OSINT Toolbox Talk: Extracting online media and investigating ProtonMail and Twitter

OSINT Workflow

Applying effective OSINT to geo-monitor Russian military activity

Russian Military vehicles and tanks

Undoubtedly, tensions in east Europe have flared immensely following the increased deployment of Russian military personnel to the border areas with Ukraine. In one LinkedIn post, an esteemed intelligence professional enquired as to how can OSINT tools and processes be deployed in order to monitor the ongoing military situation, especially if (and when) Russia proceeds with a military incursion into Ukraine.

This OSINT Workflow by OS2INT has been produced to show one of many ways in which OSINT can be deployed to monitor the ongoing situation; specifically, on how we are able to geo-locate and monitor suspected Russian military movements within the area of the Soloti Military Deployment Area. However, we go even further by transferring our knowledge of Russian military manoeuvre to identify a likely key route which could be used by the Russian military in addition to various areas considered ‘key terrain’.

To achieve our objective, we need to call on several tools and resources:

  1. NodeJS, the open-source, cross-platform, back-end JavaScript runtime environment which can be downloaded from https://nodejs.org/en/download/
  2. Sublime Text, a commercial source code editor which can be downloaded from https://www.sublimetext.com/3
  3. Telegram Nearby Map, a NodeJS-based utility that uses OpenStreetMap and the official Telegram library to find the position of nearby users (with the use of the Telegram API). This utility can be cloned from https://github.com/tejado/telegram-nearby-map
  4. Google Earth, the Desktop application that will allow us to plot data points of interest and conduct trilateration of Telegram users identified with Telegram Nearby Map. This application can be downloaded from https://www.google.com/earth/versions/.

Selecting our target area

Clearly, the entire area where the Russian military has been deployed is far too large for us to analyse in one go. Instead, we have opted to focus on one military deployment area – or ‘staging area’ – from which the Russian military can manoeuvre on one likely primary axis into Ukraine – namely along the 14K-34 single carriageway. The military deployment area in question is the Soloti Military Deployment Area, located approximately 3kms northwest of Valuyki. Additionally, we know from conducting basic open-source research that a secondary military deployment area exists to the north of Valuyki, indicating the probability that this military deployment area could be used to manoeuvre on its own primary axis – the 14K-33 dual-carriageway.

Installing and configuring NodeJS

This step of the workflow is quite simple as all that is required is for you to navigate to https://nodejs.org/en/download/ to download the NodeJS executable file and then install it on your system as you would with any other program.

Telegram Nearby Map

So, the primary OSINT tool we shall use is Telegram Nearby Map, a very effective NodeJS-based utility that uses OpenStreetMap and the official Telegram library to find the position of nearby users (with the use of the Telegram API). The first thing we need to do is create a Telegram sock puppet and obtain our API credentials from my.telegram.org. We will then make a note of our API credentials so that we can use them.

Next, we clone Telegram Nearby Map from Github and save the repository files in our local drive. In the same location, we will open up the file config.example.js using Sublime Text and input our Telegram API credentials inside – we then save the file as config.js.

Geo-locating Telegram users using OSINT

Now we proceed to install Telegram Nearby Map by running NodeJS within our command-line interface (CLI). As we normally would, we change the directory to where we have stored the Telegram Nearby Map utility files and then proceed by invoking the command npm install.

OSINT tools for Telegram

Once installed, we can now run the utility by invoking npm start. At this stage, the utility will request our Telegram details such as the telephone number linked to the Telegram account, a verification code in addition to your password (should it be the case that you have two-factor authentication configured on your account). With Telegram Nearby Map now running, we can go ahead to open the web app by opening http://localhost:3000 in our browser window.

Monitoring Telegram users

With the Telegram Nearby Map web app now open in our browser, we will navigate the utility to the Russia – Ukraine border and place the target marker over the Soloti Military Deployment Area. Next, we need to configure the distance we intend to search – in our case, we opted for a search coverage of 50,000 metres, and then began the search.

Mapping Telegram users

This is now the tricky part! We must take note on how Telegram Nearby Map works. The utility will only show users that have activated the ‘Find People Nearby’ feature on their respective Telegram applications. This feature is turned off by default. So, we are not going to get full visibility of every single Telegram user positioned within the Soloti Military Deployment Area, only those who are broadcasting their location. The utility is also built with a trilateration feature which provides a more accurate location for each Telegram user. This trilateration feature is based on the method detailed by the Github user jkctech – comprehensive details regarding this process can be found via this link: https://github.com/jkctech/Telegram-Trilateration/tree/master/Trilateration. Quite simply, Telegram Nearby Map will run a search every 25 seconds from different points relative to the target location that we set (usually 350 metres apart). The search will run counter-clockwise around the target location.

For the trilateration process to work correctly, we need to identify a Telegram user from three separate search points and calculate the distance from the Telegram user to each of the search points – Telegram Nearby Map does this automatically for us. So when we first run the utility as shown in the illustration above, we only begin to see the locations of Telegram users after the third search is implemented. This process will continue to repeat itself until we see our map containing markers labelled with a number. Each Telegram user that is identified is assigned with a number, each of these identified users can be viewed on the sidebar located to the left of the Telegram Nearby Map utility. What will soon become clear is that clusters will begin to appear on our map; for example, we will see a marker labelled 28 in three separate positions located close to each other. At this point, we must use our analytical skills to assess whether this could indicate a moving Telegram user, or whether this is indicative of an impairment often associated with GPS reception – as detailed in a research paper by Henrik Blunck, Mikkel Baun Kjærgaard, and Thomas Skjødeberg Toftegaard from Aarhus University, Denmark, the paper can be read via this link: https://pure.au.dk/ws/files/93802633/Sensing_and_Classifying_Impairments_of_GPS_Reception_on_Mobile_Devices_.pdf. What the authors of this paper are pointing out is that the accuracy of GPS positioning can be affected by several factors, including physical surroundings. Essentially, in urban environments, we can expect that the trilateration of Telegram users can be more accurate against those positioned in rural areas. Considering that the Soloti Military Deployment Area is positioned in a rural and isolated area, we must take into account that the results of the trilateration will have a margin of error – though we can apply our own techniques to approximate the position of each Telegram user.

Russia - Ukraine Military Builduop

Going back to Telegram Nearby Map, as the tool is running, we should take note of the latitude and longitude of the search points within the command-line interface which have calculated the position of each Telegram user, we can then use this data in order to identify clusters which could be associated the margin of error associated with the GPS positioning or whether such clusters could indicate a moving Telegram user. To paint a more insightful picture in this regard, we will implement what we refer to as a ‘soaking period’ – where we will let the utility search across the target area for an extended period of time. In our case, we ran the utility over the course of a six-hour period. Then, we will manually plot our results on Google Earth in order to allow us to paint a more analysis-focused picture.

Plot the data on Google Earth

Unfortunately, Telegram Nearby Map doesn’t provide us with the capability to export collected data within a structured file format such as CSV or GeoJSON – so, we have to resort to manually plotting identified Telegram users onto Google Earth manually. Of course, this isn’t an accurate procedure, but we can do our best!

Once we have plotted our Telegram users into Google Earth, we can look at the results more thoroughly and apply our own analysis in order to identify stationary and moving targets.

The first cluster we will look at is for Telegram user number ’30’. In total, we have identified three location data points for this user, all of which are positioned close to each other along what is assessed to be a trunk road being possibly being used by military vehicles to transit in and out of the military deployment area. As we look closely, we can see that the location data points are positioned relatively close together, indicating the likelihood that this is a stationary Telegram user as opposed to one that is moving. The location of the Telegram user is interesting as they appear to be located on the side of the trunk road, possibly near a cut in the treeline running alongside the road. From this, it is possible that this Telegram user could be a sentry positioned on a vehicle checkpoint or is stationed in this location to assist with the movement of Russian military vehicles. The results of our inspection on Google Earth is shown below:

Russian military Soloti Military Deployment Area

Applying the same to other data points, we can begin to formulate our own tactical assessment of stationary activity taking place within the Soloti Military Deployment Area as shown in the illustration below:

Russian Army activity on the Russia - Ukraine border

Detecting movements

However, we soon notice instances where some Telegram users are positioned within an area located considerably further away from each other – this probably indicates movement taking place inside the military facility.

Russian Army 752 Motorised Rifle Regiment in Soloti

So, we can take this assumption and apply it to Google Earth by plotting the likely route taken by the Telegram user in question. Next, we need to determine whether this Telegram user is travelling by foot or by vehicle. To do this, we must remember that each search initiated by Telegram Nearby Map is made with 25-second intervals. So, we can take this information to estimate the approximate speed of the Telegram user. So, using Google Earth, we calculate the distance taken by the Telegram user from the three search location points used to triangulate the user’s location and repeat the process from start to finish.

Monitoring Telegram user movements

The end result (as shown in the illustration above) is that we can see that it takes the target Telegram user a total of 1 minute 15 seconds to move from the likely vehicle staging area to the main gate of the Soloti Military Deployment Area – covering an approximate distance of 1.5 kilometres. Now, we apply some basic math and divide the distance by time to arrive at the speed of 72 km/h. From this, we can confidently assume that the target Telegram user is travelling by vehicle.

Detecting significant military activity

So, by this stage, we have gained a good level of insight with regard to activity within the Soloti Military Deployment area. Now, we want to look at how OSINT utilities such as Telegram Nearby Map can be used in the event that military forces at the Soloti Military Deployment Area move forward from their staging post towards the border with Ukraine. To make an informed assessment, we have to rely on doctrinal publications which are based on Russian / Soviet tactical manoeuvre. For the British military veterans amongst us, the British Army publication GENFORCE – otherwise known as the Land Component Handbook comes to mind. However, we should point out that the majority of doctrinal papers are often vastly outdated, many core principles remain the same.

As we pointed out earlier in this workflow article, we identified the 14K-34 highway, located directly adjacent to the Soloti Military Deployment Area to be a likely key route. What we can see from looking closely at the route is that it is a single carriageway (two lanes). With this in mind, we can turn towards several Soviet / Russian military doctrine publications to deduce that Regiment-level formations require between one to two main routes in order to advance on their axis – this would corroborate open-source reports indicating that the 752nd Motorised Rifle Regiment is the formation that is positioned at Soloti.

Using doctrine, we can further point out key locations on the 14K-34 highway and potentially use Telegram Nearby Map to collect data from those areas – this is, of course, assuming that Russian military personnel have their personal devices (with Telegram installed) in their possession. Key locations include intersections from where engineer and military police elements would seek to ensure unhindered military movements in addition to clearings within the vicinity of the route that can be used to position forward-deployed electronic warfare and logistical elements in addition to other combat service support elements. For our benefit, we marked each of these areas on Google Earth.

Google Earth use in OSINT

So, we thought we should take a look to see whether we can identify any possible forward-deployed military elements – possibly providing route security – along the 14K-34 highway. We positioned Telegram Nearby Map near the town of Tulyanka.

Using Telegram to monitor possible military activity

Straight away, identified several Telegram users positioned within close proximity to key locations we have marked on Google Earth. Whilst we can not say with any level of confidence as to whether these individuals are indeed Russian military personnel – we can most certainly say that Telegram Nearby Map is undoubtedly an excellent utility that can be deployed should the Russian military launch an incursion into Ukraine.


So by now, we have demonstrated one of many tools and techniques that can be used to monitor military activity in relation to growing tensions between Russia – Ukraine – and the West. Whilst we must point out that the primary tool in this case – Telegram Nearby Map – may not be 100% accurate due to the science which lies behind GPS positioning. That said, it does provide a good overview of potential military activity over a given area. More importantly, it could be used as a tool to monitor tactical military movements in the event that the 752nd Motorised Rifle Regiment are deployed from the Soloti Military Deployment Area towards the international border with Ukraine. On a final note, a special thank you should go to Tejado, the developer behind Telegram Nearby Map for producing a fantastic tool that we believe has a wide range of use cases. For our readers, we encourage you to reach out to us if you would like advice or information regarding the training we can provide you in relation to using OSINT tools that are based on NodeJS and Python frameworks.


Let's talk today Are you ready to begin discussing our range of training and capability development solutions?