On December 22, just before the long Christmas weekend last year, a 25-year-old man from Wandoor, one of several small towns strewn across Malappuram in north Kerala, was arrested by the state police. Kodakkadan Sharaf Ali was in possession of child pornography, a crime that could lead to five years of imprisonment.
People have been arrested for child pornography before, but Ali’s arrest was significant and unusual. He was charged with sharing these images and videos on a private group on the messaging app Telegram.
Telegram, a non-profit privacy-focussed app founded in 2013, has seen significant traction among those engaged in nefarious activities. ISIS is using it for propaganda, bookies are using it in IPL, and manipulators are using it to fix markets. And child abusers are using it to share child pornography.
Telegram has become the go-to app for those who want to remain anonymous. Unlike WhatsApp, Telegram accounts can be used without revealing one’s phone number. And everything is encrypted.
The Kerala Police were able to ascertain Ali’s identity despite Telegram’s reputation for security. Investigators across the world have been grappling with Telegram. In December 2015, FBI Director James Comey testified that they were unable to decrypt messages used in an attempted terrorist attack in Texas. French investigators could not penetrate ISIS Telegram groups during the Paris attacks of November 2016.
Telegram protects users by splitting its decryption keys across different countries. So, court orders from multiple jurisdictions are needed to decrypt messages. On its website, Telegram proudly claims: “To this day, we have disclosed 0 bytes of user data to third parties, including governments.”
How was the identity of the Kerala group’s administrator revealed?
This is where Jaljith Thottoli and Binu Phalgunan come in, two ordinary citizens zealous about fighting child pornography. Neither are programmers or hackers, but through a deep understanding of Telegram’s strengths and weaknesses and a heavy dollop of social engineering, they laid the perfect trap. In the process, they shed light on the unseemly world of child pornography lurking on Telegram. (In the context of information technology, social engineering involves manipulating people into divulging information.)
***
Thottoli, 38, is a freelance medical transcriptionist from Thiruvananthapuram. But social activism is where his heart is. Whether dismantling claims of faith healers, poking fun at religious fundamentalism, talking about sexual abuse, or documenting LGBT romance, Thottoli has been quite opinionated on social issues.
Phalgunan, a 34-year-old journalist, is a chief sub-editor with OneIndia Malayalam in Kozhikode, the northern Kerala port town. Over the years, he has written a lot on science, international affairs, and development issues.
Thottoli had busted a child pornography ring earlier. In 2015, “somebody messaged anonymously that we had not seen real sexual frustration,” he says. The person also sent him and his friends links to two paedophile groups operating on Facebook: Kochu Sundarikal (Little Beauties) and Home Little Angels.
Thottoli’s group immediately complained to the cyber cell in Thiruvananthapuram. But, three months later, the cops informed them the admin was in Saudi Arabia – outside their jurisdiction. They shut the page down but couldn’t do anything more.
In September, the page resurfaced. Thottoli filed a case.
Around that time, he got in touch with Phalgunan, who was reporting on the case. Over time, the two became friends and spoke about their disgust for child pornography.
“Child porn is something that makes me really angry. It was something that we would discuss all the time,” says Phalgunan.
Meanwhile, the police waited till the admin of Kochu Sundarikal and Home Little Angels visited Kerala in December 2015. Nine others, too, were arrested in the case.
***
Thottoli was an early adopter of Telegram in 2014. Despite his familiarity with the platform, the medical transcriptionist was surprised when, on November 22, 2017, a friend messaged him about a porn group on Telegram. The friend told him that there was a channel called Naadan Thundu meant for local porn.
“I didn’t know there was porn running on Telegram until I saw this message. I didn’t even know that desi porn was available,” says Thottoli.
But Thottoli’s friend had pointed him to it to draw attention to an announcement by the admin of the channel: MLPM with the @awesomekerala username.
On November 9, MLPM posted a message to the group. (This and all other chat excerpts in this story have been translated to English from Malayalam.)
MLPM
We wish to start a Kerala/India based Pedo group. You know, getting Indian pedo is hard.. But, Pedo lovers can achieve it if they put their mind to it.. No, we will do it!
🇮🇳
MLPM was planning to start a new group for paedophiles under the same name — Poombatta (Butterflies). Thottoli immediately decided he was going to do something about it.
Once Thottoli received the tip-off about the Poombatta group, he turned to Phalgunan.
Like Thottoli, the journalist was surprised about these groups despite being a longtime user of Telegram.
A plan began to form. The duo decided that Phalgunan should first try and get into that group. He joined Naadan Thundu. But getting into the child porn group would be harder than anticipated.
To understand the difficulty, it’s necessary to understand how groups and channels work on Telegram.
A channel is a tool for the creator to broadcast messages to large audiences. The traffic is one-way: a subscriber to a channel cannot post anything on it. Naadan Thundu was a channel run by MLPM. Channels are public: anyone can join by searching for them.
Telegram groups, on the other hand, allow two-way communication between members, like WhatsApp groups. But Telegram groups are more sophisticated, allowing very fine-grained controls. Admins can make a group public, so all someone needs to do to join is search for it.
For private groups, an admin has two options. He can add members manually on a case-by-case basis. Or he can create invite links: anyone with the link can join the group.
For Poombatta, MLPM used the invite link route. Phalgunan had to figure out a way to get the invite link.
***
Using his secondary phone number, Phalgunan set up a new Telegram account. He joined Naadan Thundu. “My first aim was to chat with him (MLPM) to enter the Poombatta group,” he says.
The chief sub-editor decided to try an indirect approach.
On Naadan Thundu, MLPM announced that he was starting groups for gay sex and wife swapping. Phalgunan would first establish his credentials as someone interested in these groups. Then, he would ask for the link to the child pornography group.
On November 21, Phalgunan messaged MLPM privately on Telegram. He gave a fake name, and told him he was interested in the gay sex group. He received a canned response from MLPM detailing who can join and a set of questions on user preferences.
After answering them, Phalgunan asks him: “What happened to Poombatta and couple sex?” An hour later, he adds that he’s “interested in pedo(sic) and wife swapping 😜”.
Later in the night, MLPM takes the bait. “Have you shared your wife,” he asks. Phalgunan replies that he hasn’t done that yet.
And then complains: “You have not added me to any group yet”.
Close to midnight, MLPM again asks: “You are interested in wife swap REALY?(sic)”.
Next morning (November 22), Phalgunan replies in the affirmative.
Finally, MLPM relents. He sends Phalgunan the link to the Poombatta group. Phalgunan immediately forwards the link to Thottoli.
Both Thottoli and Phalgunan joined Poombatta.
***
What went on in the Poombatta group?
“You can’t bear to see anything on it,” says Phalgunan. “It’s hard to look at it… because…you can’t even call it porn. It’s that much….” His voice drops.
“It’s a lot of photos of underaged and undressed kids,” says Thottoli. He estimates the group featured around 3,000 pictures and 500-600 videos in six days. The increase in content corresponded to an increase in the number of members.
On November 22, when both Phalgunan and Thottoli joined the group, there were 26 members. By the next day, the number increased to 240. By the third day, the number increased to 360. The numbers stabilized after that.
The group was obsessed with Indian content. Thottoli says that a large number of the explicit photos were of Indian girls. “I have seen a lot of Malayali girls in that group. If you say, girls, I am not talking about 15 year old girls. I’m talking about children who are less than 10 (years),” he says.
Phalgunan says that there’s a photo of a girl with her legs spread as she’s reading a Malayalam magazine. “There are people who are grooming kids in that fashion,” he adds. Grooming is the process of befriending a child, with the intention of sexually abusing the child.
“I am very sure that those kids were groomed. They didn’t have any problem posing like that,” says Thottoli. “It gives me an impression it [the person taking the pictures] might be their father, cousin, uncle…somebody they knew very closely.”
Of the videos, Thottoli estimates that close to 90% were from outside India. Most videos were in Spanish: probably from Latin American countries, he says. The legal age of consent is as low as 13 in many Latin American countries and it is 18 in India.
But there were Indian videos too. “There was one Indian rape video. A four-year-old kid was raped by two men, and she was crying ‘Amma, Amma’,” he says. “You can make out that it is from a southern state.”
A large part of the discussion also devolves into abuse by the members. “They would discuss things like how to groom a child and what to do with the child,” says Thottoli. “It was gross.”
One user asks if anyone has “done it” with their own children. The same user later claimed that he abused his own daughter.
Taking screenshots and screen recordings of these activities took its toll on Phalgunan and Thottoli. Phalgunan says that he couldn’t sleep at night. “It was creating this physical discomfort in me… some days it was really difficult.”
“Truth be told… In the end we couldn’t even look at it,” says Thottoli. “Going through that group was a very tough thing… a really tough thing. I could not eat for the first three days. At one point, I vomited.”
Both Phalgunan and Thottoli are married. The journalist has a seven-year-old daughter; the transcriptionist doesn’t have children.
***
The day Thottoli got the link to the group, he filed a complaint with the cyber crime police station at Thiruvananthapuram. He told them about Poombatta and the activity that he saw on the group. They asked him to take all the screenshots necessary and file a written complaint.
He went to the police station with printouts of screenshots and gave a written complaint. The same day (November 22), he wrote an email to the IGP (Crime) with the link to the group and attached screenshots and screen recordings. The Protection of Children from Sexual Offences Act (POCSO Act) 2012 addresses sexual abuse and sexual exploitation of children in the physical world. Section 67B of the IT Act deals with child porn in the digital world.
But, deep down, Thottoli knew the culprit was nowhere close to getting caught. “There’s no way you can get the admin’s number. No way!” a friend familiar with software told him.
The cyber crime police told him: “We are contacting Telegram. We will get the information from them in due time. Maybe two weeks.” That wouldn’t happen, the transcriptionist knew.
He turned to Google and found a thread about Telegram. “I found that I can get the other guy’s number if I can make him save my number,” he says.
That was useful information: if MLPM saved a fellow Telegram user’s number on his phone, his (MLPM’s) number would be visible. “It’s kind of a trust-based thing,” Phalgunan says.
The editor had a channel open with MLPM, who seemed hooked because Phalgunan had said he was interested in wife-swapping.
MLPM: “Have you shared your wife?”
This was the third time he was asking.
Phalgunan asked if the wife swapping group was ready. MLPM replied that data was being collected and the group would take some time.
“He was eager. He thought there was a possibility – that maybe I was not interested in my wife and I was interested in gay sex,” recounts Phalgunan.
MLPM then asked for Phalgunan’s number. The editor gave him the number linked to the Telegram account – his secondary number.
Immediately, he checked MLPM’s profile. He couldn’t see the admin’s phone number yet – meaning MLPM had not saved his (Phalgunan’s) number on his phone yet.
Phalgunan continued the conversation.
Phalgunan: 👍 [11:16 am]
R u married [11:16 am]
MLPM: No [11:16 am]
Single [11:16 am]
Phalgunan: Are you gay? [11:17 am]
MLPM: Experienced with 3 couples
Little gay [11:17 am]
Phalgunan: 👍 [11:17 am]
Phalgunan: Bisexual [11:17 am]
MLPM asked Phalgunan if he’s had gay sex. Yes, came the reply.
When was the last encounter, the admin asked. Phalgunan lied: two months ago.
The conversation turned explicit. Phalgunan made up detailed stories of his sexual experience. “I had to speak to him in a very bad … by bad I mean in a very vulgar manner,” he says, deeply embarrassed.
Despite his disgust and the bile, Phalgunan talks of organising a gay group meet and slips a question about where he’s from. MLPM replies CLT – the railway station code for Kozhikode. Phalgunan tells him that he comes to Kozhikode occasionally. He then asks if he wants to do a voice call.
MLPM replies: Not now.
The conversation ends there.
***
A little later, Phalgunan checks his phone again. Now, the Telegram app shows MLPM’s number! MLPM had saved Phalgunan’s number on his phone!
FactorDaily tested this with two Telegram users, who did not have each other’s numbers in their address books. A little after the first user saved the number of the second user, the latter was able to see the number of the first.
Phalgunan suspects MLPM saved his number because of their conversations. “That was because of trust… Because he began to trust me,” he says.
Phalgunan sent MLPM’s number to Thottoli, who immediately wrote to the cyber police station with the screenshot.
As Thottoli and Phalgunan were laying the trap for the person behind Poombatta, a Facebook post nearly derailed it.
The post was on a group called Right Thinkers, a Kerala-based group with over 200,000 members. Thottoli says that the post talked about Poombatta and how they would take it down. “I did not want Poombatta to be publicised or taken down immediately.”
Thottoli knew the admin of Right Thinkers. He told him that Poombatta was under police investigation. “I asked him to delete the post,” he says.
Though the post was taken down, MLPM learnt about it. On Naadan Thundu, he was aggressive:
Naadan Thundu
Did you think that this is like your cyber hackers playground Facebook and WhatsApp?
👙Children, this is Telegram, your antics will not work over here. Why, even government and cyber cell have failed in front of Telegram.
“He was not at all scared. He was so confident. This is where privacy of Telegram comes in,” says Thottoli.
The child pornography content on Poombatta continued. But only until November 28, when MLPM suddenly turned cautious. “He was tipped off somehow. And he decided to shut down the group,” Thottoli says.
The group became inaccessible and the link went invalid.
By then, between November 22 and November 28, the group had shared around 3,000 pictures and 500-600 videos.
On November 28, Phalgunan checked with MLPM if Poombatta had been deleted. He received no reply. He messaged him again on December 8. Again, no reply.
On December 13, he asked him if the gay group was up and running. This time, MLPM replied with a link to the channel.
The next day, Phalgunan enquired where MLPM had been:
Phalgunan: Hi [10:13 am]
Haven’t seen you at all [10:14 am]
MLPM: Tell me [10:14 am]
Phalgunan: What happened to the wife swapping group [10:14 am]
MLPM: Not right now [10:15 am]
Phalgunan: Hmm.. [10:15 am]
That was the last that Phalgunan heard from MLPM.
Meanwhile, all that Thottoli had heard from the police was that “they needed solid evidence so that MLPM could not escape”.
On December 22, the Malappuram police arrested MLPM: Kodakkadan Sharaf Ali from Wandoor, Malappuram.