Background

During a routine DarkWeb sweep, I encountered a Telegram channel advertising fresh stealer logs.

Reconnaissance

Initial contact was through a public Telegram group. The operator’s handle was @redacted_handle.

# Telegram OSINT — metadata extraction (Telethon)
from telethon import TelegramClient
from telethon.tl.functions.channels import GetFullChannelRequest

async def get_channel_info(client: TelegramClient, channel):
    # Resolve the @username or invite link to a Channel object (basic fields only)
    entity = await client.get_entity(channel)
    # participants_count is reliably populated on the "full" channel object,
    # so fetch that separately instead of reading it off the basic entity
    full = await client(GetFullChannelRequest(entity))
    return {
        'id': entity.id,
        'username': entity.username,
        'first_seen': entity.date,  # channel creation timestamp (UTC)
        'participants': full.full_chat.participants_count,
    }

Pivot Points

From the channel metadata I identified:

  1. Creation date correlated with a known data breach
  2. Language patterns suggested Eastern European origin
  3. Posting schedule matched UTC+3 timezone
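The third pivot, matching a posting schedule to a timezone, is the kind of inference that is easy to hand-wave and worth making explicit. The following is an added example, not code from the original post: it takes a list of post timestamps in UTC (the sample set below is constructed, not real channel data), assumes an "active" local window of 08:00 to 22:59 when an operator is likely to be awake and posting, and asks which UTC offset makes the most posts fall inside that window. The window and the set of candidate offsets are assumptions of this example; the same histogram approach works on the timestamps Telethon returns for messages.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of channel posts (illustrative, not real data).
# Activity clusters between 05:00 and 19:00 UTC, i.e. 08:00-22:00 at UTC+3.
SAMPLE_POST_TIMES_UTC = [
    datetime(2024, 3, 1, h, m, tzinfo=timezone.utc)
    for h, m in [(5, 12), (6, 40), (8, 5), (9, 30), (10, 15), (11, 45),
                 (12, 20), (13, 55), (14, 10), (15, 30), (16, 50), (17, 25),
                 (18, 5), (19, 40), (7, 15), (12, 50), (16, 5), (19, 10)]
]

# Assumed local waking/posting window: 08:00 through 22:59
ACTIVE_HOURS = range(8, 23)


def hour_histogram(times_utc, offset_hours):
    """Count posts per local hour after shifting every timestamp by offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in times_utc)


def score_offset(times_utc, offset_hours):
    """Number of posts that land inside ACTIVE_HOURS under the given offset."""
    hist = hour_histogram(times_utc, offset_hours)
    return sum(count for hour, count in hist.items() if hour in ACTIVE_HOURS)


def infer_utc_offset(times_utc, candidates=range(-12, 15)):
    """Return (best_offset, fraction_of_posts_in_active_window).

    Ties are broken toward the offset closest to UTC so the result is deterministic.
    """
    if not times_utc:
        raise ValueError("need at least one timestamp")
    best = max(candidates, key=lambda off: (score_offset(times_utc, off), -abs(off)))
    return best, score_offset(times_utc, best) / len(times_utc)


if __name__ == "__main__":
    offset, fraction = infer_utc_offset(SAMPLE_POST_TIMES_UTC)
    print(f"best fit: UTC{offset:+d} ({fraction:.0%} of posts in active window)")
    for hour, count in sorted(hour_histogram(SAMPLE_POST_TIMES_UTC, offset).items()):
        print(f"  {hour:02d}:00 local  {'#' * count}")
```

Two caveats an analyst should keep attached to this number: an offset is not a location (UTC+3 covers several countries, and daylight-saving shifts move a channel between offsets over the year), and scheduled or bot-driven posting produces a clean histogram that says nothing about where a human sits. The fraction returned alongside the offset is the thing to report; a best fit that only captures half the posts is weak evidence, while a near-perfect fit that also agrees with the language and creation-date pivots is what supports the confidence level claimed in the conclusion.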

Conclusion

Using only public metadata — no active engagement — I was able to attribute the actor with high confidence.