Why Telegram Is Different
Telegram's architecture creates distinct forensic signatures compared to other platforms. Public channels with unlimited forwarding, no algorithmic feed, and minimal content moderation make it both the preferred operational environment for information operations in Eastern Europe and one of the more technically tractable platforms for coordination analysis.
Understanding what coordination looks like on Telegram requires understanding how the platform's mechanics interact with amplification strategies.
Signal 1: Forwarding Velocity Anomalies
Organic content on Telegram accumulates forwards gradually, with a natural decay curve: high initial velocity as the core audience engages, a decline over 48–72 hours, then a long tail.
Coordinated amplification produces a different curve: a delay after posting (accounts receiving posting instructions), then a sharp synchronous velocity spike, then a cliff. This asymmetric profile — slow start, sharp peak, immediate cliff — is one of the cleanest coordination signals available.
How to measure it:
- Record forward counts at 1h, 6h, 12h, 24h, 48h, 72h post-publication
- Fit an exponential decay curve to the expected organic model for that channel size
- Flag content where observed velocity deviates from the expected curve by more than 2 standard deviations at any measurement interval
In Retelnist, this analysis runs automatically for all monitored channels, with flagged items surfaced in the anomaly queue.
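The measurement steps above, as an added example (not Retelnist's code). It assumes per-post cumulative forward counts at the six checkpoints, normalises each post by its final count so that shape is compared rather than reach, and fits the decay in log space; all sample counts are constructed.

```python
import math
from statistics import mean, stdev

CHECKPOINTS = [1, 6, 12, 24, 48, 72]  # hours after publication, as listed above

def log_shares(cumulative):
    """(interval midpoint, log of forwards-per-hour as a share of total) per checkpoint."""
    total, prev_t, prev_c, pts = max(cumulative[-1], 1), 0, 0, []
    for t, c in zip(CHECKPOINTS, cumulative):
        delta = max(c - prev_c, 0.5)  # floor keeps log() defined for empty intervals
        pts.append(((prev_t + t) / 2, math.log(delta / (t - prev_t) / total)))
        prev_t, prev_c = t, c
    return pts

def fit_organic(baseline_posts):
    """Least-squares fit of log(share) = a - k*t; returns (a, k, residual sigma)."""
    pts = [p for post in baseline_posts for p in log_shares(post)]
    xm, ym = mean(x for x, _ in pts), mean(y for _, y in pts)
    slope = sum((x - xm) * (y - ym) for x, y in pts) / sum((x - xm) ** 2 for x, _ in pts)
    a = ym - slope * xm
    sigma = stdev(y - (a + slope * x) for x, y in pts)
    return a, -slope, sigma

def z_scores(post, model):
    """Deviation from the fitted curve at each checkpoint, in standard deviations."""
    a, k, sigma = model
    return {t: (y - (a - k * x)) / sigma
            for t, (x, y) in zip(CHECKPOINTS, log_shares(post))}

def flag(post, model, threshold=2.0):
    """Checkpoints where the post deviates from the organic model by more than 2 SD."""
    return [t for t, z in z_scores(post, model).items() if abs(z) > threshold]

# Constructed cumulative forward counts at the six checkpoints.
BASELINE = [[39, 201, 341, 504, 614, 640],
            [25, 120, 210, 300, 370, 390],
            [70, 400, 680, 980, 1160, 1200]]
HELD_OUT = [50, 260, 445, 660, 800, 833]   # ordinary post from the same channel
SUSPECT = [2, 10, 400, 420, 424, 425]      # delay, synchronous spike, cliff

if __name__ == "__main__":
    model = fit_organic(BASELINE)
    for name, post in (("held-out", HELD_OUT), ("suspect", SUSPECT)):
        print(name, "flagged at hours:", flag(post, model))
```

The sign of each z-score distinguishes the slow start and cliff (negative) from the synchronous spike (positive).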
Signal 2: Cross-Channel Forwarding Clusters
A single piece of content being forwarded to many channels simultaneously is a baseline coordination signal. More diagnostic is identifying which channels forward to which other channels: the network topology.
Coordinated channel networks show characteristic structural features:
- Hub-and-spoke topology: A small number of originating channels (often obscure or recently created) that consistently source content forwarded by larger, more established channels
- Temporal clustering: Forwards from the network arriving within a narrow time window (often under 30 minutes) rather than distributed over hours
- Content homophily: Networks sharing content exclusively within ideological/narrative alignment, with no counter-narrative content engagement
Signal 3: Account Age and Activity Patterns
Channel creation dates relative to operational start dates are a reliable indicator of purpose-built infrastructure. A cluster of channels all created within a 30-day window, all starting to post on the same date, is almost never organic.
The metrics to collect for each channel in a suspected network:
- Channel creation date (if accessible via API)
- First post date
- Posting frequency distribution (time of day, day of week); operational channels often show distinctive posting schedules tied to working hours in the source country
- Subscriber count growth curve — coordinated channels often show step-function growth (bulk-added subscribers) rather than organic gradual growth
Signal 4: Content Cloning and Near-Duplicate Detection
Adversarial operations frequently deploy near-duplicate content across multiple channels simultaneously — slight modifications to avoid exact-match duplicate detection, but substantively identical framing and claims.
Detection approach:
- Generate content fingerprints using MinHash locality-sensitive hashing (not exact string matching — near-duplicates will evade that)
- Cluster content with similarity above a 0.85 cosine threshold
- Examine clusters for cross-channel origin — identical or near-identical content appearing in multiple channels is a strong coordination signal
- Cross-reference with posting timestamps to identify whether the cross-channel appearance is simultaneous or follows a propagation pattern
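The detection approach above, as an added example (not code from the original page or from Retelnist). It assumes character 5-gram shingles and 256 salted hashes, and applies the 0.85 threshold to the MinHash estimate of Jaccard similarity; the posts and channel names are constructed.

```python
import hashlib
import re
from itertools import combinations

NUM_HASHES, SHINGLE, THRESHOLD = 256, 5, 0.85  # hash count and shingle size are assumptions

def shingles(text):
    """Character 5-grams of the lower-cased, whitespace-collapsed text."""
    norm = re.sub(r"\s+", " ", text.lower()).strip()
    return {norm[i:i + SHINGLE] for i in range(max(1, len(norm) - SHINGLE + 1))}

def minhash(text):
    """Signature: minimum of each salted hash over the shingle set."""
    sh = [s.encode("utf-8") for s in shingles(text)]
    return [min(hashlib.blake2b(s, digest_size=8, salt=i.to_bytes(2, "big")).digest()
                for s in sh) for i in range(NUM_HASHES)]

def similarity(sig_a, sig_b):  # share of matching slots, estimates Jaccard similarity
    return sum(a == b for a, b in zip(sig_a, sig_b)) / NUM_HASHES

def cross_channel_clusters(posts):
    """posts: (channel, minute, text). Near-duplicate clusters seen in more than one channel."""
    sigs = [minhash(text) for _, _, text in posts]
    parent = list(range(len(posts)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for i, j in combinations(range(len(posts)), 2):
        if similarity(sigs[i], sigs[j]) > THRESHOLD:
            parent[find(i)] = find(j)   # union the two clusters
    groups = {}
    for i in range(len(posts)):
        groups.setdefault(find(i), []).append(i)
    out = []
    for members in groups.values():
        channels = sorted({posts[i][0] for i in members})
        minutes = [posts[i][1] for i in members]
        if len(channels) > 1:  # keep only clusters that span several channels
            out.append({"posts": members, "channels": channels,
                        "spread_min": max(minutes) - min(minutes)})
    return out

# Constructed sample posts: (channel, minutes since first sighting, text).
BASE = ("Officials confirm the water supply in the northern district is unsafe, residents are "
        "told to leave before the weekend, share this with everyone you know before it gets deleted")
OTHER = "Weather for the weekend: light rain in the morning, clearing by late afternoon"
POSTS = [("chan_a", 0, BASE), ("chan_b", 4, BASE.replace("district", "distr1ct")),
         ("chan_c", 7, BASE.upper() + " !!"), ("chan_d", 90, OTHER), ("chan_d", 300, OTHER)]
```

`cross_channel_clusters(POSTS)` reports the three edited copies as one cluster with a 7-minute spread, and drops the repeated post that stays inside a single channel.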
Signal 5: Linguistic and Formatting Fingerprints
Human operators create content. Humans have habits. Consistent use of specific formatting conventions, punctuation patterns, or lexical choices across accounts that should not be related can identify common authorship or content generation infrastructure.
This is the most labour-intensive signal to operationalise but often the most conclusive for attribution. In the context of information operations originating from a specific country or organisation, characteristic linguistic or formatting fingerprints can definitively link apparently independent channels.
Building a Network Map
Once you have identified suspicious channels using the signals above, build a directed network graph:
- Nodes: channels
- Edges: forwarding relationships (weighted by frequency)
- Edge direction: from source channel to forwarding channel
Visualise this graph using a force-directed layout. Coordinated networks will cluster visually. Identify the highest-betweenness-centrality nodes: these are the operational coordination points that, if disrupted or de-amplified, most affect the network's reach.
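The graph construction above and the hub-and-spoke topology from Signal 2, as an added example (not Retelnist's code). It assumes a forwarding log of (source, forwarder) pairs, uses edge weights only to drop one-off forwards, and computes betweenness over hop counts with Brandes' algorithm; channel names and the log are constructed.

```python
from collections import Counter, deque

def build_graph(forward_log, min_weight=2):
    """Directed edges source -> forwarder, weighted by frequency; drops one-off forwards."""
    weights = Counter(forward_log)
    adj = {}
    for (src, dst), w in weights.items():
        if w >= min_weight and src != dst:
            adj.setdefault(src, {})[dst] = w
    return adj

def betweenness(adj):
    """Brandes' algorithm on the directed graph, hop-count shortest paths, unnormalised."""
    nodes = set(adj) | {d for targets in adj.values() for d in targets}
    score = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        order, preds = [], {n: [] for n in nodes}
        paths, dist, queue = dict.fromkeys(nodes, 0), {s: 0}, deque([s])
        paths[s] = 1
        while queue:                      # BFS: count shortest paths from s
            v = queue.popleft()
            order.append(v)
            for w in adj.get(v, ()):
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    paths[w] += paths[v]
                    preds[w].append(v)
        dep = dict.fromkeys(nodes, 0.0)
        for w in reversed(order):         # accumulate dependencies back towards s
            for v in preds[w]:
                dep[v] += paths[v] / paths[w] * (1 + dep[w])
            if w != s:
                score[w] += dep[w]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed forwarding log: (source channel, forwarding channel), one tuple per forward.
LOG = ([("seed_1", "hub")] * 5 + [("seed_2", "hub")] * 4 + [("hub", "amp_1")] * 6
       + [("hub", "amp_2")] * 3 + [("hub", "amp_3")] * 3 + [("amp_1", "tail_1")] * 2
       + [("bystander", "amp_2")])        # single forward, below min_weight

if __name__ == "__main__":
    for channel, score in betweenness(build_graph(LOG)):
        print(f"{channel:10s} {score:.1f}")
```

In this log the relay channel `hub` ranks first because every path from the two seed channels to the amplifiers runs through it.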
Confidence Levels and Reporting
Do not report suspected coordinated behaviour without attaching a confidence level. The intelligence standard is four levels: Confirmed, High, Medium, Possible. Define criteria for each level explicitly in your methodology documentation.
Retelnist generates network analysis reports with explicit confidence levels for each attributed channel cluster. Unconfirmed attribution is marked as such — the worst outcome in cognitive security intelligence work is false attribution, which discredits legitimate findings and can be weaponised by the adversary.