Introduction

The roller coaster of social media suspensions and removed jihadi content is well documented. However, the jihadis’ struggle to keep up with the relentless suspensions and removal of jihadi social media content, may have finally run its course. The new frontier of jihadi communication is taking place on a recently launched tool, in a messaging platform that has revolutionized the social media sphere, and at least for now put an end to any watchdog oversight.

This TRAC project does not merely document that many groups have shifted to Telegram, it describes how they operate on Telegram.  The following report is divided into three sections:

• Jihadi Infrastructure on Telegram,
• Money Transferring on Telegram, and
• Cross Section of TRAC’s Telegram Archives.

The New Virtual Underground Railroad

Telegram was created as a free, encrypted, messaging application that guarantees both privacy and never to delete accounts. On September 22, 2015, Telegram introduced a new feature, called “channels”  – it is this new feature that has been enthusiastically embraced by many militant groups, becoming an underground railroad for distributing and archiving jihadi propaganda materials. Moreover, Telegram’s chat feature continues to be essential to both the recruiting and money moving activities.

For More on TRAC Insight: Adaptation Strategies in the Islamic State Twitter War

For More on TRAC Insight: Google Plus- Hidden Passage to Recruitment

Not a Fad

Though TRAC has seen sporadic attempts to jump to other social media platforms by many different militant groups worldwide, we have good reasons to believe this is an actual resettlement — a grassroots movement to shift communication styles. The usual pattern of initial attempts to transit from a mainstream social media outlet like Twitter, to another social media platform for covert communications is: initial patchy use; followed by a dropping off of content; then, ultimately becoming a “back-channel” for propaganda when all other media outlets are unavailable for one reason or another. This current migration to Telegram looks nothing like the past attempts to move from the more mainstream social media platforms like Twitter.  The sheer scale and momentum of the Telegram migration is hard to fathom. The force of the numbers using Telegram channels is staggering, watching hundreds of new members in an hours’ time; thousands coming on in over a few days is commonplace for many channels.

Membership in Elite Messaging: Telegram Channels

Since it went live on August 14, 2013, the messaging application Telegram has seen major success, both among ordinary users as well as jihadis; but it wasn’t until their launch of “channels” in September 2015, that TRAC began to witness a massive migration from other social media sites, most notably Twitter.

Advantages

• Channels work like Twitter on steroids, you become a member, and then you are automatically updated anytime a new item appears on a channel. No need to check it every minute of the day; it simply pings you when new information is available. Only the channel administrator can post to the channel but as a user you can forward any message they post to any one of your contacts. Administrators of one channel can also forward content from a channel they visit to the one they administer.
• Since many people were already using Telegram as a messaging application, the proliferation of messages on channels spreads like a virus. Often you will see a channel that has very few members but the posted messages will have 1,000s of views.
• Any medium of any file size can be included in a channel message and then downloaded from by channel visitors or users, avoiding pesky YouTube or Just Paste It deletions. You do not have to join a channel to access messages or download content.
• Telegram is nimble in use; one can ‘be on-the-go’ so to speak and access their account in many different ways. Telegram can be loaded to your mobile device or used as an application on your laptop or can simply be seen on the internet from any type of browser.  One can also log into all points of access simultaneously.

TRAC’s Archive

TRAC has archived 200+ major, mainstream jihadi channels. While many of the channels have Islamic State affiliations, there are an increasing number of channels from other major players in the global jihadi world. From al Qaeda in the Arabian Peninsula (AQAP) to Jabhat al-Nusra (JN) to Ansar al-Sharia in Libya (ASL) to Jaysh al-Islam, the rate of membership escalation for each discrete channel is staggering. Within a week’s time, one single Islamic State channel went from 5,000 members to well over 10,000 members. Though it is unclear if what is commonly referred to as “the ISIS fan club” will migrate to Telegram, what is clear is that the hard core disseminators already have.

Jihadi Infrastructure

Nearly half the channels TRAC has archived belong to the Islamic State. Many of them have thousands of members, who seem to regularly access the posted message; messages in these channels get at many as 6,000 views in real time. Therefore, the Islamic State channels are the best example of how jihadis are currently using (and will continue to develop) Telegram as both an operational theater, and as a repository. The Islamic State has begun to create channel infrastructure and templates for each type of content in at least 12 different languages. The notorious Nashir (alternative: Nasher) distribution network has the most distinct matrix within Telegram. Languages include: Arabic, Bengali, Bosnian, English, French, German, Indonesian, Italian, Kurdish, Russian, Turkish, and Urdu.

Planning for the Future

There is also evidence that the Islamic State considers Telegram a permanent part of its future. Their most popular website for video distribution, ISDARAT, has five distinct Telegram channels, each with a corresponding new website that contains different content, tailor-made to its Telegram channel. ISDARAT is well-known and its website is constantly shut down by authorities or vigilante attacks. Thousands of twitter profiles include one version or another of the oft-changing URL. With Telegram’s promise of permanence, and the ability to transfer any type of file via a channel, ISDARAT no longer needs to play hide and seek with its followers.

Protected Repository

Telegram is not just a tool for file sharing but rather it has become “the protected repository” of resources for the Islamic State. The images that follow include the info page for Khilafah News, which shows the number of shared media resources available, as well as a page of both the video and file listings for that channel.

Click to enlarge                             Click to enlarge                      Click to enlarge 

Screen shots (above): Khilafah New’s Telegram feed nearly one month after establishment. As of 28 October 2015: 1,875 photos shared; 71 video files; 130 data files; 14 voice messages; 816 shared links.

For More on TRAC INSIGHT: Media Outlets of Islamic State

Creation and Background

Image: Screen shot of Telegram’s features, note look very much like Monopoly characters.

The Brothers Durov

Telegram was created by two Russian brothers, Pavel and Nikolai Durov. Pavel is the financial and visionary figure of the company, while Nikolai specializes in the technical and programming aspects. However, Telegram’s website states that the company is actually based in Berlin and holds no geographical or litigious ties to Russia.[1]

The company describes Telegram as an application that serves as a fusion between text messaging and sending e-mails. This is not to say that Telegram offers an e-mail component, rather that the design of the application is one that blends the functions of text messages and e-mails.[2] Furthermore, Telegram is a free service and currently operates as a nonprofit company. It is financed by Pavel Durov’s fund Digital Fortress.[3]

Security

Privacy and security are Telegram’s primary attraction to potential users and are a key reason for its widespread adoption. The company has been seemingly effective in riding the wave of privacy scares following Edward Snowden’s revelations regarding government encroachment on privacy. Notably, Pavel Durov publicly offered Snowden a job, an offer he declined.[4]

For More on Three Insider Leaks

Privacy

Telegram’s website highlights the services’ stance on internet privacy. It states, “At Telegram we think that the two most important components of internet privacy should be:

1. Protecting your private conversations from snooping third parties, such as officials, employers, etc.
2. Protecting your personal data from third parties, such as marketers, advertisers, etc.”[5]

Keeping Russian Eyes Off

Pavel Durov later echoed these sentiments when he stated that the prime motivation for creating Telegram was to establish a means of communicating that cannot be accessed by “the Russian security agencies.”[6] It is important to note that Telegram’s target market is a generation that grew up on social media and who currently have a heightened awareness of privacy issues.

End-to-End Encryption

The application boasts about its end-to-end encryption and the fact that its programming is not veiled, but is open-source and available to users. Telegram is so confident in its encryption that it has offered $300,000 rewards to the first individual to crack the encryption.[7] In an interview with TechCrunch, Pavel Durov stated that the encryption has not been cracked, but a developer received $100,000 for discovering a significant vulnerability.[8] Nevertheless, skeptics state it is only a matter of time before Telegram’s encryption system is breached.

User Information is Stored

Telegram provides an environment that is genuinely respectful of the user’s privacy, as opposed to other major social media and internet services such as Facebook and Google. Telegram posits that merely offering users options to make their posts or information “private” does not mean that the information itself, which is shared through given service, is protected. Conversely, Telegram argues that many sites use these methods to quell users’ privacy concerns, but user information is stored, “mined” for targeted advertising and remains prone to being shared with third parties.[9]

Self-Destruct Feature

The “self-destruct” option is particularly useful for those who move around a lot and forget passwords or have limited use of the internet for long periods of time. There are privacy settings for each individual account that can either set messages to self-destruct after a certain period of time (see Secret Chat below) or accounts to self-destruct after chosen periods of inactivity.

Channels

On September 22, 2015, Telegram announced channels as a way for users to “broadcast” their postings to a wide audience.[10] Prior to adding channels, Telegram served groups of up to 200 people using a broadcast feature to share information. Although Telegram is adding functionality to channels, it appears that the biggest attractions of the channel feature has been its feature of having an unlimited number of members, as well as non-member access to channel content.

Not surprisingly, the channel feature has become quite popular with jihadis. Although Telegram is still technically a messaging application, channels allow users to produce and share content with ever-growing audiences.

Downloads

The messaging only version of Telegram was enormously popular in the Middle East.  In December 2013, merely four months after Telegram’s launch, it was reported that users in the Middle East downloaded Telegram over 100,000 times in one day. This surge dwarfed previous Telegram downloads in the Middle East that had been approximately 2,000 per day.[11] Clearly not all of its earlier users in the Middle East were jihadis, especially since the militant and political ecosystem of the region is vastly different today than it was at the end of 2013. Nevertheless, the it has proven to be very attractive as an outlet for jihadi propaganda.

Promoting your Channel

Many of the larger jihadi channels have attracted thousands of members, and the view count for each message suggests some channels are visited more by non-members than by members. At least three channels have well over 10,000 members. Back on Twitter, Twitter account holders are pushing their followers to Telegram – they tweet and retweet information about how to get the Telegram app and which channels to join. Others on Twitter have implored their followers to join their Telegram channels. They rarely state that they are motivated by their next, imminent suspension.  But for followers who repeatedly search for “shout-outs” that point them to the new accounts of their favorite jihadis, the reason to switch to Telegram is apparent.

An Islamic State Nashir channel posted an infographic on how to spread material from a channel.

The image announced: “To support the channel, do not copy published material but follow these steps:

1. Choose the desired post
2. Press ‘Forward’
3. Then choose the future recipient”

Transferring Funds

A Virtual Hawala System

Secret Chats

It has always been possible to transfer funds via text message – by using services that just require a person to establish their identity and provide a transaction number. Telegram makes that type of exchange more appealing because the encryption and self-destruct features of the “Secret Chat” limit access to the information. And for even more anonymity, bitcoin and other crypto-currencies don’t even require that an individual establish there identity.

Untraceable

Law enforcement agencies have been emphasizing the potential for bitcoin to be used in all manner of criminal enterprises. But in the US, by obtaining a warrant, they are typically able to get data from unencrypted conversations. Telegram has asserted that they will not comply with such warrants – that private conversations are private. However, even if Telegram changes its policy to allow warrant access, the Secret Chat function deletes any information passed via the self destruct feature making it the virtual Hawala system of Telegram.

For More on Cyber Crime Nexus: Liberty Reserve, Freedom Hosting and Silk Road

For More on Concealment Practices Among Cybercriminals & Terrorists

Using ‘Bots’

In addition to transactions that involve merely exchanging information, there are bots designed to facilitate the actual transfer of crypto-currency. The most publicized is Julia – an app dependent bot developed by GetGems to move funds to and from Coinbase accounts (Coinbase is a bitcoin “bank”).

The Telebit Bot

Another well-established bot – that operates entirely within Telegram – is Telebit. It is accessed by searching Telegram to find the bot (by entering “telebit” in the search box, then selecting @Telebit (Telebit Sender). The result looks like an empty chat, but as shown in the following images, sending the message “help” produces all of the information needed to access all the Telebit functions.

   

Creating Bots

Telegram encourages individuals to create new bots and there are already quite a few of these fund-transfer bots. The following Tweet is from the creator of another Telegram bot, who has developed a way to transfer the bitcoin value of phone minutes via a Telegram chat.

Numerous Outlets for Asset Transfer on Telegram

There are undoubtedly numerous other bots and informal fund transfer systems operating on Telegram. The use of Telegram and other messaging applications to transfer funds (and other assets of value) is expected to be a rapidly changing environment that will require constant monitoring. TRAC will provide regular updates regarding the rapid adoption of Telegram, as well as changes in the way it is utilized in support of terrorist communication and operations.

Cross Section of TRAC’s Archive

TRAC’s archive is consistently expanding, the 200+ channels have an estimated 150,000 ever-increasing total membership levels. The following is a cross-section of some of the more interesting accounts from the archive.

Image: 07 October 2015, Screen shot of Tweet advertising AQAP’s Telegram channel.

Must Be Directed to Channel Addresses

Its very important to note that Telegram channels are not easy to just “stumble upon,” account names are case sensitive and there is no autofill function to help one search for channels. Jihadis have been passing Telegram channel “addresses” so to speak a number of ways, advertising on Twitter accounts, advertising on specific Blogs like https://ansarukhilafah.wordpress.com/news-sources/, or advertising on specific websites like ISDARAT (mentioned above in Infrastructure section). Because Telegram was already widely used as an encrypted messaging application, it can be assumed that direct messaging was the initial way to spread new channel accounts. Like Twitter, the hash tag #function is operational on Telegram but the hashtags only work if you already subscribe to a channel.

Telegram Channel	Affiliation	Membership 10.29.2015	Icons
IS_new_2	IS	9,904
IS_new	IS	3,310
a3maqagency	IS	10,672
nasherislamicstate	IS – Arabic	11,195
Is_news_ru	IS – Russian	2,410
nashirislamicstateDE	IS – German	401
nashirislamicstateBN	IS – Bengali	240
nashirislamicstateINA	IS – Indonesian	1,451
nashirislamicstateEN	IS – English	1,264
nasherislamicstateFR	IS – French	424
nashirislamicstateKURDI	IS – Kurdish	111
nashirislamicstateIT	IS – Italian	4
nashierislamicstateBOS	IS – Bosnian	275
nasherislamicstateTR	IS – Turkish	287
nashirislamicstateUR	IS – Urdu	15
isyemen	IS – Yemen	858
ICA_ES	IS – Hacking	847
DabiQ	IS	3,337
isdarat_News	IS	786
isdarat1	IS	2,709
isdarat_is	IS	521
isdaraty	IS	615
isdarat_islamicstate	IS	1,319
KhilafahNews	IS	1,787
FURSANUpload	IS	3,349
Nashr4k	IS	1,112
azalkelafa11	IS	1,895
DarAlislam	IS	1,015
AQAPTV	AQAP	2,760
Rayareporter	ASL	726
allewaa6	FSA	25
AlnasarArmy	Al-Nasar Army	185
jaishalislam01	Jaysh al-Islam	2,047
GIMF_Channel	AQ aligned	1,072
doaat	Varied	6,369
JihadnewsCh	Varied	6,579
mujahednews	Varied	2,203
almonaseronn	Detainees	3,009
sawtaljihad	Varied	1,370
KhilafahTree	IS	1,093