xmr.club

Telegram OPSEC — using a doxxable app without doxxing yourself

Telegram treats your phone number as the master identifier, indexes your contacts against its server, and stores cloud chats unencrypted from its own perspective. None of that makes it private. But it's also where every no-KYC exchange, every bridge operator, every Monero project actually congregates — refusing to use it is refusing to participate. So the question isn't "should I use Telegram" but "how do I use it without handing over my SIM, my real name, and my last-seen timestamp to anyone who asks?" Below: the seven failure modes that catch people in practice, and what each one costs to defend against.

What Telegram actually encrypts

Treat “Telegram is encrypted” the same way you treat “Gmail is encrypted”: transport is TLS, storage is AES, but Telegram holds the keys to your default chats. The threat model that matters — server compromise, subpoena, employee curiosity — is not addressed by default.

  • Cloud chats (the default for everything). Server-side encrypted at rest. Telegram can read every message. Subpoena-able in any jurisdiction Telegram has infrastructure in. Synced across all your devices, indexed for search, retained until you delete them.
  • Secret chats. Real E2E. Device-pinned, no sync, no forwarding. Available only in 1:1 DMs, not in groups, not in channels, not in bots. Optional self-destruct timer.
  • Groups and channels. Never E2E. Always cloud. A 1000-member “privacy” group on Telegram is one subpoena away from full disclosure.
  • Voice / video calls (1:1). E2E via MTProto with key-fingerprint emojis both sides should verify on first call.

Signup — the phone number is the master ID

You sign up with a phone number and Telegram uses it as your account identity forever, even after you set a username. The number you choose at signup is the most consequential OPSEC decision on the platform.

  • Real SIM — lowest friction, maximum dox. Anyone who knows your number gets directly to your account; carrier compelled-disclosure leaks who you are; SIM swap = account takeover. Acceptable only if you already accept Telegram knowing your real identity.
  • Long-lived VoIP — JMP.chat (Bitcoin/Monero payable, XMPP-backed), MySudo, or a prepaid in a friendly jurisdiction. Account is anchored to a number you control independently of your real identity. Survives 2FA-recovery flows because you still own the number months later.
  • One-shot SMS — 5sim, sms-activate, etc. You receive the activation code once, then the number recycles. Account works, but: lose 2FA password = no recovery path. Use for throwaway / single-purpose accounts you can afford to abandon.
  • Anonymous numbers on Fragment. Telegram’s own TON-priced number marketplace. Functionally pseudonymous, but you’re paying in TON on a public ledger and the number is still on the Telegram network — useful for compartmentalization, not for state-level anonymity.

The four casual leaks: username, photo, last-seen, contacts

Default visibility settings are too permissive on every Telegram client. The fix is one settings sweep: it takes five minutes and prevents the most common dox routes.

  • Phone number. Default “My Contacts”. Set to Nobody. Side effect: people who already have your number in their phonebook can still find you via reverse-lookup unless you also disable “Find me by my number” — do both.
  • Last seen + online status. Default visible to contacts. Anyone who DMs you can infer your sleep schedule and rough timezone. Set to Nobody; you can carve out exceptions per contact.
  • Profile photo. A real face = automatic OSINT identifier. Reverse-image search collapses alt accounts the moment they share a photo. Use a generic image, abstract art, or no photo at all for high-OPSEC accounts.
  • Username. If @handle matches your X / GitHub / Reddit handle, the account is already doxxed by definition. Pick a fresh handle per identity, or skip the username entirely and accept being addressable only by the auto-generated user ID.
  • Bio. Links to your other handles are graphable. Don’t advertise the connection — even “https://t.co/foo” in your bio undoes the rest of the work.
  • Contact sync. Off, always. Default behavior pulls your phonebook and matches every saved number against the Telegram graph — if a colleague with your real number ever installs Telegram, your alt account gets surfaced to them as “Possible Contact”.

Secret chats vs cloud chats — and the timer mistake

If you need real E2E inside Telegram, you need a Secret Chat. They are not the default and people regularly forget.

  • Starting one. Open the target user’s profile → menu → Start Secret Chat. New thread alongside the cloud one. Compare the key-fingerprint emojis on first message — verifies you’re not talking through a MITM that intercepted the handshake.
  • Device-pinned. Secret chats do NOT sync across devices. Switching from phone to desktop = new secret chat with new keys. This is by design; multi-device key management would weaken the guarantee.
  • Self-destruct timer. Both sides auto-delete N seconds after read. Useful, but: the timer does NOT prevent screenshots, OCR, or copy-paste before it fires. Treat it as “reduces accidental persistence”, not “stops a determined other party”.
  • Where secret chats don’t fit. Groups and channels are never E2E — a “private” 50-person group is still cloud-stored. For those conversations, move to SimpleX / Session / Signal and treat the Telegram group as the rendezvous channel, not the conversation channel.

Multi-account compartmentalization

Telegram supports up to 3 accounts per install (mobile) and more via Premium / desktop. Use this aggressively — one account per identity surface is the OPSEC equivalent of separate email aliases.

  • One number per account, full stop. A public “founder” account on your real SIM, a community account on a JMP number, a trading account on a Fragment anonymous number. Never re-use phone numbers between identities.
  • Don’t share photos, bios, or styles across accounts. The same emoji-pattern in two bios is enough for a casual observer to correlate. Same profile photo collapses everything via reverse-image.
  • Network attribution still matters. Never log into the alt-account from a network linked to your real identity (home wifi, office IP) without Tor or a multi-hop VPN. Telegram retains a “country / region” for each session and your IP lands at the data center even if the chat content doesn’t.
  • Never message between your own accounts using your own contacts list. Telegram’s contact-graph features (“Possible Contact”, “Mutual Contact”) will out the connection to anyone with both numbers in their phonebook.
  • Don’t paste alt-account text into LLM tools. Anything you send to a third-party AI with telemetry on may retain timestamps that correlate against your real-identity usage of the same tool.

Sticker, file, and forwarded-message metadata

Telegram strips less metadata than people assume. The defaults leak in ways you can’t see from the UI.

  • Forwarded messages keep their source link. “Forwarded from John” follows every re-forward by default — paste-forward to the wrong channel and you’ve doxxed John. Fix: Settings → Privacy → Forwarded Messages → Nobody. Your forwards will then appear as anonymous quotes when re-forwarded.
  • Photo vs File. Telegram strips EXIF on uploads sent as “Photo” (with the compression toggle on), but PRESERVES it on uploads sent as “File”. Drag-in a JPEG and pick “Send as File” → GPS coordinates, camera serial, and edit history go with it. Send as Photo unless you specifically need byte-exact transmission.
  • Stickers. Every custom sticker pack has a creator. A pack you uploaded under your real account is publicly attributable forever. For OPSEC accounts, use only built-in packs or re-upload existing packs from a throwaway account.
  • Documents. PDFs from Word, screenshots from macOS, photos from a stock Android camera all carry author / device metadata. Run them through exiftool -all= before sending if the recipient isn’t already trusted.
  • Voice messages. No filename leak, but voice prints are stable identifiers — same speaker across an alt and a real account is detectable. If you’re running compartmentalized identities, text-only is safer.
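
The "Photo vs File" and "Documents" points above come down to which segments ride along inside the file. As an added example (not part of the original guide), this standard-library Python code lists and removes the metadata segments of a JPEG before it is sent as a File. It handles JPEG only and is not a replacement for exiftool; the function names and the sample bytes are constructed for illustration.

```python
import struct

def seg(marker, body):  # helper: build one length-prefixed segment for the sample
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed container skeleton (not a viewable photo): SOI, JFIF, EXIF stub, comment, SOS, EOI.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xE1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00\x00\x00")
          + seg(0xFE, b"constructed comment")
          + seg(0xDA, b"\x00" * 6) + b"\x12\x34\xff\xd9")

def segments(jpeg):
    """Yield (marker, start, end) for header segments up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated segment")
        yield marker, pos, end
        if marker == 0xDA:  # SOS: compressed image data follows, stop parsing
            return
        pos = end

def is_metadata(marker):
    # COM and APP1..APP15 are dropped (this includes APP2 ICC colour profiles);
    # APP0 (JFIF) and APP14 (Adobe colour transform) are kept so the image still renders.
    return marker == 0xFE or (0xE1 <= marker <= 0xEF and marker != 0xEE)

def describe(jpeg):
    """Return a label for every metadata segment present, in file order."""
    found = []
    for marker, start, end in segments(jpeg):
        body = jpeg[start + 4:end]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            found.append("EXIF")  # GPS, camera serial, timestamps live here
        elif marker == 0xE1 and body.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            found.append("XMP")   # edit history, creator tool
        elif is_metadata(marker):
            found.append("COM" if marker == 0xFE else f"APP{marker - 0xE0}")
    return found

def strip_metadata(jpeg):
    """Copy the file without metadata segments; image data after SOS is kept byte-for-byte."""
    out, last = bytearray(b"\xff\xd8"), 2
    for marker, start, end in segments(jpeg):
        if not is_metadata(marker):
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])
```

Run `describe()` on the stripped output before sending: an empty list is the check that nothing was left behind.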

Login codes, SMS interception, and the 2FA password

Default login uses SMS, and SMS is the weakest link in the entire stack. Hardening here is the single highest-ROI fix on Telegram.

  • SS7 interception. Works against any carrier, anywhere, today. State-level adversaries (and well-funded private ones) can pull a Telegram login code without touching your phone. Already-disclosed and not patchable at the protocol level.
  • SIM swap. The civilian-tier attack. Social-engineering at the carrier → port your number to an attacker SIM → attacker requests Telegram login code → full account takeover. Very common in 2026.
  • The defense. Settings → Privacy → Two-Step Verification. Now logins require BOTH the SMS code AND your chosen password. SIM swap alone becomes insufficient.
  • Recovery email. Use an alias (SimpleLogin / AnonAddy / Tutanota), not your real address. The recovery email is stored at Telegram and visible to support staff. An alias compartmentalizes the leak.
  • Active sessions. Settings → Devices. Review weekly; “Terminate” anything unrecognized. Set Session Auto-Terminate to 1 month so abandoned tablets / laptops don’t linger as decade-old footholds.

Account deletion — what actually purges

Telegram’s deletion behavior is more nuanced than “messages disappear”. Know what survives before you depend on the kill switch.

  • Cloud chats. Messages from your side are removed for both parties when you delete the account. Messages the other party sent you are also removed from both sides.
  • Secret chats. Already removed via timer or manual delete; account deletion is final.
  • Channels you created. If there are other admins, ownership transfers to a top admin and content stays online. Sole-admin channels go orphaned but remain visible until Telegram garbage-collects them (weeks to months).
  • Username + phone number. Released after a delay (~weeks) and may be re-claimed by other users. Signing up again with the same phone number gives you a fresh account, NOT recovery of the deleted one.
  • Auto-delete on inactivity. Settings → Privacy → Delete My Account → If Away For. Set to 1–6 months. If you go dark, the account self-destructs without you having to log back in to trigger it — ideal for high-risk accounts where confiscation of your device shouldn’t mean access to a year-long archive.
  • Per-chat auto-delete. Settings → Privacy → Auto-Delete Messages → 1 day / 1 week / 1 month. The single most under-used hardening on Telegram. Lets you keep using the app without accumulating a multi-year archive that gets dumped if the account is compromised.

When Telegram is the wrong tool, period

Some conversations don’t belong on Telegram regardless of how much hardening you apply. Three categories to migrate elsewhere:

  • Anything subpoena-sensitive. Telegram cooperates with court orders in some jurisdictions; cloud chats are recoverable. If the conversation would be a problem if subpoenaed, it belongs on SimpleX / Session / Signal, not in a Telegram group.
  • Groups where you don’t know every participant. You’ve implicitly consented to whatever data-collection any participant runs. Bots, scrapers, screenshotters — all in scope. Treat any group over ~20 members as effectively public.
  • Bot interactions for sensitive services. Anything financial, identity-related, password-reset — the bot operator sees every message and the back-end logs are rarely E2E. Bots are convenience, not security.

Telegram is the right tool for: public channels, community discussions, async low-stakes coordination, broadcast announcements. It is the wrong tool for anything where the threat model includes the platform itself. The fix is not to leave — it’s to use the right channel for each conversation.

Picks

  • JMP.chat — Long-lived VoIP phone number (US/CA), accepts SMS for Telegram signup. Bitcoin/Monero payable, XMPP-backed, no ID. Survives 2FA-recovery flows because the number stays yours.
  • 5sim — One-shot SMS for throwaway signups. Cheap, fast, no account binding — use for accounts you can afford to abandon if you lose 2FA recovery.
  • SimpleLogin — Alias email for the Telegram 2FA recovery slot. Compartmentalizes: Telegram stores the alias, not your real address.
  • SimpleX Chat — Where to move conversations that don’t belong on Telegram. No phone number, no user ID, no server-side metadata — the strongest counter-design.