đŸ”Ŧ
intro
  • đŸ’ģSummary
  • 🧑‍đŸ’ģMe
  • 🟠Investigation
    • 👁ī¸â€đŸ—¨ī¸Reconnaissance
  • 🔴The Evidence
    • 🔍Evidence #1
    • 🔍Evidence #2
    • 🔍Evidence #3
    • 🔍Evidence #4
    • 🔍Evidence #5
    • 🔍Evidence #6
    • 🔍Evidence #7
    • 🔍Evidence #8
    • 🔍Evidence #9
    • 🔍Evidence #10
    • 🔍Evidence #11
    • 🔍Evidence #12
  • đŸŸŖTracking Down
    • đŸ’ģIP Addresses
    • đŸ‘ŋThe Telegram Admins
  • đŸŸĸThe Break
    • 🤝The Marketing Agency
    • 🙈The People
    • 📞Phone Numbers
  • 🟤Concslusion
    • ℹī¸Final Words
  • âšĢDo Your Part
    • đŸ‘ĢHelp Thy Neighbor
  • 🟡Bonus Info
    • 📉Snowfall Scam
Powered by GitBook
On this page
  1. Tracking Down

The Telegram Admins

Matching Admins with IPs

PreviousIP AddressesNextThe Marketing Agency

Last updated 2 years ago

I wanted to ensure that the admins were indeed working at the WeWork office, so I created a fake news article similar to the ones they release regularly. The only difference is that this one contained fake negative press. I shared it with all admins simultaneously, and every link I shared with every admin had a different unique ID at the end of the URL, which I assigned to an admin username on an excel sheet. This allowed me to match admin usernames with IPs.

I got a few hits before they realized it was a means to expose their data. The notorious Telegram admin called Eddie quickly went into damage control, advising every admin not to visit the article. It's ironic that he actually said that I'm doing something illegal when he's behind multi-million dollar rug pull scams.

And this is what I managed to pick up:

Username: Hamidola28 Display Name: Hamid | NEVER DM FIRST. IP: 105.113.16.123 Location: Nigeria

The above is a new IP that I never picked up before. We all know what Nigeria means in the scam world. There's no other country in the world more associated with scams than Nigeria.

Username: Harry_Orbeon Display Name: Harry (WILL NEVER DM FIRST) IP: 80.235.222.154 Location: Lewisham, UK

This one is a direct hit. If you did not recognize the IP yet, let me refresh your mind. This is the Virgin Media Limited IP that I tracked via an email sent to devops@orbeonprotocol.com. We now know that Harry_Orbeon is actually part of the fake "development team" and has direct access to the DevOps email and unrestricted access to the platform to issue tokens, meaning he is directly involved in the scam.

Username: SiennaOrbeon Display Name: Sienna Orbeon | Never DM First IP: 213.86.221.106 Location: London, UK

Username: alexorbeon Display Alex Orbeon IP: 213.86.221.106 Location: London, UK

Another direct hit. This is the WeWork IP. Therefore, Sienna and Alex operate from the WeWork 30 Churchill Place London, England E14 5EU office.

Username: Sean_Orbeon Display Name: Sean Orbeon IP: 104.28.30.131 (IPR) Location: London, UK

This one is an iCloud Private Relay IP, meaning that Sean opened the link from his iPhone.

The scammers are under the impression that using Telegram is a safe way to stay anonymous. What they don't know is even the most privacy-centric platforms have to comply with stringent laws, as Telegram found out on November 2022.

It is important to note that Telegram was forced to share user data, including IP addresses of the Group admins, even after the groups were deleted, for copyright infrigenment reasons.

The app operator was forced by a Delhi High Court order to share the data after a teacher sued the firm for not doing enough to prevent unauthorised distribution of her course material on the platform. Neetu Singh, the plaintiff teacher, said a number of Telegram channels were re-selling her study materials at discounted prices without permission.

Getting to real people behind copyright infringement through Telegram wasn't hard. A single teacher did it. Getting to crooks behind multi-million dollar scams should be a walk in the park for authorities in the UK and other countries.

đŸŸŖ
đŸ‘ŋ
LogoTelegram shares users' data in copyright violation lawsuitTechCrunch