UNCLASSIFIED // FOR OFFICIAL USE ONLY

15 October 2019 [email protected] | 407-858-3950 Bulletin #: 19-10-107

Open Source Intelligence Bulletin

Central Florida Intelligence Exchange
Brevard ⋆ Indian River ⋆ Lake ⋆ Martin ⋆ Orange ⋆ Osceola ⋆ Seminole ⋆ St Lucie ⋆ Volusia

(U//FOUO) Use of Telegram by White Supremacist Extremists

(U) Scope

(U//FOUO) This bulletin was created by the Central Florida Intelligence Exchange (CFIX) to provide background
on the use of Telegram by White Supremacist Extremists (WSEs), to include countermeasures currently being
employed in response to censorship of their accounts. A comparison of WSE and Islamic State of Iraq and ash-
Sham (ISIS) usage of Telegram will also be highlighted. This information is intended to support local, state and
federal government agencies along with the private sector in developing / prioritizing protective and support
measures relating to existing or emerging threats to homeland security.

(U) First Amendment Acknowledgement

(U) The CFIX recognizes that Americans have constitutionally protected rights to assemble, speak, and petition
the government. The CFIX safeguards these rights and reports on only those activities where the potential use
of rhetoric and/or propaganda could be used to incite individuals to carry out acts of violence. Additionally,
potential criminality exhibited by certain members of a group does not negate the constitutional rights of the
group itself or its law-abiding participants to exercise their individual liberties under the First Amendment to
the U.S. Constitution. Unless specifically noted, the social media reporting in this product originated from users
whose affiliation and credibility are unknown and are included for the purpose of providing broad trends in
online behavior and situational awareness for federal, state, local, tribal, and territorial counterterrorism and
law enforcement officials and private sector security partners.

(U) Overview

(U//FOUO) As seen with ISIS, Telegram has become increasingly

popular with WSEs due to frequent suspensions and censorship of
their accounts across multiple social media platforms. The content
being shared by WSEs is typically the same as what they are sharing
on other platforms such as Gab and Twitter (i.e. propaganda,
tactical guidance, promotion of violence, etc.). Although WSEs
believe they will eventually be removed from Telegram, they have
encouraged their followers to get as much use out of the platform
as they can while they still have access.

(U//FOUO) Currently, WSEs are able to maintain relatively extensive

networks of public channels some of which have thousands of
members with minimal disruptions. Telegram has been criticized
extensively by critics saying that the platform functions as an “echo

HANDLING NOTICE: This information is the property of the CFIX and may be distributed to federal, state, local, tribal, and territorial counterterrorism and
law enforcement officials and private sector security partners. This document contains sensitive information FOR OFFICIAL USE ONLY that cannot be
released to the public, the media, or other personnel who do not have a valid "need-to-know" without prior CFIX approval.

UNCLASSIFIED // FOR OFFICIAL USE ONLY

 UNCLASSIFIED // FOR OFFICIAL USE ONLY

CFIX OPEN SOURCE INTELLIGENCE BULLETIN

chamber” for both ISIS and WSE users. However, Telegram’s handling of ISIS versus WSE content is vastly
different. Telegram administrators rarely remove WSE content, and typically only for high-profile accounts or
posts that have received extensive media attention. In contrast, ISIS channels posting similar content continue
to be removed regularly. With the recent increased media reporting on WSEs usage of Telegram, they have
employed countermeasures, many of which mirror those used by ISIS, to maintain their presence on the
platform.

(U) What is Telegram?

(U//FOUO) Telegram is an encrypted messaging app where users can send messages, photos, videos and files
of any type and is most well-known in the violent extremist realm for its use by ISIS as a primary point of
distribution for their propaganda. Telegram is available for Android, iPhone/iPad, Windows Phone, along with
PC, Mac and Linux desktop versions. Users can access their messages simultaneously from all of their devices.
All content on Telegram is encrypted using a combination of 256-bit symmetric AES encryption, 2048-bit RSA
encryption and Diffie-Hellman secure key exchange. Additional features include:
.
 (U) Public and private groups that can have up to 200,000 members
 (U) Public broadcast channels that can have an unlimited number of subscribers
 (U) Animated gif search, photo editor and open sticker platform
 (U) Secret chats with end-to-end encryption and self-destructing messages
 (U) Audio-calls

(U) ISIS versus WSE Use of Telegram

(U//FOUO) Current WSE activities on Telegram are reminiscent of 2015 ISIS usage, as are some of the
countermeasures being employed. As such, methodologies used to track and identify ISIS networks on
Telegram could potentially be used to identify WSE networks. ISIS began using Telegram in September 2015
when Telegram introduced public broadcast channels, which is the primary feature being exploited by WSEs at
this time. The primary uses of Telegram for both WSEs and ISIS include:

 Sharing Propaganda: Both ISIS and WSEs have utilized Telegram as a means to share various types of
propaganda. Most of the channels focused on propaganda distribution are created as read-only, where
members can join, but are unable to post content. Some but not all of the original content shared on
Telegram makes it way to other platforms.

 Library Archives: Both ISIS and WSE use Telegram as an archive for publications and videos. Files
uploaded directly to Telegram are available to users as a direct download. Files uploaded to Telegram
are saved in the cloud, making them accessible until the channel is taken down. ISIS users are also
using the TGhost bot which allows users to upload a file and receive a download link. The files are
never deleted and are always available for download, preventing them from losing the content when
their channels are removed. At this time, TGhost hasn’t been mentioned by WSE users, however it is
possible that they are using the bot as well.

 Advocating Violence: Both ISIS and WSEs use their Telegram channels to advocate and incite violence
from their networks. This activity can be observed daily, however, increases significantly during a
terror attack. During recent attacks, users in both ISIS and WSE Telegram networks can be seen trying
to determine whether or not the attack is being carried out by one of theirs. With recent attacks, WSE
Telegram users have shared the attackers’ manifestos and livestreams, as well as celebrating the
attackers with memes, hashtag campaigns and videos.

UNCLASSIFIED // FOR OFFICIAL USE ONLY

 UNCLASSIFIED // FOR OFFICIAL USE ONLY

CFIX OPEN SOURCE INTELLIGENCE BULLETIN

 Tactical Guidance: Both ISIS and WSEs maintain channels that provide
tactical guidance. For ISIS, they have used channels such as “Just Terror” and
“Lone Mujahid” to provide guidance for lone wolf attacks, and others that
provide physical and online operational security (OPSEC) guidance. WSEs also
have several channels that provide OPSEC guidance, suggestions for targeting,
bomb making, weapons, general survivalist skills, etc.

 Focused Networks: There are numerous WSE channels on Telegram, some of

which have been have organized into their own focused networks. For
example, one of the more popular networks identifies itself as “Terrorgram”.
The Terrorgram network consists of channels that support James Mason’s
Siege Culture and groups such as Atomwaffen Division, Feuerkrieg Division,
Sonnenkrieg Division, The Base, etc. Another popular network is “Fashwave,”
which is a network of channels focused on the development of WSE memes.
Although the majority of these channels are publically accessible, these
networks are somewhat insulated. ISIS supporters have also created insulated
networks for English-speakers such as the Baqiyah Family network and
Greenb1rds, amongst various others.

(U) Account Removal and Censorship

(U//FOUO) ISIS’s presence on Telegram received extensive media coverage following the use of its official
Arabic-language channel to claim credit for the November 2015 attacks in Paris. In response, Telegram
administrators released a statement advising that they were reviewing all reports regarding public Telegram
broadcast channels being used by ISIS. With their public channels being removed, ISIS transitioned to private
chat groups, where they operate almost exclusively at this time.

(U//FOUO) Although Telegram continues to suspend their accounts regularly, ISIS and their supporters are still
able to maintain a significant presence on the platform. However, their use of Telegram is driven more by
necessity rather than an actual fondness for the platform. The primary complaint from pro-ISIS users about
Telegram is that it limits their ability to reach a wider audience and identify potential recruits.

(U//FOUO) WSEs usage of Telegram has begun to receive more attention over the last several months. Most
notably, WSE Telegram channels received media coverage following some of the recent attacks such as the 3
August 2019 shooting in El Paso, Texas, and the 9 October 2019 shooting in Halle, Germany. Whereas ISIS-
affiliated accounts may have only a few hundred subscribers due to constant suspensions, many WSE accounts
currently have thousands. Although many of these WSE channels contain content that incites violence, at this
time the channels are rarely removed and instead are censored or shadowbanned. In contrast, ISIS channels
with similar content are removed on a daily basis.

 (U//FOUO) Shadowbanning: Public channels on Telegram can be indexed and found in a general
search. When a WSE channel is shadowbanned, the content is blocked from the public online
community. A name search for a shadowbanned channel will bring back no results and the
administrators for these channels don’t immediately know that their channel has been banned. The
shadowbanning has no effect on subscribers of the channel. Additionally, new users are still able to
join these channels by clicking hyperlinks shared by other WSE channels they have subscribed to.

 (U//FOUO) Censorship: In June 2019, Apple and Microsoft began blocking certain public WSE channels
due to “Hate Speech” violations. Users trying to access certain channels would receive the following
message “Unfortunately, this channel couldn’t be displayed on your device because it violates Apple

UNCLASSIFIED // FOR OFFICIAL USE ONLY

 UNCLASSIFIED // FOR OFFICIAL USE ONLY

CFIX OPEN SOURCE INTELLIGENCE BULLETIN

[Microsoft] App Store Review Guidelines, section 1.1.1.” It has not been made publicly available as to
how the determination is made as to which channels are censored.

(U//FOUO) Even with the censorship and shadowbanning of their accounts, subscriber numbers for WSE
channels continue to increase. The most significant increase in subscriber counts can be observed following an
attack. In comparison, following an ISIS-inspired or directed attack, ISIS affiliated channels are suspended en
masse. Other factors have contributed to increased subscribers numbers, such as the removal of 8chan
following the El Paso shooting and the release of media reports referencing WSEs use of Telegram, as many of
these articles provide channel names.

(U//FOUO) Like ISIS, WSEs have also commented that much of the information shared on Telegram is not
making its way to other publicly accessible networks, limiting their reach. They believe that the censorship of
their accounts is amplifying this issue. They also believe that because of the censorship, they are being
“kettled,” which they defined as a police tactic for confining a group to a small space. They have encouraged
their users to develop countermeasures to maintain their presence on Telegram, but to also continue their
efforts on other, more visible platforms.

(U) Countermeasures

(U//FOUO) Like ISIS, WSEs are continually employing new countermeasures in attempts to minimize the
disruption of their online recruitment and propaganda distribution efforts. Once Telegram began censoring
their channels, WSE users began posting warnings of the “war on Telegram” and providing guidance on how to
maintain their presence on this platform. In efforts to maintain their Telegram channels, WSE users are
employing many of the same countermeasures that have been somewhat successful for ISIS and their
supporters:

 (U//FOUO) Back-Up Accounts: WSE Telegram users have begun setting up primary channels along with
reserve accounts. The reserve accounts are typically created using
the exact same name as the primary channel, followed by a
numeric (i.e. fashwave1, fashwave2, etc.). Others have attempted
to create reserve accounts using a slight variation in the spelling
of the original channel name. These back-up accounts are running
concurrently as mirror images of the original channel as a means
to bypass censorship and shadowbanning. This countermeasure is
also used extensively by ISIS and their supporters.

 (U//FOUO) Shout-outs: When a new channel is established on Telegram, WSE users are providing
shout-outs within their existing channels. They are also promoting their Telegram channels via their
accounts on other platforms such as Twitter and Gab. This countermeasure is also used by ISIS and
their supporters.

 (U//FOUO) Private Chat Groups: In response to the blocking of their public broadcast channels, WSE
Telegram users have started creating semi-private chat groups. Unlike the public broadcast channels
where content can be viewed regardless of whether a user follows the account, users must “join” the
chat groups in order to view the content. The chat group names are not searchable and Telegram users
must be provided with the specific “telegram.me/joinchat” URL to access the group. In most instances,
WSEs are still attempting to maintain their public channels and have created the private channels as a
back-up. This was a countermeasure used by ISIS when their public channels began being removed. ISIS
currently operates almost exclusively in private chat groups.

UNCLASSIFIED // FOR OFFICIAL USE ONLY

 UNCLASSIFIED // FOR OFFICIAL USE ONLY

CFIX OPEN SOURCE INTELLIGENCE BULLETIN

 (U//FOUO) Vetting New Members: With recent events and media attention on WSEs usage of
Telegram, many users have stopped accepting new members to their groups without proper vetting to
prevent journalists, law enforcement, and others from infiltrating. Admins for some of the public
channels are contacting new members through the secure message feature on Telegram for vetting
purposes. Others are providing invite links directly to those they would like to have as members.
Individuals attempting to use the invite link who did not receive it from the group’s admin are declined
access. This countermeasure is also used by ISIS.

 (U//FOUO) Use of Bot Channels: Instead of subscribing to the actual WSE channel, users subscribe to a
particular Telegram Bot Channel that has been created to aggregate posts from various channels into
one feed. Once a user has subscribed to the bot channel, they enter the URL for all of the public WSE
channels they are interested in viewing content from. Viewing the posts through the bot channel in
lieu of joining the individual channels allows WSEs to bypass the Apple and Microsoft censorship. Bot
channels are also utilized extensively by ISIS; however, this particular type of bot cannot be used with
private channels.

 (U//FOUO) Use of Nicegram: WSEs have encouraged mobile users to download the Nicegram app in
place of the Telegram Messenger app. Nicegram has all of the same functionality as the Telegram app
with additional features such as allowing a user to switch between 7 accounts instead of the 3 allowed
by the Telegram Messenger app. WSE users have advised that channels censored by Apple and
Microsoft can be viewed on these devices through Nicegram.

(U) Outlook and Implications

(U//FOUO) In spite of the persistent suspension of their accounts across various platforms, social media
continues to be an effective tool used by WSEs. As their accounts continue to be censored by Telegram, WSEs
will continue to develop new countermeasures in an attempt to maintain their public presence on the
platform. Although their intent is to remain in the public realm in order to attract new recruits, like ISIS, they
will likely continue to shift to private insulated networks to maintain some type of online presence. Many of
the countermeasures currently being used by WSEs mirror those used by ISIS. As such, it is possible that by
reviewing historical and current methodologies and countermeasures used by ISIS to maintain their online
presence, future actions of WSEs online usage can be predicted.

(U) Reporting Notice

(U) The Central Florida Intelligence Exchange is providing this bulletin for situational awareness. For comments
or additional information on this product, please contact the Central Florida Intelligence Exchange (CFIX) at 407
-858-3950 or [email protected].

(U) Tracked By: HSEC-8.8, HSEC-8.8.3, CFIX-1.3, CFIX-1.6, CFIX-2.3, CFIX-10.3, CFIX-10.4

(U) Sources

1. (U) Telegram; “Telegram Faq”; https://telegram.org/faq; accessed on 22 JUL 2019.

2. (U//FOUO) CFIX; Cyber Intelligence Bulletin; “Islamic State Employs Countermeasures to Maintain its
Presence on Telegram”; 20 NOV 2015; overall document classification is U//FOUO.

3. (U//FOUO) CFIX; Based on CFIX’s review of publicly available social media of ISIS and WSE networks, 2015-
2019.

UNCLASSIFIED // FOR OFFICIAL USE ONLY