When news of the arrest of Telegram’s founder and CEO Pavel Durov first broke in August 2024, it sent shockwaves around the world. For many champions of privacy, this was an over-reach by governments seeking to force regulation and compliance of the platform. For many in law enforcement who have investigated cases involving Telegram usage, this was the first step into holding the platform accountable for allowing illicit and criminal activity to thrive with impunity. Historically, Telegram has always been a proverbial “black hole,” with no means to compel any type of response from the platform. With close to one billion users as of 2024, Telegram has arguably become the third most utilized end-to-end encryption (E2EE) messaging platform, succeeding Meta’s WhatsApp and Apple’s iMessage. As of September 2024, Telegram began accepting legal notice via its newly established compliance email. For many, Telegram itself remains a mystery — specifically what the platform is, what can now be compelled and the best practices for conducting Telegram investigations.

Telegram was first released on iOS and Google Play/Android in 2013 after being developed by brothers Pavel and Nikolai Durov. The encryption algorithm employed to protect the messages/data in transit is known as “MTProto,” which is exclusive and proprietary to the Telegram network. Telegram messenger was the first offering from Digital Fortress LLC, which purportedly acts as a cloud hosting service. The Durov brothers rose to fame after founding the social networking service VK (VKontakte) in Russia, and subsequently moved out of St. Petersburg to establish the Telegram headquarters in the United Arab Emirates after pressure from the Russian government. Telegram requires users to create an account attributed to a phone number, and as of 2025, the Telegram network supports the creation of accounts utilizing any country code around the world (including +850 North Korea). In 2023, Telegram launched its own anonymous country code that users could purchase: +888. Those numbers are currently for resale on fragment.com.

Upon creating a Telegram account, users can set a unique username (i.e., @UbivisProject), choose an account avatar and conceal their phone number. Unique usernames can be viewed online via https:/t.me/ followed by the username, channel, chat or bot. Telegram offers a variety of social engagement options, including open channels, interactive services known as bots and platform-based games. Over the past 12 years, Telegram has evolved significantly, now offering various versions of the platform: mobile, desktop and web.

Telegram launched the web version of the app in 2023, allowing users to access their accounts in a web browser alongside their mobile device. Similarly, in 2013, Telegram introduced a desktop version, enabling users to seamlessly operate their accounts on both desktop or mobile devices. However, a Telegram user must first install and activate the app on a mobile device. While the account remains portable across different versions, it is still tied to a phone number for initial creation. Upon account registration, Telegram assigns a unique user ID (UUID). An example would be my username @UbivisProject, which resolves to Telegram UUID: 5534824703.

In lockstep with the cryptocurrency and blockchain zeitgeist, 2018 saw Telegram develop The Open Network, or colloquially referred to as TON. Similar to smart contract blockchain networks like Ethereum, TON offers myriad support for multiple cryptos, meme tokens known as “jettons,” NFTs and even the .ton domains. Confused? I implore you to check out live TON blockchain explorers like TonScan (tonscan.org) as well as traverse the .ton domains via TON Proxies like Ton.run.

With a fundamental understanding of how Telegram operates, we can explore how to conduct a cursory investigation into illicit services utilizing Telegram, whether through channels or bots. For example, illicit marketplace “BlackBet” has its own Telegram channel, which is advertised on both deep and dark web forums as well as on the marketplace homepage. The channel also appears to just be a promotional repository for new additions to the marketplace (see Figure 1).

These set of circumstances are not unique and uncommon. In fact, many illicit marketplaces and criminal actors provide ways to contact them via Telegram online. In a rather popular credit card/carding forum, we can see “QingWa” advertising their Telegram user account and channel shop in Figure 2.

Pivoting from the deep web and dark web channels to Telegram can prove to be invaluable. From the actor “QingWa’s” Telegram channel, we can see that they own the +888 Telegram anonymous country code. As mentioned previously, +888 numbers are auditable as they are non-fungible tokens (NFTs) on the TON blockchain. Let’s look at the history of this specific number in Figure 3.

We can see that this number was sold on October 10, 2024. Looking at the affiliated purchaser’s TON wallet, tinyurl.com/bddbctbv, we can see much more history. It would be possible to further analyze the cryptocurrency transactions using blockchain analytics to potentially uncover additional identifiers for our actor. Furthermore, we could issue a request to Telegram to compel subscriber information associated with the actor’s usernames, which are linked to the suspect’s TON wallet (see Figure 4).

The previously displayed examples of “BlackBet” and “QingWa” are real-world examples and are currently active in the illicit space of credit card fraud and identity theft. In my humble opinion, the easiest way to potentially discover who these actors are in the real world is through Telegram. While there are certainly more open-source pivots we could explore, the TON blockchain provided us with valuable information without ever requesting any subscriber data from Telegram for “QingWa.” While there is certainly no shortage of polarizing opinions on Telegram, the truth remains that many criminals prefer to utilize the platform. It is important for law enforcement to not only understand how Telegram operates but also recognize how much intelligence can be gathered from open-source cultivation, as well as by serving Telegram legal notice.