umdctf
Task: a Telegram export from a seeded criminal-themed group had to be used to deanonymize the anonymous operator behind channel posts. Solution: pivot from the anonymous sticker pack name to the creator UID, correlate historical usernames and phone data, recover the real name Niklas Hofmann, then pull the final Germany record ID REC-9305174.
Organizer description was not preserved in the local task files used for this writeup.
The provided artifact was hades_export.json, a Telegram export for the private group Hades Group. The goal was to identify the real-world record tied to the anonymous operator account and recover the resulting flag. The Telegram bots and lookup services referenced below were fictional or seeded challenge infrastructure, not real investigative targets.
Export-only analysis already suggested that the anonymous channel28740651 account represented the group owner or operator: it handled moderation, queue control, pinning, and policy messages. Several public accounts had stylometric overlap with those anonymous posts, but the decisive clue was not writing style — it was an anonymous sticker message that exposed a unique sticker pack name.
The first useful finding in the export was that anonymous administrative actions and posts consistently came from:
from_id / actor_id: channel28740651
group name: Hades Group
This strongly suggested that channel28740651 was the account to deanonymize.
The key export artifact appeared at message id 56:
{ "type": "message", "from": "Hades Group", "from_id": "channel28740651", "media_type": "sticker", "sticker_set_name": "styx_reaction_pack", "file": "stickers/styx_reaction_pack_001.webp", "id": 56 }
That sticker pack name was the intended deanonymization pivot. The export alone did not directly map the anonymous channel to a person, but it did leak a unique object that could be traced through the challenge's seeded Telegram intelligence tooling.
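The export triage described above can be scripted. This is an added example, not part of the original writeup: the sample export is constructed (only message 56 mirrors the page) and the helper names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample in the shape of the export described above; only message 56
# mirrors the page, the other entries are made up for illustration.
SAMPLE_EXPORT = json.loads("""
{
  "name": "Hades Group",
  "messages": [
    {"id": 41, "type": "service", "actor": "Hades Group", "actor_id": "channel28740651", "action": "pin_message"},
    {"id": 42, "type": "message", "from": "member_a", "from_id": "user1000000001", "text": "queue status?"},
    {"id": 55, "type": "message", "from": "Hades Group", "from_id": "channel28740651", "text": "Queue is closed."},
    {"id": 56, "type": "message", "from": "Hades Group", "from_id": "channel28740651",
     "media_type": "sticker", "sticker_set_name": "styx_reaction_pack",
     "file": "stickers/styx_reaction_pack_001.webp"},
    {"id": 57, "type": "message", "from": "member_b", "from_id": "user1000000002",
     "media_type": "sticker", "sticker_set_name": "common_pack"}
  ]
}
""")


def sender_of(msg):
    """Messages carry from_id; service entries (pins, etc.) carry actor_id."""
    return msg.get("from_id") or msg.get("actor_id")


def anonymous_senders(export):
    """Count activity per channel-type sender, i.e. posts made as the group itself."""
    ids = (sender_of(m) for m in export["messages"])
    return Counter(i for i in ids if i and i.startswith("channel"))


def sticker_pivots(export, sender_id):
    """Return (message id, sticker_set_name) for every sticker posted by sender_id."""
    return [
        (m["id"], m["sticker_set_name"])
        for m in export["messages"]
        if sender_of(m) == sender_id
        and m.get("media_type") == "sticker"
        and m.get("sticker_set_name")
    ]


if __name__ == "__main__":
    for sender, count in anonymous_senders(SAMPLE_EXPORT).most_common():
        print(sender, count, sticker_pivots(SAMPLE_EXPORT, sender))
```

The same two functions double as a check on what an anonymous admin's posts leak: any non-empty result from `sticker_pivots` is metadata that survives the anonymous posting mode.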
Stylometric overlap existed between the anonymous operator and several visible group members, especially around queue-management language. However, those overlaps were suggestive rather than conclusive.
The stronger observation was structural:
- channel28740651 authored the anonymous posts.
- Message 56 was posted anonymously by that same account.
- That message used the sticker set styx_reaction_pack.

Because sticker packs often tie back to their creator or historical owner, this was a much better pivot than trying to prove authorship from phrasing alone.
Reviewing hades_export.json showed that the moderation and control messages came from channel28740651 under the display name Hades Group. This was the anonymous entity to trace.
The critical clue was anonymous message 56, which used the sticker set:
styx_reaction_pack
Querying the sticker intelligence bot with that sticker pack returned:
- Creator UID: 7816442093
- Historical usernames: @catchMeIfYouCan, @howDoYouLikeRecords, @styxrelay, @zeus_archive, and others
- Phone numbers: +52 55 5550 6104 and +81 70 5550 2941

This converted the anonymous sticker into a concrete Telegram user ID plus several historical aliases.
Among the returned aliases, @zeus_archive produced the key lead. Running SherlockTweaked on that account returned:
Username at lookup: @thanatos_signal
That gave a more current and more useful username pivot than the sticker bot output alone.
TGObserver on @thanatos_signal returned:
- Usernames: @erebos_lane, @thanatos_signal, @kerberos_spine
- Phone: +49 160 5550 7318

QuickOSINT on @thanatos_signal reinforced the same identity cluster:

- Phone: +49 160 5550 7318
- Name: Niklas Hofmann
- UID: 7816442093
- Username: @kerberos_spine

At this point the chain was consistent across sources:
styx_reaction_pack -> UID 7816442093 -> alias @zeus_archive -> current lookup @thanatos_signal -> phone +49 160 5550 7318 -> real name Niklas Hofmann
Querying Atlas / CountrySearch with Niklas Hofmann returned:
- Country: Germany
- Record ID: REC-9305174

Therefore the flag was:
UMDCTF{REC-9305174}
Anonymous owner posts in Hades Group -> from_id channel28740651 -> anonymous sticker message id 56 -> sticker_set_name styx_reaction_pack -> creator UID 7816442093 -> alias @zeus_archive -> SherlockTweaked: @thanatos_signal -> TGObserver / QuickOSINT: +49 160 5550 7318 -> QuickOSINT: Niklas Hofmann -> Atlas / CountrySearch: Germany, REC-9305174 -> UMDCTF{REC-9305174}