Find out Telegram user data: User Enumeration & De-anonymization

The organization of pro-Russian hacker groups like Killnet in Telegram groups raises the question of whether it is possible to find out user data via Telegram. In this article, we present two proofs of concepts that can be used to de-anonymize Telegram users.

Table of Contents

The idea: Find out user data of Killnet members via Telegram

The war in Ukraine has led to an increase in pro-Russian hacking attacks on western authorities and companies. To counteract these attacks, ProSec has the Live attack parser developed. This parser scans the attackers' Telegram groups and thus provides information about planned attacks. This offers companies the opportunity to better protect themselves against planned attacks.

Investigating Telegram groups found that they are primarily organized through a number of sub-groups of Killnet, mostly led by group leaders. This resulted in the following question for us: Is it possible to find out user data via Telegram in order to deanonymize the users responsible for cyber attacks?

All presented proofs of concepts were developed in August 2022. At the current time (January 2023) all PoC's are still functional.

You want to see the consequences of a successful hacker attack
spare your IT system?
Test your IT now with a professional penetration test!
For the penetration test

General functionality & requirements

Basically, the proof of concepts exploit the problem that Telegram has no contact request function and thus makes it possible to get data such as the user name in a number of ways using the cell phone number. The poorly implemented handling of URIs and the personalized links are used for this. These allow other users to be contacted via their username or telephone number.

The prerequisite for this is that the target person/user has set the setting "Who can find me under my number" to "Everyone".

The setting "Who can see my number" is irrelevant here, since the number is resolved via the URI/API. So it doesn't matter whether it can be displayed in the app, since you can correlate the request to the answer. When enumerating the Telegram applications, however, it should be noted that some of these are very unstable and therefore often deliver unreliable results. Therefore, the scan results should be validated several times in order to be able to make an accurate statement.

In addition, it is possible to validate the number found via shared groups or the added contact of the target person.

Find out Telegram user data: Settings
Privacy and Security Settings of the Telegram App (iOS)

Proof of Concepts: Find out Telegram user data

User deanonymization via web and desktop application


The procedures for user deanonymization via the web and desktop application are very similar as they both use the URI to resolve the requested number.

The main difference is that the web app receives the URI as a URL encoded query and the desktop app is called directly via the tg:// URI.

Telegram URI
Telegram URI for resolving numbers via links

As soon as you send the request via a browser, you will be forwarded to the web or desktop application. If the requested number exists, the chat will open. Otherwise the message " Not Found".

Telegram AttackChain
Attack Chain - Web/Desktop Application

Enumeration via web vs. desktop application

Since Telegram currently does not limit access to said URI's via desktop web apps, you can send any number of requests. You can brute force numbers and then correlate them based on common groups or (if available) the username.

In the case of enumeration via the web application, however, the number of requests sent is quite high and therefore relatively noticeable. Requests could easily be recognized and blocked by a web application firewall (WAF).

With enumeration via the desktop application, you don't have this problem, since you only send indirect requests to Telegram's web infrastructure. However, the response handling is much more cumbersome here, since you cannot work with HTTP responses. This also significantly limits the speed.

User deanonymization via Telethon API


Telethon is a Python library that allows interacting indirectly with Telegram's API. It provides a range of functions to query user information.

This includes the "ImportContactsRequest", which allows users to add a telephone number to their own Telegram contacts. It is then possible to request a range of user data via the get_entity function - for example username and profile picture.

communication telethon
Attack Chain - Telethon API

Advantages disadvantages

The Telethon API offers two advantages. On the one hand, it is much easier to further process the resulting data sets. On the other hand, you get a range of other useful information such as the language code of the requested user, if this is set.

However, this API interface is severely restricted: After a certain number of requests to the API, you will be temporarily blocked. This currently makes the effective enumeration of numbers almost impossible. 

Conclusion: advantages and disadvantages of the PoC and outlook

All presented proofs of concepts are suitable for finding out Telegram user data. When deciding on one of the PoC, it is relevant how many resources are available to resolve as many numbers as possible. It also plays a role in how the numbers are generated. For example, it would be possible to bruteforce more effectively with special prefixes if there was information about where the target might be.

The question remains how Telegram will deal with such functions in the future to counter possible attacks on the privacy of its users. This would of course affect the functionality of the presented Proof Of Concepts.

Find out Telegram user data: PoC comparison
Overview of the advantages and disadvantages of the Proof of Concepts
Increase the security of your IT system now!
You will receive detailed advice from us!
Contact us now
Newsletter Form

Become a Cyber ​​Security Insider

Get early access and exclusive content!

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!

Table of Contents

NewsLetter Form Pop Up New

Become a Cyber ​​Security Insider

Subscribe to our knowledge base and get:

Early access to new blog posts
Exclusive content
Regular updates on industry trends and best practices

By signing up, you agree to receive occasional marketing emails from us.
Please accept the cookies at the bottom of this page to be able to submit the form!