umdctf
Task: a Telegram export from a seeded criminal-themed group had to be used to deanonymize the anonymous operator behind channel posts. Solution: pivot from the anonymous sticker pack name to the creator UID, correlate historical usernames and phone data, recover the real name Niklas Hofmann, then pull the final Germany record ID REC-9305174.
Organizer description was not preserved in the local task files used for this writeup.
The provided artifact was hades_export.json, a Telegram export for the private group Hades Group. The goal was to identify the real-world record tied to the anonymous operator account and recover the resulting flag. The Telegram bots and lookup services referenced below were fictional or seeded challenge infrastructure, not real investigative targets.
Export-only analysis already suggested that the anonymous channel28740651 account represented the group owner or operator: it handled moderation, queue control, pinning, and policy messages. Several public accounts had stylometric overlap with those anonymous posts, but the decisive clue was not writing style — it was an anonymous sticker message that exposed a unique sticker pack name.
The first useful finding in the export was that anonymous administrative actions and posts consistently came from:
from_id / actor_id: channel28740651
group name: Hades Group
This strongly suggested that channel28740651 was the account to deanonymize.
The key export artifact appeared at message id 56:
{
  "type": "message",
  "from": "Hades Group",
  "from_id": "channel28740651",
  "media_type": "sticker",
  "sticker_set_name": "styx_reaction_pack",
  "file": "stickers/styx_reaction_pack_001.webp",
  "id": 56
}
That sticker pack name was the intended deanonymization pivot. The export alone did not directly map the anonymous channel to a person, but it did leak a unique object that could be traced through the challenge's seeded Telegram intelligence tooling.
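The export-only steps above can be scripted, shown here as an added example that is not part of the original writeup: tally activity by channel-prefixed sender ids, then list the sticker sets that only that identity used. The sample export, the user ids and the function names are constructed for illustration; the field names are the ones visible in the message 56 excerpt.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of the export described above; only the
# sticker message (id 56) mirrors the page, the other records are made up.
SAMPLE_EXPORT = json.loads("""
{"name": "Hades Group", "messages": [
 {"id": 12, "type": "service", "action": "pin_message",
  "actor": "Hades Group", "actor_id": "channel28740651"},
 {"id": 41, "type": "message", "from": "member_a", "from_id": "user1001",
  "media_type": "sticker", "sticker_set_name": "common_pack"},
 {"id": 55, "type": "message", "from_id": "channel28740651",
  "media_type": "sticker", "sticker_set_name": "common_pack"},
 {"id": 56, "type": "message", "from": "Hades Group",
  "from_id": "channel28740651", "media_type": "sticker",
  "sticker_set_name": "styx_reaction_pack",
  "file": "stickers/styx_reaction_pack_001.webp"}
]}
""")

def sender_id(msg):
    """Regular messages carry from_id; service actions carry actor_id."""
    return msg.get("from_id") or msg.get("actor_id")

def anonymous_activity(export):
    """Count messages and service actions authored by channel* identities."""
    counts = Counter()
    for msg in export["messages"]:
        sid = sender_id(msg)
        if sid and sid.startswith("channel"):
            counts[sid] += 1
    return counts

def exclusive_sticker_sets(export, anon_id):
    """Sticker sets used by anon_id and by no other sender, with message ids."""
    users = defaultdict(set)   # set name -> sender ids that used it
    where = defaultdict(list)  # set name -> message ids sent by anon_id
    for msg in export["messages"]:
        name = msg.get("sticker_set_name")
        if msg.get("media_type") != "sticker" or not name:
            continue
        users[name].add(sender_id(msg))
        if sender_id(msg) == anon_id:
            where[name].append(msg["id"])
    return {n: ids for n, ids in where.items() if users[n] == {anon_id}}

if __name__ == "__main__":
    anon = anonymous_activity(SAMPLE_EXPORT).most_common(1)[0][0]
    print(anon, exclusive_sticker_sets(SAMPLE_EXPORT, anon))
```

A pack that other members also use (common_pack in the sample) is filtered out, so only a set unique to the anonymous identity is reported as a linkable object.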
Stylometric overlap existed between the anonymous operator and several visible group members, especially around queue-management language. However, those overlaps were suggestive rather than conclusive.
The stronger observation was structural:
channel28740651 authored the anonymous posts.
Message 56 was posted anonymously by that same account.
styx_reaction_pack....