🔎 Maltego Telegram

OSINT Transforms for Telegram investigations

Maltego Telegram is a free set of Maltego Transforms designed for OSINT investigations in the Telegram messenger.

The project originally focused on de-anonymization via stickers and emoji, but has since evolved into a full-featured toolkit for analyzing Telegram channels, groups, and user profiles.

---

🚀 Features

With Maltego Telegram you can:

• 📱 Retrieve a Telegram profile by phone number
• 👥 Discover groups and chats linked to a Telegram channel
• 🛡 Get a list of Telegram group administrators
• ✍️ Identify authors of Telegram channels
• 🔁 Collect forwarded and audience-overlapping (similar) channels
• 🗑 Detect deleted posts and generate links to archived content
• 😀 Index all stickers and emoji used in a Telegram channel
• 🧩 Identify creators of sticker and emoji packs

More than 10 Transforms are currently available.
A full list can be found:

• in the Transforms directory
• directly in Maltego after importing the project

---

🧠 How it works

Below are some key investigation scenarios enabled by the Transforms.

---

😀 Stickers and their creators

Every Telegram user has a unique UID.
When a user creates a sticker pack, this UID is embedded inside the pack ID.

The Transform extracts it using the following logic:

1. Request sticker pack metadata via the Telegram API
2. Extract the value of the id field
3. Perform a 32-bit right binary shift

The resulting UID can be resolved to a username (for example, via the @tgdb_bot).

📌 Practical use case
If a channel author does not provide contact details, they can be de-anonymized by scanning the channel for sticker packs they have created.
Maltego Telegram performs this process automatically.

🔗 Read more:
What's wrong with stickers in Telegram? Deanonymize anonymous channels in two clicks

---

🔗 Similar channels

Telegram provides a built-in feature for discovering channels with overlapping audiences, but the results are shown only as a list.

Maltego enhances this by:

• visualizing relationships,
• revealing channel networks,
• simplifying ecosystem-level analysis.

---

🔁 Profiles associated with a channel

Channel administrators often:

• forward their own messages,
• repost content from personal accounts.

Even if a user later restricts forwarding (Forwarded Messages = Nobody), older forwarded messages remain linked to the original profile.

This Transform:

• detects such messages,
• connects channels to real user profiles.

---

🗑 Deleted posts and archived content

Each Telegram post has a sequential numeric ID:

• 1, 2, 3, 4 …

Missing IDs indicate that posts were deleted.

This Transform:

• detects gaps in post IDs,
• checks public Telegram archives,
• generates links to preserved copies of deleted content.

---

⚙️ Installation

1️⃣ Clone the repository

git clone https://github.com/vognik/maltego-telegram

2️⃣ Install dependencies

pip install -r requirements.txt

3️⃣ Configure config.ini

Set the following values:

• api_id and api_hash
  https://core.telegram.org/api/obtaining_api_id
• bot_token
  https://core.telegram.org/bots/tutorial#obtain-your-bot-token

---

4️⃣ Log in to Telegram

python login.py

5️⃣ Generate Transform files

python project.py

---

6️⃣ Import into Maltego

Import the following files using Import Config in Maltego:

• entities.mtz
• telegram.mtz

---

▶️ Usage

1. Drag an entity from the Entity Palette
2. Right-click on it
3. Select the desired Transform

🎥 Demo:

demo.mp4

---

📄 License

This project is licensed under the GPL-3.0 license.
See the LICENSE file for details.