Telegram

ShadowMap monitors Telegram channels and groups used by threat actors and reposts the messages that mention your organization — your brand names, domains, or key personnel. Telegram has become a primary distribution channel for stealer logs, ransomware victim announcements, initial-access sales, carding, and hacktivist coordination, and it often surfaces this activity faster than traditional Tor-based forums.

Overview

The page is a triage queue. Each row is a single Telegram message that matched one of your monitored keywords, attributed to the channel it was posted in. Above the table you get a metrics strip (counts by status, new-this-week trend, top channel), an optional analytics panel (four charts), status tabs, full-text search and field filters, and a sortable, paginated table. Selecting one or more rows reveals a bulk-action bar; clicking a row opens a detail drawer; the detail page gives a focused, tabbed view of a single message.

Telegram sits in the Dark Web module alongside Data Breaches, Compromised Computers, Stealer Logs, and Discussions. Use it to catch mentions of your assets in the fast-moving channel ecosystem and to route the serious ones into investigation.

How it works

These are the mechanics you can't read off the UI:

  • Source. ShadowMap continuously ingests messages from a curated set of Telegram channels and groups associated with cybercrime — credential dumps, stealer-log resellers, ransomware leak announcements, access brokers, carding shops, and hacktivist coordination channels. The backend module that powers this view is internally named Morpheus.
  • Matching. A message lands in your queue only when its text matches one of your monitored keywords — brand names, domains, executive names, and other identifiers configured for your tenant. The matched terms are stored on the row and shown in the Keywords column and detail view, so you can see exactly why a message surfaced. A message with no keyword match never enters your queue.
  • Channel vs. message. A channel is the Telegram source (display name, @handle, subscriber count, link); a message is one post within it. The list is message-level — the same channel can appear on many rows. Use the Top Channel metric card or the Top Channels analytics chart to spot a channel that is repeatedly posting about you, which usually signals a campaign rather than a one-off mention.
  • Status is per-message and analyst-driven. New matches arrive as New (status value 0). An analyst moves a message to Investigating (2) while working it, or to Reviewed (1) to dismiss it. Status is set manually — there is no automatic scoring that closes rows. (Internally the "Reviewed" state is backed by the platform's false-positive constant; the product surfaces it as Reviewed because dismissing a row is not necessarily a claim that the mention is fake.)
  • No new scan to trigger. Ingestion runs on ShadowMap's schedule; you don't launch a scan from this page. New messages appear in the New tab as they are collected.
  • Date sorting. The table defaults to sorting by Message Date (messaged_at), newest first — i.e. the most recent Telegram posts about you are at the top.

Telegram is often the earliest signal

Because banned channels reappear within hours and posting is real-time, the same leak frequently shows up here before it reaches a Tor forum or a structured breach record. When you find a credential dump or stealer-log post mentioning your org, cross-check Stealer Logs and Data Breaches for the same data.

Understanding the data

Statuses

Three workflow states drive the tabs and the status badge on each row.

Tab            Row badge        Value   Meaning
New            Active           0       A fresh keyword match that no analyst has triaged. This is your inbox.
Investigating  Investigating    2       An analyst is actively working the message.
Reviewed       False Positive   1       Triaged and dismissed — irrelevant, benign, or already handled.

The tab is labeled Reviewed, but the badge on the row (and the "False Positive" metric card) still uses the underlying false-positive label for this state — they are the same status, value 1. The tab counts in the header come from the summary endpoint and update as you change statuses.

Columns

The table is column-customizable (the Customize Columns button in the header toolbar toggles visibility; your choice is remembered in the browser).

Column                        What it shows
Channel (channel_nice_name)   The channel's human-readable display name. Hover for the full value if truncated.
Handle (channel_name)         The channel's @username.
Message Preview (desc)        An excerpt of the message text; the full body is in the drawer and detail page.
Keywords                      The monitored terms that matched this message, as chips (first three shown, with a +N overflow indicator).
Date (messaged_at)            When the message was posted, shown as relative time. Default sort column.
Relevance                     A relevance indicator for the match.
Status (response_status)      The current workflow state badge. The badge text reads Active, Investigating, or False Positive (the dismissed state's underlying label) even though the matching tab is named Reviewed.

Additional fields appear in the detail views but not as list columns: Category (the channel's classification), Subscribers (channel audience size), and Channel Link (a direct URL to the Telegram channel).

Opening channel links

The detail views include a direct Channel Link to the Telegram channel. These open external, attacker-controlled spaces. Open them from a sandboxed or non-attributable environment, not your corporate identity.

Search and filters

The search bar combines a free-text search with structured field filters:

  • Full-text search — searches within message content.
  • Field filters — build conditions on:
    • Channel Name (channel_name) — the @handle.
    • Channel Display Name (channel_nice_name).
    • Keywords (dwi_keywords) — narrow to a specific monitored term.
    • Message Date (messaged_at) — a date range to focus on recent activity.
  • Bookmarked — the toolbar chip filters the current view to rows you have bookmarked (star icon).
  • View mode — toggle Compact / Expanded row density.

Filters are scoped to the active status tab, and switching tabs clears the applied filters. Sorting is available on any sortable column header.
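The mechanics described under "How it works", the status values in the Statuses table, and the tab-scoped search and field filters above can be modelled end to end in a few functions. The block below is an added example written for this page; it is not ShadowMap or Morpheus code. Field names (channel_name, channel_nice_name, desc, dwi_keywords, messaged_at, response_status) and the status values 0 New / 1 Reviewed / 2 Investigating are taken from the page. The monitored keywords, channels and messages are constructed sample data, and the matching rule (case-insensitive, not inside a larger word) is an assumption, since the page only says a message's text must match a monitored keyword.

```python
"""Toy model of the Telegram queue mechanics: keyword matching, analyst-set
status, newest-first ordering, tab counts / top channel, and tab-scoped
filtering. Added example, not ShadowMap code. Field names and status values
follow the page; keywords, channels and messages are constructed."""
import re
from collections import Counter
from datetime import datetime

STATUS_NEW, STATUS_REVIEWED, STATUS_INVESTIGATING = 0, 1, 2
STATUS_LABEL = {STATUS_NEW: "New", STATUS_REVIEWED: "Reviewed",
                STATUS_INVESTIGATING: "Investigating"}

# Monitored terms for a hypothetical tenant (constructed).
MONITORED_KEYWORDS = ["example.com", "ExampleCorp", "Jane Doe"]

# Constructed messages as they might arrive from the ingestion feed.
RAW_MESSAGES = [
    {"channel_name": "@logs_market", "channel_nice_name": "Logs Market",
     "desc": "fresh stealer logs, 200k lines incl. example.com corp creds",
     "messaged_at": "2024-05-02T09:15:00+00:00"},
    {"channel_name": "@access_shop", "channel_nice_name": "Access Shop",
     "desc": "selling VPN access to ExampleCorp network, pm me",
     "messaged_at": "2024-05-03T18:40:00+00:00"},
    {"channel_name": "@logs_market", "channel_nice_name": "Logs Market",
     "desc": "new batch: example.com and other .com domains",
     "messaged_at": "2024-05-04T07:00:00+00:00"},
    {"channel_name": "@random_chat", "channel_nice_name": "Random Chat",
     "desc": "anyone have the football scores?",
     "messaged_at": "2024-05-04T08:00:00+00:00"},
]


def match_keywords(text, keywords):
    """Monitored terms present in text (assumed rule: case-insensitive,
    not embedded in a larger word)."""
    return [kw for kw in keywords
            if re.search(r"(?<!\w)" + re.escape(kw) + r"(?!\w)", text, re.IGNORECASE)]


def ingest(raw_messages, keywords):
    """Build queue rows. A message with no keyword hit never enters the queue;
    every new row starts as New and the list is ordered newest first."""
    rows = []
    for row_id, msg in enumerate(raw_messages):
        hits = match_keywords(msg["desc"], keywords)
        if not hits:
            continue
        rows.append({**msg, "id": row_id, "dwi_keywords": hits,
                     "messaged_at": datetime.fromisoformat(msg["messaged_at"]),
                     "response_status": STATUS_NEW})
    return sorted(rows, key=lambda r: r["messaged_at"], reverse=True)


def set_status(rows, row_id, status):
    """Analyst action: the only way a row leaves New (nothing closes rows automatically)."""
    if status not in STATUS_LABEL:
        raise ValueError(f"unknown status value {status}")
    for row in rows:
        if row["id"] == row_id:
            row["response_status"] = status
            return row
    raise KeyError(row_id)


def summary(rows):
    """Tab counts plus the channel that posted the most matching rows."""
    by_status = Counter(STATUS_LABEL[r["response_status"]] for r in rows)
    by_channel = Counter(r["channel_name"] for r in rows)
    top = by_channel.most_common(1)
    return {"by_status": dict(by_status),
            "top_channel": top[0][0] if top else None,
            "top_channel_count": top[0][1] if top else 0}


def query(rows, tab_status, text=None, channel_name=None, channel_nice_name=None,
          keyword=None, date_from=None, date_to=None):
    """Tab-scoped search: free text over the message body, then field filters.
    date_from / date_to are ISO 'YYYY-MM-DD' strings (inclusive)."""
    out = []
    for r in rows:
        if r["response_status"] != tab_status:
            continue  # filters never reach across tabs
        if text and text.lower() not in r["desc"].lower():
            continue
        if channel_name and r["channel_name"].lower() != channel_name.lower():
            continue
        if channel_nice_name and channel_nice_name.lower() not in r["channel_nice_name"].lower():
            continue
        if keyword and keyword not in r["dwi_keywords"]:
            continue
        posted = r["messaged_at"].date().isoformat()  # ISO dates compare as strings
        if (date_from and posted < date_from) or (date_to and posted > date_to):
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    queue = ingest(RAW_MESSAGES, MONITORED_KEYWORDS)
    set_status(queue, 1, STATUS_INVESTIGATING)  # analyst picks up the access sale
    print(summary(queue))
    print([r["id"] for r in query(queue, STATUS_NEW, channel_name="@logs_market",
                                  date_from="2024-05-03")])
```

Two details are worth noticing when running it: the football message never becomes a row, because ingestion is keyword-gated, and the same channel (@logs_market) produces two rows, which is exactly the repeat-poster pattern the Top Channel metric is meant to surface.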

Detail view

Click any row to open the detail drawer on the right without leaving the list. It shows the channel name, a metadata grid (handle, category, message date, status), the matched keyword chips, the full message body, and the channel link. Use the chevrons to step prev/next through the list, or the open-in-new icon to jump to the full detail page. Message text is rendered as plain, pre-formatted text (no HTML execution) for safety.

The full detail page (open in new) presents three tabs:

  • Overview — handle, display name, category, message date, status, subscriber count, matched keywords, and the full message.
  • Evidence — the channel link (or a "no evidence links" state when none is available).
  • Comments — analyst comments and any attachments, with author and timestamp.

Taking action

You can act on a single message (row buttons or drawer) or on many at once (bulk-action bar, shown when one or more rows are selected).

Action              Where                           What it does
Mark Investigating  Row, drawer, detail, bulk bar   Sets status to Investigating.
Mark Reviewed       Row, drawer, detail, bulk bar   Sets status to Reviewed (dismiss).
Bookmark            Row star, list toolbar          Flags a message for follow-up; filter to bookmarks from the toolbar chip.
Comment             Row, detail Comments tab        Add internal notes (and attachments) for investigation tracking. Comment templates are available.
Assign              Bulk bar                        Assign selected messages to a team or person (or clear the assignee).
Share               Bulk bar                        Push selected messages to a connected integration (for example Slack, Teams, or a ticketing tool).
Export              Search bar, bulk bar            Export the current filtered set (or selection) as a downloadable file.
Select all          Table header checkbox           Select every row on the page for a bulk action.

Keyboard triage is supported on the list — j/k (or arrows) to move between rows, Enter to open detail, Space to select, Esc to close the drawer, and ? to show the shortcuts overlay.

A practical triage flow

  1. Read the match. Is it a credential dump, an access sale, a ransomware victim post, or just a passing brand mention?
  2. Set urgency. Active credential dumps and access sales mentioning your domains need immediate response; generic mentions may only need monitoring. Move the row to Investigating if you're working it.
  3. Cross-reference. Check Stealer Logs and Data Breaches for the same data — Telegram often precedes them.
  4. Watch the channel. A single mention can be the start of a broader campaign; a channel that keeps appearing in Top Channels warrants tracking.
  5. Document and route. Use comments and Share to create a paper trail and hand off to incident response, then mark Reviewed when closed.

Common questions

Why did this channel/message show up for me? Because the message text matched one of your monitored keywords (brand, domain, executive name, etc.). The matched terms are shown in the Keywords column and on the detail view.

Does ShadowMap join the channels or interact with them? No. This is passive monitoring — ShadowMap ingests and reposts matching messages. You read evidence here; any direct visit to a channel link happens in your own browser, so use a non-attributable environment.

What's the difference between Telegram and Discussions? Discussions covers forum-based dark-web threads (typically Tor-accessed and slower-moving). Telegram covers real-time channel/group messaging. Both watch for mentions of your assets; serious findings often appear on Telegram first.

Can I get a takedown of a channel? Telegram takedowns have limited effectiveness — banned channels frequently reappear under new names — but reporting branded impersonation is still worthwhile. Treat detection and IR routing as the primary value here.

Why is "Reviewed" backed by a "false positive" status internally? Historically the dismiss state used the platform's false-positive constant. The product label is Reviewed because dismissing a message isn't necessarily a claim that the content is fake — it just means it's been triaged and closed.

How do alerts work for new Telegram matches? New matches land in the New tab as they're ingested. Configure delivery (email, integrations, SLA timers) so the team is notified rather than polling the page. See Alerts.

Related pages

  • Stealer Logs — raw stealer output that is frequently distributed on Telegram first; cross-check matches here.
  • Compromised Computers — infected hosts behind the credentials and logs traded in these channels.
  • Data Breaches — structured breach records that Telegram posts often precede or accompany.
  • Discussions — forum-based dark-web monitoring; the complementary surface to Telegram channels.
  • Dark Web Overview — consolidated summary across all dark-web sources, including Telegram.
  • Alerts — route new Telegram detections to your team instead of polling the queue.

ShadowMap - External Attack Surface Management