At the 12th China International Police Equipment Expo held in 2025, the Third Research Institute of the Ministry of Public Security demonstrated a tool specifically designed for monitoring Telegram. According to reports from the South China Morning Post, this system has collected more than 30 billion pieces of information involving 70 million Telegram user accounts and 390,000 groups and channels.
This article aims to infer the underlying technical means from publicly disclosed information and to provide personal privacy protection guidelines for ordinary users who use this software legally.
In China's current digital governance system, Telegram, an encrypted communication tool widely used for overseas communication, anonymous collaboration, and information dissemination, has become a key monitoring target for national intelligence agencies. The 'Multi-dimensional Intelligence Analysis Terminal for Personal Extreme Behavior' demonstrated by the Third Research Institute of the Ministry of Public Security at the 12th Police Equipment Expo is a dedicated system developed for practical monitoring of Telegram. This is not a system that 'may have' technical capabilities, but one that is fully deployed and operational in real situations. It is a complete intelligence strike system that integrates network monitoring, social graph reconstruction, cross-platform data retrieval, behavior scoring, and device intrusion, aimed at 'systematically identifying, modeling, and intervening' against all Telegram users who touch sensitive content.
At the data collection level, this system has long been running large-scale automated crawling, using the Telegram Bot API and MTProto protocol interfaces to batch-register bot accounts that join all visible public groups and channels and then scrape, archive, keyword-extract, and semantically classify their content 24/7. These crawling activities do not require cracking any encryption protocol, because Telegram's public content is inherently open to the entire internet. The public security system builds a long-term historical chat database on centralized servers, establishes a regular 'active member rolling list' for groups tagged with labels such as politically sensitive, overseas contact, and religious radicalism, and feeds all users who have joined these groups into subsequent behavior modeling systems.
At the account identification level, all Telegram accounts registered with mainland China +86 phone numbers have been recorded and archived by the system's backend from the moment of registration. The system can directly call the telecom operator's real-name database to find out the name, ID card, address, and family relationship chain corresponding to that phone number. Even if users later change devices or phone numbers, the system can still re-identify and label them as 'old identity extension' through the residual device identification code (device fingerprint), language preferences, usage behavior, and contact intersections on Telegram. This mechanism means that any account registered with a Chinese identity can never completely escape tracking.
The system also has comprehensive cross-platform data fusion capabilities. The content and social networks of each Telegram user will be cross-modeled with behavioral data from major domestic platforms such as WeChat, Weibo, Taobao, Alipay, Baidu Search, Didi, 12306, etc. This process is executed by multimodal models commissioned by law enforcement agencies (such as semantic scoring systems based on the Dify framework). The system will label users with different tags such as 'political dissent type, cross-border gang type, online mobilization type, dissemination node type,' based on keywords, semantic structure, emotional characteristics, frequency of repeated expressions, and provide precise risk scores. Users who reach the intervention threshold will be automatically pushed to the 'multi-department joint crackdown list.'
In terms of in-depth control over target users, the following extreme measures have not been verified for ordinary users, but still warrant caution:
SIM card hijacking (SIM Swap): Through cooperation with carriers, law enforcement agencies can transfer the user's phone number to a blank card controlled by the law enforcement department, thereby obtaining the Telegram verification code, forcibly logging in, and taking control of the account.
Third-party client Trojan injection: Pushing 'localized' or 'optimized' Telegram clients to target users, obtaining all device permissions upon startup, extracting chat records from the system cache, and returning them to a designated intelligence server.
Social engineering phishing: Posing as an administrator, friend, or Bot to send simulated page links, inducing users to input verification codes or passwords, directly stealing authorization tokens (session tokens).
Open account control and manual verification: Using overseas personnel to penetrate and join target groups in Telegram, manually screening, recording, and cross-referencing users with high activity, frequent speech, or strong dissemination capabilities.
In addition, for online tracking, law enforcement agencies can establish joint data exchange interfaces with telecom operators such as China Telecom, China Mobile, and China Unicom to access the DPI (Deep Packet Inspection) system in real time. Although Telegram's MTProto protocol traffic is encrypted, its connection frequency, VPN entry and exit points, and IP revisit characteristics can still be identified. When users connect to Telegram servers multiple times within a short period, or repeatedly access specific VPN nodes, the system will immediately tag them as 'active in circumventing censorship' and automatically scrape records of the groups and channels they accessed, establishing a continuous trajectory of their behavior patterns.
Based on the integration of all the above capabilities, the Third Research Institute of the Ministry of Public Security and its subordinate units can now achieve the following effects on Telegram users:
Fully grasp the user's public behavior content;
Clearly identify the user's true identity and behavioral background;
Record communication trajectories and social graphs over the long term;
Implement targeted account control, real-time behavior monitoring, and even account hijacking on specific users;
Completely bind online behavior to real identity through cross-platform data correlation.
For subjects classified as key personnel, this system can pull their chat content history at any time, view their device location, freeze their involved virtual assets, output complete risk reports, and distribute them for coordinated handling by cybersecurity, criminal investigation, and national security departments.
In the face of such a highly integrated and comprehensive technical intelligence system, ordinary users who still believe that Telegram is an absolutely anonymous and secure communication platform may face the real risk of identity exposure and content restoration. The real risk does not come from what has been said, but from being quietly categorized into a predictable and intervenable group within the system, subject to systematic observation, classification, scoring, and monitoring.
In fact, most governments around the world are doing this, and this article will not elaborate further.
Therefore, if you are an ordinary user who has already immigrated, there is no way to tell this system 'I have immigrated, please do not monitor me', so the following solutions are proposed.
Register a new account and completely avoid using +86 phone numbers for registration.
Obtain client software only from the official telegram.org website.
Enable the 'Secret Chat' feature.
Always use a two-step verification password to prevent hijacked logins.
Do not discuss sensitive content in public groups or join channels with explicit political topics.
Regularly clean chat records, exit suspicious groups, and be wary of any unknown accounts claiming to provide free circumvention tools.
In summary, this system has indeed achieved almost full-link, all-element, all-strategy monitoring and intelligence collection in the field of Telegram. If users do not actively understand this technical logic and fundamentally improve their usage strategies, relying solely on Telegram's own encryption mechanisms is far from sufficient to ensure the privacy of their communications and the security of their identities.
Disclaimer
The content of this article is based on information disclosed through public channels, public reports, and technical principles, generated automatically by AI, for research, education, and information security popularization purposes only, and does not constitute any political stance or legal advice. The system descriptions, functional deductions, and strategic suggestions mentioned in the text do not represent the author's endorsement, support, or engagement in any related activities.