
Introduction:
In the shadows of Telegram, where threat actors and extremists operate under the cloak of anonymity, a simple sticker pack can become a critical vulnerability. A new open-source intelligence (OSINT) methodology is turning this common feature into a powerful deanonymization tool, revealing the real identities behind propaganda channels and criminal networks by exploiting a fundamental design quirk in Telegram’s architecture.
Learning Objectives:
- Understand the technical process of extracting a creator’s User ID from a Telegram sticker pack.
- Learn how to operationalize the TGSpyder tool within a broader OSINT investigative workflow.
- Identify complementary platforms like Darkside and SangMata for correlating and enriching exposed identifiers.
You Should Know:
1. The Technical Foundation: From Sticker Pack to User ID
The core of this deanonymization technique hinges on a predictable mathematical relationship encoded within Telegram’s system. Every sticker pack created on Telegram contains a unique numeric ID. Crucially, this sticker pack ID is algorithmically derived from the creator’s own Telegram User ID.
The process to uncover this link is automated by tools like TGSpyder or Maltego Transforms, but it follows these discrete steps:
1. Target Acquisition: Identify a sticker pack used within a channel or group of interest. Copy its Telegram link (e.g., t.me/addstickers/YourStickerPackName).
2. Metadata Retrieval: The tool makes an API call to Telegram’s backend to fetch the full metadata for the specified sticker pack.
3. ID Extraction: From the API response, the tool programmatically extracts the sticker pack’s unique numerical ID.
4. Bit-Shift Decoding: The tool then performs a critical computational operation: a binary right shift of the sticker pack ID by 32 bits (`pack_id >> 32`). The resulting number is the Telegram User ID of the individual who created the sticker pack.
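The decoding step above, worked through offline as an added example (not TGSpyder’s code): it parses an addstickers link, applies the `pack_id >> 32` relationship the article describes, and groups several packs by the creator ID they resolve to, which is what makes a custom pack a traceable asset. All pack IDs are constructed sample values, and no Telegram API call is made.

```python
import re

# Accepts "t.me/addstickers/<name>" with or without an https:// prefix.
ADDSTICKERS_RE = re.compile(r"^(?:https?://)?t\.me/addstickers/([A-Za-z0-9_]+)$")


def pack_short_name(link: str) -> str:
    """Extract the sticker pack short name from an addstickers link."""
    match = ADDSTICKERS_RE.match(link.strip())
    if not match:
        raise ValueError(f"not an addstickers link: {link!r}")
    return match.group(1)


def owner_id_from_pack_id(pack_id: int) -> int:
    """Apply the relationship described in the article: the creator's user ID
    sits in the upper 32 bits of the 64-bit sticker pack ID."""
    if not 0 <= pack_id < 2**64:
        raise ValueError("sticker pack ID must be an unsigned 64-bit integer")
    return pack_id >> 32


def group_packs_by_owner(packs: dict[str, int]) -> dict[int, list[str]]:
    """Map each recovered creator ID to the pack names that point at it.
    Two packs sharing the same upper 32 bits come from the same creator."""
    groups: dict[int, list[str]] = {}
    for name, pack_id in packs.items():
        groups.setdefault(owner_id_from_pack_id(pack_id), []).append(name)
    return groups


# Constructed sample data (not real packs or users): two packs whose IDs share
# the same upper 32 bits, and a third created by a different (fictional) user.
SAMPLE_PACKS = {
    "PackA": (123456789 << 32) | 1,
    "PackB": (123456789 << 32) | 7,
    "PackC": (987654321 << 32) | 3,
}

if __name__ == "__main__":
    print(pack_short_name("https://t.me/addstickers/PackA"))
    for owner, names in group_packs_by_owner(SAMPLE_PACKS).items():
        print(f"creator {owner}: {names}")
```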
2. Installing and Running TGSpyder
TGSpyder is a Command-Line Interface (CLI) tool that automates the extraction and deanonymization process. Getting it operational requires a standard Python environment.
1. Prerequisites: Ensure you have Python 3.7+ and `pip` installed on your system. You will also need a Telegram API `api_id` and `api_hash`, which you can obtain by creating an application on https://my.telegram.org.
2. Installation: Install TGSpyder directly from its repository using pip:
pip install tgspyder
3. Configuration: The tool will require your Telegram API credentials. This is typically handled via a configuration file or environment variables. Refer to the tool’s documentation for the specific format.
4. Basic Execution: To target a sticker pack, run:
tgspyder --sticker-pack "t.me/addstickers/ExtremistPropagandaPack"
5. Output: TGSpyder will output the decoded User ID. Its real power is in the optional `--resolve` flag, which attempts to query Telegram’s API directly to see if this ID can be linked to a current, visible username or phone number.
3. Bridging the Gap: When Direct Resolution Fails
Telegram’s privacy settings often prevent a User ID from being directly resolved to an active account. This is where investigation moves from automated querying to strategic intelligence correlation.
1. Leverage Telegram Bots: Use the exposed User ID with bots built for OSINT. The TG DB Search bot (@tgdb_bot) is particularly powerful. Sending the raw ID to this bot can correlate it with a username and reveal all public groups and channels where that user is present, building a map of their associations.
2. Historical Username Checks: Use a service like SangMata to check if the User ID was ever associated with a username in the past. Threat actors may change their handle, but historical records can provide a crucial pivot point.
3. Analysis: Cross-reference the discovered groups and historical names. Is the user active in other related extremist channels? Do historical usernames follow a naming convention or reveal a persona? This builds a profile beyond a single number.
4. The Power of Breach Data: Enrichment with Darkside
The most potent enrichment comes from cross-referencing the Telegram User ID with massive repositories of compromised data, such as the Darkside platform by District 4 Labs.
1. Platform Access: Darkside is a professional platform containing tens of billions of parsed records from hacked databases, combolists, and malware logs. It is accessible via a web UI or API for integration into analysis platforms like Maltego or Falkor.
2. Query Execution: Input the Telegram User ID into Darkside’s search. The platform scans its records for any instance where that identifier appears in a breached dataset.
3. Intelligence Enrichment: A positive result can be transformative. It may link the anonymous Telegram ID to a compromised account, revealing the email address or phone number used to register it. In some cases, this can be further linked to real Personally Identifiable Information (PII) like names, physical addresses, or even financial transaction data from the breach.
4. Workflow Integration: This makes the investigative workflow circular: a sticker pack leads to a User ID. The User ID, queried in Darkside, may reveal an email. That email can be searched again in Telegram or other social media, potentially confirming the identity.
5. Operational Security (OPSEC) for the Investigator
Conducting these investigations requires careful OPSEC to protect your own identity and the integrity of your inquiry, especially when dealing with hostile threat actors.
1. Dedicated Environment: Use a virtual machine or a dedicated, clean machine for OSINT research to prevent cross-contamination with your personal data.
2. Anonymized Connectivity: Route all investigative traffic through a trusted VPN or the Tor network. This is critical when interacting with Telegram’s API or visiting extremist channels.
3. Burner Credentials: The Telegram API `api_id` and `api_hash` used for tools like TGSpyder should be created from a burner Telegram account, not your personal or professional account.
4. Secure Documentation: Use encrypted note-taking apps (e.g., Standard Notes, Joplin with encryption) to store findings, and avoid saving sensitive data in plain text files.
6. Real-World Application: From Theory to Threat Disruption
This methodology is not theoretical. It is actively used in high-stakes investigations to map cybercriminal and state-sponsored networks.
1. Case Study – Propaganda Network: An analyst finds an ISIS-affiliated Telegram channel sharing new propaganda imagery as a sticker pack. Using TGSpyder, they decode the creator’s User ID.
2. Cross-Platform Correlation: The ID is run through Darkside, revealing a linked email address. That email is found on a hacked forum for cybercrime tools, used by a username “CyberJihadist.”
3. Network Mapping: Querying the User ID in TG DB Search bot shows the account is an administrator in three other, previously unknown, support channels. This maps the network’s infrastructure.
4. Attribution & Action: The compiled dossier—linking a propaganda asset to a specific digital identity and its broader network—can be provided to relevant authorities for action or used to publicly expose the network’s operations.
What Undercode Say:
- Key Takeaway 1: Digital anonymity is often layered and brittle. TGSpyder’s exploit of Telegram’s sticker pack encoding reveals how a single, seemingly innocuous artifact can crack the first layer, demonstrating that true operational security requires threat actors to avoid creating any permanent, traceable assets on a platform.
- Key Takeaway 2: The tool’s real power is multiplicative, not standalone. Its output—a raw User ID—is most valuable as a key for querying external breach databases like Darkside. This underscores the modern reality of intelligence: disparate data sources, when connected, create a picture that is far greater than the sum of their parts.
Prediction:
This technique will trigger a direct evolution in both offensive and defensive tradecraft. Sophisticated threat actors, especially state-sponsored groups, will increasingly avoid creating custom sticker packs or emoji, recognizing them as a fingerprint. We will see a rise in the use of “borrowed” or publicly available packs to maintain plausible deniability. Conversely, the investigative methodology will become more automated and integrated. Expect next-generation OSINT platforms to bake this sticker-pack-to-PII pipeline into a single click, automatically querying Telegram’s API, breach databases, and historical archives simultaneously. This will accelerate attribution timelines but also raise significant ethical and legal questions about privacy, as the digital breadcrumbs we all leave behind become exponentially easier to follow.
Reported By: Valdemarballe (Deanonymize) – Hackers Feeds