What this signal monitors
Telegram channel monitoring for events in SignalGuard's Chatter pillar surfaces threat-adjacent posts from a curated allowlist of public Telegram channels. The channels that matter to live-event security tend to be: protest coordination feeds, ticket-resale flippers, counter-demo organizers, and football-firm chat. Since the platform crackdowns on Facebook and WhatsApp groups in 2022-2024, the coordination layer that used to live there has migrated heavily to Telegram — meet-points, OPSEC chatter, "no phones on" instructions, ticket face-value listings, and DM-proof posts.
This is the operator-curated channel allowlist signal. For broader threat-channel discovery and message search, see the companion signal /docs/signals/telegram-threats.
Data sources
Telegram has no official public search API for channel content, so SignalGuard uses a two-stage approach. Today: an RSSHub gateway. Each allowlisted channel is exposed as an Atom/RSS feed at ${RSSHUB_BASE}/telegram/channel/{handle}. Operators can self-host RSSHub or point at a public instance. Configuration is TELEGRAM_RSSHUB_BASE plus TELEGRAM_CHANNELS (comma-separated handles).
Later: GramJS (MTProto) for richer metadata — forwards, view counts — once user-account credentials and rate-limit headroom justify the operational complexity. The RSSHub path covers 90% of the operational need at near-zero cost.
Locked operational rules: channels are allowlisted via env var only, never discovered-and-crawled (which would be a scope-creep and consent problem); raw message bodies are never persisted to disk; one request per channel per 5 minutes, sequential not parallel, to stay polite to whatever RSSHub instance is in front.
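The allowlist and pacing rules above, sketched as an added example (not SignalGuard's own code). It assumes `TELEGRAM_CHANNELS` is passed in as a string, that the handle pattern below is an acceptable validity check, and that `fetchFeed` and `onFeed` are hypothetical callbacks supplied by the caller.

```javascript
const POLL_INTERVAL_MS = 5 * 60 * 1000; // one request per channel per 5 minutes

// Assumption: public handles are 5-32 chars of [A-Za-z0-9_] starting with a letter.
const HANDLE_RE = /^[A-Za-z][A-Za-z0-9_]{4,31}$/;

// Parse TELEGRAM_CHANNELS into a de-duplicated list; reject anything that
// could alter the request path (slashes, dots, query strings).
function parseAllowlist(raw) {
  const accepted = [], rejected = [];
  for (const item of (raw || "").split(",")) {
    const handle = item.trim().replace(/^@/, "");
    if (!handle) continue;
    if (!HANDLE_RE.test(handle)) rejected.push(handle);
    else if (!accepted.includes(handle)) accepted.push(handle);
  }
  return { accepted, rejected };
}

// Build the RSSHub feed URL for one allowlisted handle.
function feedUrl(base, handle) {
  if (!HANDLE_RE.test(handle)) throw new Error("handle not allowlist-safe");
  return `${base.replace(/\/+$/, "")}/telegram/channel/${handle}`;
}

// Channels whose last request is at least POLL_INTERVAL_MS old (or never made).
function dueChannels(handles, lastPolled, nowMs) {
  return handles.filter(
    (h) => !lastPolled.has(h) || nowMs - lastPolled.get(h) >= POLL_INTERVAL_MS
  );
}

// Sequential, never parallel: each fetch is awaited before the next starts.
// The feed text is handed to onFeed and then dropped; nothing is written to disk.
async function pollOnce(cfg, lastPolled, fetchFeed, onFeed, now = Date.now) {
  for (const handle of dueChannels(cfg.handles, lastPolled, now())) {
    lastPolled.set(handle, now()); // record the attempt even if it fails
    try {
      onFeed(handle, await fetchFeed(feedUrl(cfg.base, handle)));
    } catch (err) {
      onFeed(handle, null, err.message);
    }
  }
}
```

Log the `rejected` list at startup so a mistyped or malformed allowlist entry is visible to the operator rather than silently skipped.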
How SignalGuard scores severity
Telegram posts have no title/body split — every message is a body — so classification runs against the full text. The vocabulary is the Reddit/Bluesky base list extended with Telegram-specific lexicon: high tier adds /\bno\s+phones?\b/, /\bOPSEC\b/, /\bmeet\s*point\b/, /\boutnumber/, /\bpre[-\s]?match\b/ — operational coordination signals that on Telegram are usually higher-severity than the universal violence vocabulary, because the worst signals here are coordination, not aftermath. Medium tier adds /\bburner\b/, /\bface\s*value\b/, /\bDM\s*proof\b/, /\bfirm\b/ — fraud and football-firm-adjacent lexicon.
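The tiering described above, as an added example (not SignalGuard's own code) that shows tier precedence and how the word boundaries behave on look-alike text. The case-insensitive flag is an assumption, and the Reddit/Bluesky base list is not shown on this page, so only the Telegram-specific additions are included.

```javascript
// Telegram-specific additions exactly as listed above. The "i" flag is an
// assumption; the base vocabulary is omitted because the page does not list it.
const TIERS = [
  { tier: "high", patterns: [/\bno\s+phones?\b/i, /\bOPSEC\b/i, /\bmeet\s*point\b/i,
                             /\boutnumber/i, /\bpre[-\s]?match\b/i] },
  { tier: "medium", patterns: [/\bburner\b/i, /\bface\s*value\b/i,
                               /\bDM\s*proof\b/i, /\bfirm\b/i] },
];

// Classify the full message text (no title/body split). Returns the highest
// matching tier plus the matched terms, never the message body itself.
function classify(text) {
  const hits = [];
  for (const { tier, patterns } of TIERS) {
    for (const re of patterns) {
      const m = re.exec(text);
      if (m) hits.push({ tier, term: m[0].toLowerCase().replace(/\s+/g, " ") });
    }
  }
  const severity = hits.length ? hits[0].tier : "none"; // TIERS is ordered high first
  return { severity, terms: hits.map((h) => h.term) };
}

// Sample posts: the first is the example quoted on this page, the rest are
// constructed for illustration (not real channel content).
const SAMPLES = [
  "meet point: 0700 outside Starbucks on Main",
  "2 tickets, face value, DM proof available",
  "Burner only. No phones on once we move.",
  "our law firm is hiring paralegals", // benign text that still hits \bfirm\b
  "please confirm your order",         // no hit: no word boundary inside "confirm"
];

function classifyAll(posts) {
  return posts.map((p) => classify(p).severity);
}
```

The fourth sample is the kind of false positive to expect from a general-purpose word like "firm"; keeping the matched terms alongside the tier lets the duty officer see why a post was flagged.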
Use cases for event security
A protest-prone event (university commencement, defense conference, partisan rally) is the canonical use case. Telegram channel monitoring for events surfaces a "meet point: 0700 outside Starbucks on Main" post on a counter-demo channel six hours before doors — operational planning visible to the duty officer that wouldn't appear on X.
A football fixture operator can allowlist the firm-specific channels (Headhunters, ICF, etc.) and watch for "pre-match" posts coordinating away-supporter intercepts. The lexicon is consistent across years of firm history and the regex catches it.
A music festival operator watches ticket-resale Telegram channels for face-value listings near the event date — the canonical "I'm at the gate, who wants face?" cluster is a leading indicator of upgrade-fraud at the actual ingress point.
Pairs well with
- Telegram threats (/docs/signals/telegram-threats) — the allowlist channel signal covers known channels you've curated; the threat-intel signal discovers new channels via TGStat. Run both.
- Reddit (/docs/signals/reddit) — protest organizing frequently bridges Reddit (open discussion) and Telegram (operational coordination).
- Dark web (/docs/signals/dark-web) — counter-event organizing increasingly lives on Telegram, with only the most operational planning persisting on Tor; reading them together captures the migration.
Premium upgrade path
The RSSHub gateway is free if self-hosted. For a fully managed path, configure a paid RSSHub-as-a-service provider or move to GramJS with a Telegram developer account at my.telegram.org. For broader threat-channel discovery (not just allowlisted channels), enable the /docs/signals/telegram-threats signal with a TGStat API key — ~$30/mo basic, ~$100/mo with full word search.
Frequently asked questions
Can SignalGuard monitor private Telegram channels? No. Private channels require an invite-and-join from a user account inside the channel; SignalGuard's design explicitly never automates that join (it would be a scope-creep and consent issue). We monitor public channels only, via the public RSSHub feed path. For private-channel monitoring, the right tool is a vetted internal analyst with explicit operational authorization — not an automated platform.
How does Telegram channel monitoring for events handle deleted messages? RSSHub caches the feed; if a message is deleted on Telegram after RSSHub has captured it, the deleted message may still appear in the cached feed for a short window. SignalGuard surfaces what RSSHub serves; we don't independently re-verify against Telegram. The 5-minute cache TTL bounds the staleness window.
Why does the signal require allowlisted channels rather than crawling all of Telegram? Telegram has no public-channel discovery API equivalent to Reddit's search. More importantly, automated discovery-and-crawl across Telegram is both technically fragile and a posture problem: it shifts the product from "monitor what an operator has curated" to "monitor everything," which is neither what the buyer wants nor what SignalGuard's data-handling policy supports. For broader discovery, see the threat-intel signal.
Is allowlisted Telegram channel monitoring legal? Public channels are explicitly published for broad consumption — the Telegram channel architecture exists precisely for one-to-many publishing. The Council of Europe's Convention 108+ guidance on online monitoring supports public-channel monitoring under proportionality and necessity standards. SignalGuard's allowlist-only model, in-memory cache, and explicit operator curation align with those standards.