Geogramint – An OSINT geolocalization tool for Telegram

Geogramint is an OSINT tool using the Telegram API to locate users and groups near a given point, developed by Alb310 of Projet FOX. Inspired by Tejado’s Telegram Nearby Map OSINT tool, which is no longer maintained, it aims to provide a more user-friendly alternative.

Geogramint finds the approximate location of Telegram users and groups around the stored coordinates, within radii of 500m, 1km, 2km and more.

How the tool works

Telegram Nearby Map, the inspiration for Geogramint, was a NodeJS-based OSINT tool developed by Tejado. The tool used the Telegram API to extract the locations of nearby users and report them on an OpenStreetMap interface. The tool allowed digital investigators to locate users within a specified distance of a given point. Once launched, the tool would repeat a search every 25 seconds and report new and pre-existing users on the map, while providing the exact distance of the targets from the original location to triangulate them. However, as Telegram updated its API to decrease the accuracy of its “Nearby” feature, Telegram Nearby Map became obsolete and was not maintained by its author.

Telegram Nearby Map interface

Geogramint, a Python-based OSINT tool, provides a more user-friendly alternative. The tool also uses the Telegram API to extract the approximate position of users and groups around a given point in perimeters of 500m, 1km, 2km and more. The tool allows you to enter coordinates via the OpenStreetMap interface, makes an API call via Telethon on this basis, and in return gets the set of users and groups in the vicinity whose “Nearby” function has been activated. The tool then downloads their profile pictures, if available, and displays the results.

Geogramint interface

It is important to mention that, like Telegram Nearby Map, Geogramint can only detect Telegram users who have enabled the “Nearby” feature in their Telegram app – by default, this feature is disabled. The tool does not automatically triangulate the location of detected users and groups as Telegram Nearby Map did.

Geogramint can be used for OSINT investigations applied to conflict zones, dangerous areas, remote locations or sensitive facilities. It should be noted that according to Telegram, more than 700 million users are active monthly, opening up a vast field of possibilities around the world.

Geogramint can be downloaded here!

As an illustration, we use Geogramint in three concrete cases covering strategic areas of interest in Ukraine, Venezuela and Iran. We will emphasize how the results obtained can be exploited in combination with classical OSINT methods.

Russian base in Chaplynka, Ukraine

Satellite image of the Russian base of Chaplynka in Ukraine: 46.34488434614635, 33.54157111211887

On July 3, 2022, Benjamin Pittet, also known as Coupsure, noticed on satellite images that an airfield in the city of Chaplynka in Ukraine was still being used as a military base by the Russians.

This airfield has been used as a military base since the beginning of the Russian invasion, as shown by Maxar satellite images from March 2022. 

In addition, Tim Ehrhart, ArtisanalAPT, confirmed that this base is still used by the Russian military by exploiting higher-resolution satellite images.

It is therefore certainly a place where Geogramint can be decisive in confirming the hypothesis of a Russian presence in real time and in finding more information. We start our research on July 29, 2022:

46.34488434614635, 33.54157111211887

Of all the users and groups detected in the area, some are within the perimeter of the Russian base. We can confirm that, according to Telegram, these users are:

These users were detected within a 500m radius around the coordinates: 46.34488434614635, 33.54157111211887

We will focus on one of the users who has a username:

We will name him Alek to preserve his identity. We start by mining his Telegram profile. We immediately notice that he was recently logged in and has four profile pictures, which can help us better identify his other social networks.

Upon further research, we find his Instagram account under the same pseudonym as his Telegram account. Similarly, on his Instagram account, we find his first and last name – identical to those put on Telegram.

Alek is probably a soccer fan: he has posted many photos and videos with his ball since the creation of his account. We also note that his last post was on January 2, 2022, before the Russian invasion of Ukraine. We also find on his Instagram account one of his Telegram profile pictures.

One of the videos posted on his account can be geolocated using classic GEOINT methods.

With the help of Google Lens, Google’s image recognition tool, we get this link among the results. So we learn that it is probably the “Стадион им. Гагарина”, that is, the “Im. Gagarin Stadium”. Visiting the link, we get the coordinates of the stadium.

Moreover, the images on the Google Maps page of the stadium confirm that it is indeed this stadium.

The video was geolocated in Snezhinsk, Chelyabinsk Oblast, Russia: 56.09356599253964, 60.73532333115896

Taking into account, in addition, the videos on his Instagram account in which he speaks Russian, we can say with more certainty that Alek is not Ukrainian but Russian. It is therefore very likely, given the various other reports about the Russian base in Chaplynka, that Alek is a soldier involved in the Russian invasion and is currently, at the time of writing, stationed at the Chaplynka base in Ukraine.

We could certainly exploit further the other results given by Geogramint in this practical case, but for this article we will stop here.

Fuerte Tiuna, Venezuela

Satellite image of Fuerte Tiuna, Venezuela

Fuerte Tiuna is the name given to one of the most famous military installations in the city of Caracas and in the South American country of Venezuela.

It is home to important institutions of different types, such as the headquarters of the Ministry of People’s Power for Defense, the EFOFAC, the General Command of the Army, the El Libertador firing range, the Army Food Center, the Military Circle of Caracas, the Paseo Los Próceres, the Bolívar Battalion, the La Viñeta residence, the official residence of the Vice President, and some units of the Venezuelan Military Academy.

It houses not only military structures but also sports, urban, cultural and financial spaces, most notably the Tiuna City Complex, a set of thousands of housing units built under the auspices of the Ministry of Housing, and the Carlos Raúl Villanueva Residences assigned to military personnel.

This is the kind of sensitive military installation where Geogramint can be of interest. We start our search on July 18, 2022:

10.452344, -66.911173

Among all the users detected in the area, we can visually confirm from their profile pictures that many are Venezuelan military personnel. Here are some of them:

We will focus on two of them in order to deepen the research:

We will name the first one Rama and the second Hugo to preserve their identities.

Let’s start with Rama. You can see on his profile picture that he is wearing an officer’s uniform and not military fatigues like the majority of the users in the area.

Thanks to Geogramint, we have his full name. Let’s start by identifying his rank and the branch of the Venezuelan army to which he belongs. 

Comparing the insignia on his shoulders with those on the Wikipedia page of Venezuelan military ranks, we notice that he is a “Sargento mayor de tercera de la Aviación Militar Bolivariana”, third class sergeant major of the Bolivarian Military Aviation of Venezuela.

Insignia on Rama's uniform
Venezuelan military ranks - Wikipedia

We now know that Rama is a sergeant major third class and that he is in the Venezuelan Air Force.

Let’s try to find one of his social networks. We start with a simple Google search with his first and last name. We quickly find a Facebook account with the same last name, a military man in the profile picture, and a diminutive of Rama as the first name.

We quickly see that it is the right person, but the photos are older. In his Facebook profile picture, he is wearing military fatigues. We can see the same rank on his collar as on his uniform.

On his profile, there are several photos of him, some of which were taken when he was still a sergeant major second class.

We could dig even deeper, but we’ll move on to the second user, Hugo.

Unlike the first user, Hugo is wearing a field uniform in his profile picture. Thanks to Geogramint, we have his full name.

Let’s try to find one of his social networks. As before, we start with a simple Google search with his first and last name. We come across his Facebook account, where he has posted many pictures of himself in field uniform, in combat training and even in operations.

We also find the photo that he posted as a Telegram profile picture.

Among the many photos, we find one in which he wears a dress uniform. So we can also try to identify his rank and branch of the Venezuelan army.

Comparing the insignia on the shoulders with those on the Wikipedia page as before, we notice that he is a “Teniente del Ejército Nacional de la República Bolivariana de Venezuela”, lieutenant in the national army of the Bolivarian Republic of Venezuela.

We now know that Hugo is a lieutenant and that he is in the Venezuelan Army.

We could certainly exploit further the other results given by Geogramint in this practical case, but we will stop here.

Iran's nuclear program

Iran’s nuclear program is an ongoing scientific effort by Iran to master nuclear technology to the point where it can be integrated into its weaponry. Iran has several research sites, two uranium mines, a research reactor and uranium processing facilities, including three known enrichment plants.

There is growing concern about Iran’s nuclear program. The International Atomic Energy Agency fears that Iran’s latest actions will deal a “fatal blow” to the JCPoA treaty, which calls for Iran’s international reintegration in exchange for a verifiable freeze on its nuclear program.

Iran’s nuclear program facilities are the kind of places where Geogramint can be of interest, given that they are the source of growing tensions in the Middle East.

In this section, we will initiate research on three sensitive facilities.

The Saghand uranium mine

32.303806782754286, 55.52715370548853

Saghand, the first uranium mine in Iran, became operational in March 2005. The deposit is estimated to contain 3,000 to 5,000 tons of uranium oxide at a density of about 500 ppm over an area of 100 to 150 square kilometers.

We start our research on July 27, 2022:

32.30082853538944, 55.522938478829644

We find four users in the area, within 500m of our point:

Thanks to Geogramint, we have the usernames of three of them as well as a full name.

Our research was not conclusive except for the fourth user, in whose biography we found a link to a Telegram channel.

It is a Persian Telegram channel with 9,800 subscribers publishing only images around the theme of “profile pictures”.

In addition, a username is inscribed on our target's profile picture. This time it is not a Telegram account but an Instagram account, probably his own.

We thus come across an Instagram account with more than 68,500 followers that only posts images around the theme of romance.

The information found here will probably not be of further use to us. So we move on to another installation.

Natanz nuclear facility

33.724823667831764, 51.72584932922439

Natanz is a fuel enrichment plant covering an area of 100,000 square meters, built 8 meters underground and protected by a 2.5-meter thick concrete wall, which is itself protected by another concrete wall. It is located near Natanz, the capital of Natanz County in Isfahan Province, Iran. In 2004, the roof was hardened with reinforced concrete and covered with 22 meters of earth. The complex consists of two halls of 25,000 square meters and a number of administrative buildings. This once-secret site was one of two sites exposed by Alireza Jafarzadeh in August 2002.

According to the IAEA, in 2009, about 7,000 centrifuges were installed at Natanz, of which 5,000 were producing low-enriched uranium.

We begin our research on July 27, 2022:

33.72537298825002, 51.72522192297408

We can only find one user within the perimeter of the installation, without a profile picture or a username. So we can’t dig any further.

There is less access to 2G, 3G or 4G networks at these coordinates, so it is logical that we do not find any users there, especially since, as said before, the installation is mainly underground.

We therefore proceed to the analysis of the last installation.

Bushehr Nuclear Power Plant

28.829746965342288, 50.88626725678741

The Bushehr nuclear power plant is located 17 kilometers southeast of the city of Bushehr on the Persian Gulf. Construction began in 1975, but was halted in July 1979 due to the Iranian revolution. The reactor was also damaged by Iraqi air strikes during the Iran-Iraq war in the mid-1980s. Construction did not resume until 1995, when Iran signed a contract with Russia’s Atomstroyexport to install a 915 MWe VVER-1000 pressurized water reactor in the existing Bushehr I building. In December 2007, Russia began delivering nuclear fuel to the Bushehr NPP. Construction was finally completed in March 2009.

On September 23, 2013, operational control of Bushehr was transferred by Russia to Iran. In November 2014, the two countries signed an agreement to build two new nuclear reactors at this site, with an option for six more later at different locations. Construction of these first two reactors officially began on March 14, 2017.

We begin our research on July 28, 2022:

28.82965857070601, 50.89128470361256

Since the search area is large, we launch several searches on different coordinates.

Three searches, each with a 500m radius

Here are the users we are sure are located within the nuclear power plant perimeter:

The research was not conclusive for the majority of users, except for the first:

We will name him Ali to preserve his identity. Thanks to Geogramint, we have his username and his profile picture. On his profile picture, we also find his username with a car in the background.

We start by trying to find his social networks. We quickly come across his Instagram account with the same username, whose bio mentions the city of Bushehr, the locality where the nuclear power plant is located.

We notice that Ali offers tattoo services and is passionate about cars and motorcycles.

On one of his posts, Ali has indicated his phone number, suggesting that his clients contact him via WhatsApp.

On WhatsApp, we find a profile picture linked to this phone number in which several men pose in front of a mosque. We don’t know yet what Ali looks like, so we can’t identify him in the photo.

Digging deeper on his Instagram profile, his first post mentions another account belonging to him: “Old anchor tattoo main page @#######”.

We deduce that the account we had discovered was in fact his second account dedicated to tattoos.

Once on his main account, we start to find much more interesting information.

We find a photo taken in the same place as his WhatsApp profile picture, but this time with more people. Similarly, we find his Telegram profile picture.

More interesting: several photos show Ali in military fatigues and a video of him even shows him with a weapon.

The uniform Ali is wearing is similar to that of the Islamic Revolutionary Guard Corps, IRGC. We therefore initially assumed that he could be one of their militiamen in charge of protecting the Bushehr nuclear plant.

Field uniform of the Islamic Revolutionary Guard Corps

Searching more on his main account, we find a closer shot of Ali and his uniform:

By flipping the image horizontally to read the crest on his shoulder, we finally learn that he is a member of a police force, obviously assigned to secure the Bushehr nuclear facility.

Through further research, we get confirmation that the uniform identified in his pictures is indeed that of the Iranian police, although it is almost identical to that of the pasdaran.

Illustration of the Iranian police

We can therefore conclude that Ali is obviously engaged in the Iranian security forces, most likely in a section assigned to secure the Bushehr nuclear facility. In addition to his work, he is also a tattoo artist and has a strong passion for cars and motorcycles. In addition to his alias, we now have his phone number, photos of him, his full name and his position at the Bushehr nuclear facility.

We could certainly make more use of all the data now available to us, but all this is more than enough to demonstrate the potential of using Geogramint in areas of strategic interest and the extent of the information made available by this tool.

I hope you have enjoyed these demonstrations of Geogramint. I developed this tool when Telegram Nearby Map stopped working properly, so that it could be used by all types of OSINT investigators in their research and allow them to access real-time information that is normally much less accessible through traditional methods.

I thank Gryzz and Spidacr, my teammates from Projet FOX, for their help in writing this article.

by Alb310