Find out Telegram user data: User Enumeration & De-anonymization

The organization of pro-Russian hacker groups like Killnet in Telegram groups raises the question of whether it is possible to obtain user data via Telegram. In this article, we present two proofs of concept that can de-anonymize Telegram users.

The idea: find out user data of Killnet members via Telegram

The war in Ukraine has led to an increase in pro-Russian hacking attacks on Western agencies and companies. To counter these attacks, ProSec has developed the Live Attack Parser. This parser scans the attackers' Telegram groups to provide information about planned attacks. This offers companies the opportunity to better protect themselves against planned attacks.

When investigating the Telegram groups, we found that they are mainly organized via a number of Killnet subgroups, mostly led by group leaders. This led us to the following question: Is it possible to find out user data via Telegram in order to deanonymize the users responsible for cyberattacks?

All proofs of concept presented were developed in August 2022. As of the current date (January 2023), all PoCs are still functional.

General operation & requirements

The proofs of concept exploit the fact that Telegram has no contact request function, which makes it possible to obtain data such as the username from a cell phone number in numerous ways. The poorly implemented handling of URIs and the personalized links are used for this purpose. These allow other users to be contacted via the username or the phone number.

The prerequisite for this is that the target person/user has set the "Who can find me under my number" setting to "Everyone".

The setting "Who is allowed to see my number" is irrelevant here, since the number is resolved via the URI/API. It does not matter whether the number can be displayed in the app, since you can correlate the request with the answer. However, when enumerating via the Telegram apps, note that they are sometimes very unstable and therefore often provide unreliable results. The scan results should be validated several times before making an accurate statement.

Additionally, it is possible to validate the found number via common groups or the added contact of the target person.

Figure: Privacy and Security Settings of the Telegram App (iOS)

Proofs of Concept: Finding out Telegram user data

User deanonymization via web and desktop application


The procedures of user deanonymization via the web and desktop application are very similar, as they both use the URI to resolve the requested number.

The main difference is that the web app takes the URI as a URL-encoded query, while the desktop app is called directly using the tg:// URI.

Figure: Telegram URI to resolve numbers via links

As soon as the request is sent via a browser, you are redirected to the web or desktop application, respectively. If the requested number exists, the chat is opened. Otherwise, the message "<number> Not Found" appears.

Figure: Attack Chain - Web/Desktop Application

Enumeration via Web vs. Desktop Application

Since Telegram does not currently limit access to said URIs via the desktop and web apps, you can send as many requests as you like. This way, you can brute-force numbers and then correlate them based on common groups or (if available) the username, for example.

In the case of enumeration via the web application, however, the number of requests sent is quite high and thus relatively conspicuous. Requests here could easily be detected and blocked by a web application firewall (WAF).

The enumeration via the desktop application does not have this problem, since you only send requests indirectly to the web infrastructure of Telegram. However, the response handling is much more complicated here, since you cannot work with HTTP responses. This also limits the speed significantly.
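The point above about web-based enumeration being conspicuous can be turned into a concrete detection rule. The following is an added example, not code from the original article: it flags clients that look up many different phone numbers within a short window, mostly without success. The log format, the `/resolve?phone=` path, the sample lines and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed log lines. The "/resolve?phone=" path is a hypothetical stand-in
# for a number-lookup endpoint, not Telegram's real URL scheme.
SAMPLE_LOG = """\
2023-01-10T12:00:00 203.0.113.20 GET /resolve?phone=%2B10000000042 200
2023-01-10T12:00:01 198.51.100.7 GET /resolve?phone=%2B10000000001 404
2023-01-10T12:00:02 198.51.100.7 GET /resolve?phone=%2B10000000002 404
2023-01-10T12:00:03 198.51.100.7 GET /resolve?phone=%2B10000000003 200
2023-01-10T12:00:04 198.51.100.7 GET /resolve?phone=%2B10000000004 404
2023-01-10T12:00:05 198.51.100.7 GET /resolve?phone=%2B10000000005 404
2023-01-10T12:00:06 198.51.100.7 GET /resolve?phone=%2B10000000006 404
2023-01-10T12:30:00 203.0.113.20 GET /resolve?phone=%2B10000000042 200
"""

# timestamp, client address, URL-encoded number, HTTP status
LINE = re.compile(r"(\S+) (\S+) GET /resolve\?phone=(\S+) (\d{3})")

def detect_enumeration(lines, window=timedelta(seconds=60),
                       max_distinct=5, min_miss_ratio=0.5):
    """Return {client: time of first alert} for clients that query more than
    max_distinct different numbers inside `window`, mostly with 404 results."""
    recent = defaultdict(deque)   # client -> (timestamp, number, was_miss)
    alerts = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # ignore lines that are not number lookups
        ts = datetime.fromisoformat(m.group(1))
        client, number = m.group(2), unquote(m.group(3))
        q = recent[client]
        q.append((ts, number, m.group(4) == "404"))
        while ts - q[0][0] > window:      # drop lookups older than the window
            q.popleft()
        distinct = {n for _, n, _ in q}
        misses = sum(1 for _, _, miss in q if miss)
        # Repeated lookups of one known contact stay below max_distinct;
        # guessing produces many distinct numbers and a high miss ratio.
        if (client not in alerts and len(distinct) > max_distinct
                and misses / len(q) >= min_miss_ratio):
            alerts[client] = ts
    return alerts

if __name__ == "__main__":
    for client, ts in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible number enumeration from {client} at {ts.isoformat()}")
```

Keying on distinct numbers rather than raw request volume keeps ordinary users who repeatedly open the same chat link out of the alerts.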

User Deanonymization via Telethon API


Telethon is a Python library that lets you interact indirectly with Telegram's API. It provides a set of functions to query user information.

This includes the "ImportContactsRequest", which allows users to be added to your own Telegram contacts via a phone number. Afterwards, it is possible to request a range of user data via the get_entity function, for example the username and profile picture.

Figure: Attack Chain - Telethon API

Advantages & Disadvantages

The Telethon API offers two advantages. On the one hand, it is much easier to further process the resulting data sets. On the other hand, you receive additional useful information, such as the language code of the requested user, if this is set.

However, this API interface is severely restricted: After a certain number of requests to the API, you are temporarily blocked. This makes effective enumeration of numbers currently almost impossible.

Conclusion: Advantages and disadvantages of PoC and outlook

All of the presented proofs of concept are suitable for finding out Telegram user data. When deciding on one of the PoCs, it is relevant how many resources are available to resolve as many numbers as possible. It also matters how the numbers are generated. For example, it would be possible to brute-force more effectively with special prefixes if there were information about where the target might be located.

The question remains how Telegram will deal with such features in the future to counter possible attacks on its users' privacy. This would of course have an impact on the functionality of the presented proofs of concept.

Figure: Overview of advantages and disadvantages of the proofs of concept