๐Ÿ”Ž Maltego Telegram

December 29, 2025 ยท View on GitHub

OSINT Transforms for Telegram investigations

preview

Maltego Telegram is a free set of Maltego Transforms designed for OSINT investigations in the Telegram messenger.

The project originally focused on de-anonymization via stickers and emoji, but has since evolved into a full-featured toolkit for analyzing Telegram channels, groups, and user profiles.

๐Ÿš€ Features

With Maltego Telegram you can:

  • ๐Ÿ“ฑ Retrieve a Telegram profile by phone number
  • ๐Ÿ‘ฅ Discover groups and chats linked to a Telegram channel
  • ๐Ÿ›ก Get a list of Telegram group administrators
  • โœ๏ธ Identify authors of Telegram channels
  • ๐Ÿ” Collect forwarded and audience-overlapping (similar) channels
  • ๐Ÿ—‘ Detect deleted posts and generate links to archived content
  • ๐Ÿ˜€ Index all stickers and emoji used in a Telegram channel
  • ๐Ÿงฉ Identify creators of sticker and emoji packs

More than 10 Transforms are currently available.
A full list can be found:

  • in the Transforms directory
  • directly in Maltego after importing the project

๐Ÿง  How it works

Below are some key investigation scenarios enabled by the Transforms.

๐Ÿ˜€ Stickers and their creators

stickers

Every Telegram user has a unique UID.
When a user creates a sticker pack, this UID is embedded inside the pack ID.

The Transform extracts it using the following logic:

  1. Request sticker pack metadata via the Telegram API
  2. Extract the value of the id field
  3. Perform a 32-bit right binary shift

The resulting UID can be resolved to a username (for example, via the @tgdb_bot).

๐Ÿ“Œ Practical use case
If a channel author does not provide contact details, they can be de-anonymized by scanning the channel for sticker packs they have created.
Maltego Telegram performs this process automatically.

๐Ÿ”— Read more:
What's wrong with stickers in Telegram? Deanonymize anonymous channels in two clicks

๐Ÿ”— Similar channels

similar

Telegram provides a built-in feature for discovering channels with overlapping audiences, but the results are shown only as a list.

Maltego enhances this by:

  • visualizing relationships,
  • revealing channel networks,
  • simplifying ecosystem-level analysis.

๐Ÿ” Profiles associated with a channel

forwarded

Channel administrators often:

  • forward their own messages,
  • repost content from personal accounts.

Even if a user later restricts forwarding (Forwarded Messages = Nobody), older forwarded messages remain linked to the original profile.

This Transform:

  • detects such messages,
  • connects channels to real user profiles.

๐Ÿ—‘ Deleted posts and archived content

deleted

Each Telegram post has a sequential numeric ID:

  • 1, 2, 3, 4 โ€ฆ

Missing IDs indicate that posts were deleted.

This Transform:

  • detects gaps in post IDs,
  • checks public Telegram archives,
  • generates links to preserved copies of deleted content.

โš™๏ธ Installation

1๏ธโƒฃ Clone the repository

git clone https://github.com/vognik/maltego-telegram

2๏ธโƒฃ Install dependencies

pip install -r requirements.txt

3๏ธโƒฃ Configure config.ini

Set the following values:

4๏ธโƒฃ Log in to Telegram

python login.py

5๏ธโƒฃ Generate Transform files

python project.py

6๏ธโƒฃ Import into Maltego

Import the following files using Import Config in Maltego:

  • entities.mtz
  • telegram.mtz

imports

โ–ถ๏ธ Usage

  1. Drag an entity from the Entity Palette
  2. Right-click on it
  3. Select the desired Transform

๐ŸŽฅ Demo:

https://github.com/user-attachments/assets/dba4b5b1-a82d-4e26-b8e4-d063f5456f88

๐Ÿ“„ License

This project is licensed under the GPL-3.0 license.
See the LICENSE file for details.