option for those with privacy concerns – the data is not stored to any external database and it is only contained in your browser  

  • Source code is available for inspection  
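
The export-and-analyze workflow above can also be run entirely on your own machine, so the chat never leaves it. The following is an added example, not part of the original handout or of any listed tool; it assumes one common Android export layout ("M/D/YY, HH:MM - Sender: text"), and the sample chat, phone numbers and stopword list are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample; assumed layout "M/D/YY, HH:MM - Sender: text" (varies by locale).
SAMPLE_EXPORT = """\
1/10/21, 09:15 - Messages and calls are end-to-end encrypted.
1/10/21, 09:16 - +1 555 0100: Welcome everyone, read the pinned rules
1/10/21, 09:20 - +1 555 0101: Thanks for the invite
and sorry for joining late
1/11/21, 18:02 - +1 555 0100: New channel link tonight
1/11/21, 18:05 - +1 555 0102: <Media omitted>
1/12/21, 07:45 - +1 555 0100: Share the channel link with friends
"""
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{2}), (\d{1,2}:\d{2}) - (.*)$")
STOPWORDS = {"the", "and", "for", "with", "new", "read"}  # illustrative only

def parse_export(text):
    """Parse export text into message dicts, skipping system notices."""
    messages, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # no timestamp prefix: continuation of a multi-line message
            if current is not None:
                current["text"] += "\n" + line
            continue
        sender, sep, body = m.group(3).partition(": ")
        if not sep:  # system notice has no "Sender: " part
            current = None
            continue
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%y %H:%M")
        current = {"ts": ts, "sender": sender, "text": body}
        messages.append(current)
    return messages

def summarize(messages, top=3):
    """Per-day activity, average over active days, top senders and keywords."""
    per_day = Counter(m["ts"].date().isoformat() for m in messages)
    senders = Counter(m["sender"] for m in messages)
    words = Counter(
        w for m in messages if m["text"] != "<Media omitted>"
        for w in re.findall(r"[a-z']{3,}", m["text"].lower())
        if w not in STOPWORDS)
    return {
        "avg_per_day": round(len(messages) / len(per_day), 2) if per_day else 0.0,
        "per_day": dict(per_day),
        "top_senders": senders.most_common(top),
        "top_keywords": words.most_common(top),
    }
```

Calling summarize(parse_export(text)) on the contents of an exported .txt file returns the metrics as a dictionary; adjust LINE_RE if your export uses a different date or time layout.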
     

WhatsAppMonitor: Monitors the online times of selected contacts and displays them as a graph   
 

WhatsFoto: Can be used to download multiple profile pictures from WhatsApp, also available as an extension for Chrome  
 

WhatsApp Group Contacts Scraper: Enables you to get the group contacts from a specific WhatsApp group. You can export these findings as a CSV or Excel file
 

WhatsAllApp Community Edition: A Chrome extension that creates an overlay of extra information on top of WhatsApp web

OSINT In Practice

Telegram8.png

A potential flow of an OSINT investigation -- keep in mind what part of the process you are at, and how to move forward with your investigation. 

Case Study: Terrorgram  

A study conducted on the presence and growth of neo-Nazi content on Telegram, delving into how this growth promotes virulent, accelerationist content, increases the possibility of lone wolf attacks, and perpetuates the hive terrorism process (access the full case study here).

Case Study: TRF terrorist group amplifying attacks on social media 

A report on TRF’s presence online despite extensive, government imposed internet shutdowns in Kashmir (access the full case study here).