Telegram is the criminal-and-fringe internet’s town square in 2026. Ransomware operators use it. Stealer-log markets run on it. Disinformation operators coordinate from it. Doing OSINT on Telegram has its own rules and its own pitfalls. Here’s the playbook I run.
Discovery: how to find channels worth monitoring
The simplest method is following the link graph. When a known channel forwards a message from another channel, you have a candidate. Telegram’s “forwarded from” attribution is a discovery engine if you watch it long enough. The same goes for invitations and cross-posts in chat groups.
Aggregators help too: TGStat, Combot, and a few smaller search engines index public channels and let you query by topic, language, or growth rate. They miss private channels and many criminal ones, but they’re useful for the surface layer.
For criminal-adjacent channels, discovery often runs through other platforms. A leak listed on a leak site links to a Telegram channel for “negotiations.” A post on the XSS forum points to a Telegram contact for affiliate enrolment. The pivot is usually one click.
Archiving: capture before it disappears
Telegram channels and chats can be deleted instantly. If you want to cite something, archive it. The Telegram Desktop client supports exporting channel histories to JSON or HTML. Tools like Telethon (Python) automate that across many channels with a single account. For real-time archival, a small script that subscribes to your monitored channels and writes everything to a database is straightforward to build.
Archive everything on capture, not when you need it. The amount of evidence I’ve watched evaporate because someone delayed a screenshot is significant.
Admin fingerprinting
The interesting work starts when you try to attribute a channel to a real operator. Useful signals: typo patterns, time-of-day posting consistency (suggests timezone), language-switching habits, references to specific games or media, mentions of personal details. Cross-reference posting times against known timezones and activity gaps consistent with sleep cycles.
The username history of admins is gold. Telegram allows username changes, but the older usernames sometimes link to historical posts on other platforms (Reddit, Twitter, GitHub, gaming forums). A search for older usernames against the public web often produces correlations.
Reactions, replies, and forwarding patterns reveal social graphs. The admin who reliably reposts from three specific other channels is in a relationship with those three. That relationship is itself attribution-relevant.
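The “forwarded from” pivot from Discovery and the posting-hour analysis from Admin fingerprinting, run over a Telegram Desktop JSON export of the kind described under Archiving, as an added Python example that is not part of the original post. The export key names (messages, type, date, forwarded_from) and the sample channel are assumptions: check the keys against your own result.json, and remember that a single day of data proves nothing.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample in the shape of a Telegram Desktop JSON export (key names
# follow that format; verify them against your own result.json before relying on them).
_POSTS = [(9, None), (10, "feeder_a"), (11, None), (13, None), (14, "feeder_a"),
          (16, None), (18, "feeder_b"), (20, "feeder_a"), (22, None)]
SAMPLE_EXPORT = json.dumps({
    "name": "example_channel", "type": "public_channel", "id": 1,
    "messages": [{"id": i, "type": "message", "date": f"2026-01-05T{h:02d}:15:00",
                  "from": "example_channel", "text": "constructed post",
                  **({"forwarded_from": src} if src else {})}
                 for i, (h, src) in enumerate(_POSTS, 1)]})

def load_messages(raw):
    """Keep real posts; drop 'service' entries (pins, title changes, joins)."""
    return [m for m in json.loads(raw)["messages"] if m.get("type") == "message"]

def forward_sources(messages):
    """Count 'forwarded from' attributions; each source is a candidate to monitor."""
    return Counter(m["forwarded_from"] for m in messages if m.get("forwarded_from"))

def posting_hours(messages):
    """Histogram of the hour each message landed in the channel. Forwards count too:
    the timestamp is when the admin forwarded it. Normalise the export clock to UTC."""
    hours = Counter()
    for m in messages:
        hours[datetime.fromisoformat(m["date"]).hour] += 1
    return hours

def longest_quiet_window(hours):
    """(start_hour, length) of the longest run of zero-post hours, wrapping past
    midnight; a stable 7-10 hour gap is the sleep-cycle signal to test against timezones."""
    best = (0, 0)
    for start in range(24):
        length = 0
        while length < 24 and hours[(start + length) % 24] == 0:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best

if __name__ == "__main__":
    msgs = load_messages(SAMPLE_EXPORT)
    print("forward sources:", forward_sources(msgs).most_common())
    print("quiet window (start hour, length):", longest_quiet_window(posting_hours(msgs)))
```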
OPSEC for Telegram researchers
Use a research-persona phone number; a virtual one (eSIM, MySudo, Hushed) is fine. From the operators’ perspective the number stays attached to your Telegram account permanently, even though you can change it later. Don’t use a number that’s ever been on your real account.
Don’t engage with channels you’re monitoring. Reactions, comments, and replies all tip your hand. If you must engage, do it from a separate account that has been seasoned with weeks of normal-looking activity first.
Disable the “show profile photo to anyone” setting. Disable phone-number visibility. Disable last-seen visibility. The default Telegram profile leaks more than people realise.
Attribution discipline
The same “two of three” rule applies. Don’t publicly attribute a channel to a real person on a single signal. The cost of being wrong on attribution is large, for the named individual if they’re not the operator, and for your credibility regardless. Build the case slowly. Sit on partial attributions until they’re strong. The work compounds; the bad publish doesn’t.
Telegram OSINT is mature in 2026. The tools and the discipline are well-documented. The patient researcher with a methodical workflow gets the right answer. The impatient one publishes the wrong name and stops getting reads.
