01 Why Open-Source Investigation Works
Scammers operate under the assumption that their internal communications and infrastructure are invisible. They're wrong. Here's why:
When scam groups form, all members are visible. Before they learn OPSEC, real Telegram accounts are used — personal profiles, phone numbers, mutual contacts. This window is where most intelligence is harvested.
In internal chats, scammers share wallet addresses, victim IPs, domains, payment amounts, screenshots with metadata. Every message is potential evidence — they just don't think anyone is watching.
Phishing domains need DNS, hosting, SSL certs. Payment flows need wallets. Every piece of infrastructure is registered somewhere, and most of it is queryable through public tools.
Every transaction on-chain is permanent and visible. Stolen funds can be traced from victim wallet through mixers, bridges, and eventually to exchanges where KYC exists. The ledger never forgets.
02 Common Scammer Mistakes
These are the operational security failures we exploit over and over:
Scammers join work chats from their real accounts — the ones linked to personal phone numbers, with real profile photos, mutual friends, and years of history. They create "work" accounts later, but by then we already have their personal IDs from the early group member list.
When a Telegram group is created, all initial members are visible to any member. Before the group grows and settings are locked, the complete member list — admins, workers, developers — is exposed. This is the gold mine of any investigation.
IP addresses, wallet addresses, stolen amounts, victim names, bank details — all shared openly in group chats. Screenshots of admin panels with victim databases visible. Every message becomes evidence that can be cross-referenced with blockchain data and victim reports.
Same hosting provider, same registrar, same wallet for receiving funds, same Telegram bots. When one operation is exposed, the shared infrastructure links it to every other operation the same actors run. One domain leads to twenty.
Admin panel screenshots showing URLs in the address bar, OS language settings, timezone, browser bookmarks, notification pop-ups from personal apps. Desktop screenshots that reveal usernames, file paths, installed software. Every pixel is intelligence.
Scammers love to flex — posting wallet balances, payment screenshots, exchange withdrawal confirmations. Each one is a traceable financial artifact that links their identity to specific wallets and transactions on the public blockchain.
Telegram bot tokens, API keys for payment processors, admin panel credentials — shared in plain text in group chats. A single leaked bot token reveals the entire command infrastructure, all users who interacted with it, and the message history.
03 Telegram OSINT
Telegram is the primary communication platform for CIS-region scam operations. Here's how to extract intelligence from it:
When you have access to a scam group (through leaks, infiltration, or public invite links), the member list is the first priority:
- Export full member list: user_id, username, first_name, last_name, phone
- Check admin list separately — admins are the operators
- Cross-reference user IDs across multiple groups to map networks
- Early members (by join date) are usually the core team
- Check if personal accounts have profile photos, bios, linked channels
```python
import asyncio
from telethon import TelegramClient

api_id = 0                            # placeholder: your Telegram API id
api_hash = "API_HASH"                 # placeholder: your Telegram API hash
group = "group_username_or_invite"    # placeholder: the group to export

async def main():
    # get_participants() handles the paged GetParticipantsRequest calls internally
    async with TelegramClient('session', api_id, api_hash) as client:
        participants = await client.get_participants(group)
        for user in participants:
            print(f"{user.id} | @{user.username} | {user.first_name} {user.last_name} | {user.phone}")

asyncio.run(main())
```
Full chat history contains the most valuable intelligence:
- Wallet addresses — regex extract all crypto addresses from messages
- Domains — extract all URLs, map phishing infrastructure
- IP addresses — victim IPs shared in logs, admin panel IPs in screenshots
- Financial amounts — stolen sums, payment shares, affiliate percentages
- Bot tokens — 123456:ABC-DEF... format reveals entire bot infrastructure
- Timestamps — activity patterns reveal timezone and working hours
```python
import asyncio, json, re
from telethon import TelegramClient

api_id = 0                            # placeholder: your Telegram API id
api_hash = "API_HASH"                 # placeholder: your Telegram API hash
group = "group_username_or_invite"    # placeholder: the group to export

async def dump_messages():
    messages = []
    async with TelegramClient('session', api_id, api_hash) as client:
        async for msg in client.iter_messages(group, limit=None):
            messages.append({
                "id": msg.id, "date": str(msg.date),
                "from_id": msg.sender_id,
                "text": msg.text or "",
                "media": bool(msg.media)
            })
    return messages

messages = asyncio.run(dump_messages())
with open("messages.json", "w", encoding="utf-8") as f:   # archive the raw export
    json.dump(messages, f, ensure_ascii=False, indent=2)

# Extract IOCs from text
wallets = set()
domains = set()
for m in messages:
    wallets.update(re.findall(r'\b(0x[a-fA-F0-9]{40})\b', m["text"]))  # ETH
    wallets.update(re.findall(r'\b(T[A-Za-z1-9]{33})\b', m["text"]))    # TRX
    domains.update(re.findall(r'https?://([^\s/]+)', m["text"]))
```
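The snippet above extracts two address types from a live export. The following is an added example (not code from the original page or from PhishDestroy) that runs offline over a constructed message list in the same shape and covers the full IOC list from the bullets: ETH, TRX (strict base58 alphabet), bech32 BTC, domains, IPv4 with octet validation, bot tokens (masked in the report so the secret does not leak into shared output), and a per-hour activity histogram for the timezone question. Every address, token, IP and domain in the sample is made up; the `.test` TLD and 203.0.113.0/24 are reserved for documentation.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same shape as the exported messages list; every
# address, token, IP and domain below is made up for this example.
SAMPLE_MESSAGES = [
    {"id": 1, "date": "2024-03-01 09:14:05+00:00", "from_id": 1001,
     "text": "payout to " + "0xAb" + "0" * 37 + "1" + " done"},
    {"id": 2, "date": "2024-03-01 10:02:44+00:00", "from_id": 1002,
     "text": "new page: https://login-example.test/auth?u=1 mirror http://cdn.example.test:8080/kit.zip"},
    {"id": 3, "date": "2024-03-02 09:45:10+00:00", "from_id": 1001,
     "text": "trx TAbcdefghijkmnpqrstuvwxyzABCDEFGHJ victim ip 203.0.113.7 panel 999.1.1.1"},
    {"id": 4, "date": "2024-03-02 23:58:00+00:00", "from_id": 1003,
     "text": "bot 123456789:" + "A" * 35 + " is live"},
    {"id": 5, "date": "2024-03-03 11:20:00+00:00", "from_id": 1002,
     "text": "btc bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l"},
]

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"   # base58 excludes 0, O, I and l
PATTERNS = {
    "eth": re.compile(r"\b(0x[a-fA-F0-9]{40})\b"),
    "trx": re.compile(r"\b(T" + BASE58 + r"{33})\b"),
    "btc_bech32": re.compile(r"\b(bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,59})\b"),
    "domain": re.compile(r"https?://([^\s/?#:]+)", re.I),          # host only, port/path dropped
    "ipv4": re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\b"),
    "bot_token": re.compile(r"\b(\d{8,10}):([A-Za-z0-9_-]{35})\b"),
}

def valid_ipv4(s):
    return all(0 <= int(o) <= 255 for o in s.split("."))

def extract_iocs(messages):
    """Return {ioc_type: sorted list of unique hits} over the text of every message."""
    found = {k: set() for k in PATTERNS}
    for m in messages:
        text = m.get("text") or ""
        for kind, rx in PATTERNS.items():
            for hit in rx.findall(text):
                if kind == "ipv4" and not valid_ipv4(hit):
                    continue                       # drops things like 999.1.1.1
                if kind == "bot_token":
                    bot_id, secret = hit
                    hit = f"{bot_id}:{secret[:4]}***"   # never write the full secret into a report
                if kind == "domain":
                    hit = hit.lower()
                found[kind].add(hit)
    return {k: sorted(v) for k, v in found.items()}

def activity_by_hour(messages):
    """Messages per UTC hour; the busy band hints at the operators' local working day."""
    hours = Counter()
    for m in messages:
        hours[datetime.fromisoformat(m["date"]).hour] += 1
    return hours

if __name__ == "__main__":
    for kind, hits in extract_iocs(SAMPLE_MESSAGES).items():
        print(kind, hits)
    print(sorted(activity_by_hour(SAMPLE_MESSAGES).items()))
```

To run it against a real export, replace `SAMPLE_MESSAGES` with the list produced by the dump above; the `date` strings that `str(msg.date)` yields parse with `datetime.fromisoformat` as used here.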
Telegram user IDs are permanent. Even when usernames change, the numeric ID stays. Use it to:
- Track the same person across multiple scam groups
- Find their activity in public groups and channels
- Use @username_to_id_bot for quick lookups
- Build a graph of relationships between user IDs across groups
04 Blockchain Analysis
Follow the money. Every on-chain transaction is permanent evidence:
Trace the initial theft transaction. The receiving wallet is the first node in the money flow graph.
Track funds to CEX deposit addresses. Exchanges have KYC — this is where pseudonymous meets identity.
Decompile drainer smart contracts to find fee addresses, admin wallets, and the drainer-as-a-service operator.
Group related wallets by shared transaction patterns, common funding sources, or sequential creation timestamps.
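The four steps above (theft transaction, exchange endpoint, fee addresses, wallet clustering) are a graph problem once the transfers are in a table. This is an added example, not code from the page or from PhishDestroy: it builds a directed graph from a constructed transfer log, walks breadth-first from a victim wallet to the first address labelled as an exchange deposit, and clusters wallets by shared funding source. All addresses, amounts and the `exchange_deposit`/`mixer` labels are made up; in practice the labels come from exchange attribution data and the transfers from an explorer or indexer.

```python
from collections import defaultdict, deque

# Constructed transfer log (from_addr, to_addr, amount) in chronological order.
# Addresses are placeholders, not real on-chain data.
TRANSFERS = [
    ("victim_A", "collector_1", 5.0),
    ("victim_B", "collector_1", 3.0),
    ("collector_1", "consol_1", 8.0),
    ("consol_1", "hop_1", 4.0),
    ("consol_1", "hop_2", 4.0),
    ("hop_1", "cex_deposit_X", 4.0),
    ("hop_2", "mixer_in", 4.0),
    ("funder_Z", "drainer_fee_1", 0.1),
    ("funder_Z", "drainer_fee_2", 0.1),
    ("funder_Z", "collector_1", 0.05),   # gas top-up: ties the collector to the fee wallets' funder
]
# Constructed attribution labels; real ones come from exchange/mixer address lists.
LABELS = {"cex_deposit_X": "exchange_deposit", "mixer_in": "mixer"}

def build_graph(transfers):
    """Adjacency list: address -> [(next_address, amount), ...]."""
    g = defaultdict(list)
    for src, dst, amt in transfers:
        g[src].append((dst, amt))
    return g

def trace_to_exchange(transfers, start, labels):
    """BFS from the victim wallet; return the shortest hop path ending at an exchange deposit."""
    g = build_graph(transfers)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if labels.get(path[-1]) == "exchange_deposit":
            return path
        for nxt, _ in g.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None   # funds never reached a labelled exchange address

def cluster_by_funding_source(transfers):
    """Sources that fund two or more distinct wallets, with those wallets.
    Shared funding (gas top-ups, fee payouts, consolidation splits) links wallets
    under one operator even when they never transact with each other."""
    recipients = defaultdict(set)
    for src, dst, _ in transfers:
        recipients[src].add(dst)
    return {src: sorted(d) for src, d in recipients.items() if len(d) > 1}

if __name__ == "__main__":
    print(" -> ".join(trace_to_exchange(TRANSFERS, "victim_A", LABELS)))
    for src, wallets in cluster_by_funding_source(TRANSFERS).items():
        print(src, "funds", wallets)
```

The BFS deliberately ignores amounts; once the exchange endpoint is known, amount and time matching per hop is the next refinement, and the clustering output (`funder_Z` funding both fee wallets and the collector) is the kind of link that turns two separate drainer campaigns into one actor.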
05 Infrastructure Reconnaissance
Map the technical infrastructure behind scam operations:
- WHOIS history: registration dates, registrant data (if not private), nameserver changes, historical ownership
- DNS: A, CNAME, MX, TXT records and the IP addresses behind domains. Shared hosting is a strong link between actors.
- Certificate transparency logs: find all domains on the same certificate and discover related infrastructure.
When you have one IP from a phishing domain, you can find every other domain hosted on it:
```shell
# Reverse IP lookup — find all domains on same server
curl "https://api.hackertarget.com/reverseiplookup/?q=1.2.3.4"
# Shodan — find open ports, services, banners
shodan host 1.2.3.4
# Censys — TLS certificates on IP
censys search "ip:1.2.3.4"
```
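The two pivots above (same certificate, same IP) return data that still has to be merged and de-duplicated. The following is an added example, not code from the page or from PhishDestroy, that does that offline: it parses a constructed sample in the shape crt.sh returns for `?q=<domain>&output=json` (a list of entries whose `name_value` field holds the certificate's names separated by newlines), parses a constructed one-hostname-per-line reverse-IP result, and tags each discovered host with the evidence that linked it to the seed domain. The domains are made up (`.test` is reserved for documentation).

```python
import json
from collections import defaultdict

# Constructed sample in the shape crt.sh returns for ?q=<domain>&output=json.
# Entry ids, issuers and names are made up for this example.
CRTSH_SAMPLE = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example CA, CN=Example R1",
     "common_name": "login-example.test",
     "name_value": "login-example.test\nwww.login-example.test\n*.login-example.test"},
    {"id": 2, "issuer_name": "C=US, O=Example CA, CN=Example R1",
     "common_name": "secure-wallet-example.test",
     "name_value": "secure-wallet-example.test\nlogin-example.test"},
    {"id": 3, "issuer_name": "C=US, O=Example CA, CN=Example R1",
     "common_name": "unrelated-example.test",
     "name_value": "unrelated-example.test"},
])

# Constructed sample of a reverse-IP lookup result: one hostname per line.
REVERSE_IP_SAMPLE = "login-example.test\nCDN.example.test\npromo-example.test\n"

def ct_names(crtsh_json):
    """Map each CT entry id to the set of hostnames on that certificate (wildcards stripped)."""
    per_cert = {}
    for entry in json.loads(crtsh_json):
        names = set()
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]          # *.example.test -> example.test
            if name:
                names.add(name)
        per_cert[entry["id"]] = names
    return per_cert

def related_by_cert(per_cert, seed):
    """Hostnames that share at least one certificate with the seed domain."""
    related = set()
    for names in per_cert.values():
        if seed in names:
            related |= names
    related.discard(seed)
    return sorted(related)

def reverse_ip_hosts(text):
    """Normalise a newline-separated reverse-IP listing."""
    return sorted({line.strip().lower() for line in text.splitlines() if line.strip()})

def pivot(seed, crtsh_json, reverse_ip_text):
    """Merge both pivots; each host keeps the list of evidence types that linked it."""
    evidence = defaultdict(set)
    for host in related_by_cert(ct_names(crtsh_json), seed):
        evidence[host].add("shared_cert")
    for host in reverse_ip_hosts(reverse_ip_text):
        if host != seed:
            evidence[host].add("same_ip")
    return {h: sorted(e) for h, e in sorted(evidence.items())}

if __name__ == "__main__":
    for host, ev in pivot("login-example.test", CRTSH_SAMPLE, REVERSE_IP_SAMPLE).items():
        print(host, ev)
```

A host that appears under both evidence types is a much stronger candidate than one linked only by a shared IP, since shared hosting on a large provider links unrelated customers as well; keeping the evidence list per host makes that distinction visible in the report.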
Scam operations frequently use Keitaro TDS to cloak phishing pages from moderators. Our tools detect it:
06 Tools & Open-Source Scripts
Everything listed here is free and open-source:
- Telethon: Python Telegram API client. Extract members, messages, media, bot interactions. The core tool for Telegram OSINT.
- Alternative Telegram MTProto library. Async, modern API. Good for high-volume data extraction.
- Sherlock: find usernames across 400+ social networks. When you have a scammer's username, check if they reuse it.
- Maigret: advanced username OSINT. 3000+ sites, profile parsing, report generation. Fork of Sherlock with deeper analysis.
- Domain reconnaissance: subdomains, emails, IPs, employee names from public sources (Shodan, VirusTotal, etc.).
- Subdomain enumeration. Find hidden admin panels, staging sites, API endpoints on scam domains.
- Fast HTTP toolkit. Probe domains in bulk, extract titles, status codes, tech stack, redirects. Pairs well with mass domain lists.
- Template-based vulnerability scanner. Custom templates can detect specific phishing kits, panels, and drainers.
- Our Python script for mass Keitaro TDS detection. 7 evidence checks, multi-threaded, proxy support. Finds cloaking infrastructure.
- 70,000+ malicious domains blocklist maintained by PhishDestroy. Updated regularly. Use for threat feeds or cross-referencing.
07 Investigation Workflow
A typical scam network investigation follows this flow:
- Victim report, leaked chat dump, public Telegram group link, phishing domain from blocklist, or blockchain transaction alert. Any single data point is enough to start.
- Export full member list and chat history. Extract all IOCs: wallets, domains, IPs, bot tokens. Map the group structure — who are admins, developers, workers.
- From Telegram user IDs, pivot to usernames. Run Sherlock/Maigret to find the same username across platforms. Check if personal accounts reveal real identities, locations, social connections.
- From domains, resolve IPs. Reverse IP to find co-hosted domains. Check SSL certs on crt.sh. Query WHOIS history. Identify hosting provider, registrar, CDN. Detect Keitaro TDS.
- Trace wallet transactions. Map the flow: victim → collector → consolidation → mixer/bridge → exchange. Identify the exchange endpoint where KYC can unmask the actor.
- Connect the dots. Same user ID in multiple groups? Same wallet receiving from different drainers? Same registrar for 50 domains? Build the complete picture and archive everything permanently.
- Submit to ScamIntelLogs, report to law enforcement, share IOCs with the community, submit domains to blocklists, report phishing to Google Safe Browsing and registrars.
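The correlation step ("same user ID in multiple groups, same wallet behind different drainers, same registrar across domains") and the earlier note about building a graph of user IDs across groups both come down to inverting each evidence table and reporting the values that occur under more than one key. This added example (not code from the page or from PhishDestroy) does that over three constructed evidence sets; all user IDs, wallets, kit names, domains and registrar strings are made up.

```python
from collections import defaultdict
from itertools import combinations

# Constructed evidence sets; every id, wallet, domain and registrar is made up.
GROUP_MEMBERS = {             # telegram group -> set of numeric user ids
    "group_alpha": {1001, 1002, 1003, 2001},
    "group_beta":  {1002, 1003, 3001},
    "group_gamma": {1001, 4001},
}
DRAINER_FEE_WALLETS = {       # drainer kit -> wallet that receives the operator's fee
    "kit_one":   "0xfee" + "0" * 36 + "a",
    "kit_two":   "0xfee" + "0" * 36 + "a",   # same fee wallet as kit_one
    "kit_three": "0xfee" + "0" * 36 + "b",
}
DOMAIN_REGISTRARS = {         # phishing domain -> registrar string from WHOIS
    "login-example.test": "Registrar-A",
    "secure-wallet-example.test": "Registrar-A",
    "promo-example.test": "Registrar-B",
}

def invert(mapping):
    """value -> set of keys. Works for scalar values and for set/list values."""
    inv = defaultdict(set)
    for key, value in mapping.items():
        values = value if isinstance(value, (set, frozenset, list, tuple)) else {value}
        for v in values:
            inv[v].add(key)
    return inv

def shared_values(mapping, min_count=2):
    """Values that occur under at least min_count keys, with those keys sorted."""
    return {v: sorted(ks) for v, ks in invert(mapping).items() if len(ks) >= min_count}

def group_overlap(group_members):
    """Edges between groups, weighted by the user ids they have in common."""
    edges = {}
    for a, b in combinations(sorted(group_members), 2):
        common = group_members[a] & group_members[b]
        if common:
            edges[(a, b)] = sorted(common)
    return edges

def correlate():
    """One report with every cross-source link found in the evidence sets."""
    return {
        "users_in_multiple_groups": shared_values(GROUP_MEMBERS),
        "group_overlap": group_overlap(GROUP_MEMBERS),
        "shared_fee_wallets": shared_values(DRAINER_FEE_WALLETS),
        "shared_registrars": shared_values(DOMAIN_REGISTRARS),
    }

if __name__ == "__main__":
    for section, links in correlate().items():
        print(section)
        for key, value in links.items():
            print("  ", key, "->", value)
```

A shared registrar on its own is weak evidence (large registrars host plenty of unrelated domains), so the report keeps each link type separate rather than merging everything into one score; the analyst weighs a shared fee wallet far above a shared registrar when deciding what to archive and report.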
08 What You Actually Find
Real examples of data types extracted from scam network investigations:
09 Legal & Ethics
This guide is for security researchers, law enforcement, journalists, and anti-fraud professionals. All techniques described use publicly available data and open-source tools. We do not endorse or encourage unauthorized access to any systems.
Licensed under MIT License. See our Security Policy for vulnerability reporting.