A WIRED investigation goes inside the Telegram groups targeting women who joined “Are We Dating the Same Guy?” groups on Facebook with doxing, harassment, and sharing of nonconsensual intimate images.
# Incident Report: Coordinated Misogynistic Harassment Network Using Telegram for Image Sharing
## Executive Summary
A coordinated network, originating from the "Are We Dating the Same Guy?" (AWDTSG) Facebook groups, shifted operations to private Telegram channels to share nonconsensual intimate images (NCII) and engage in doxing, targeting women associated with AWDTSG. The primary impact was severe digital harassment, doxing, and the circulation of private data, demonstrating a significant vulnerability in platform moderation and the exploitation of encrypted or private messaging services for illicit activity. Response involved external verification by WIRED and reporting to platform providers, though the network proved resilient through rebranding.
## Incident Details
- **Discovery Date:** Late January (when AWDTSG users began noticing and warning about the Telegram groups).
- **Incident Date:** Attack activity involving systematic doxing and NCII sharing observed between January 23 and January 27.
- **Affected Organization:** Public users/members affiliated with the AWDTSG Facebook community.
- **Sector:** Social Media / Online Communities.
- **Geography:** Global reach indicated by the international nature of AWDTSG, with initial reporting citing London-based users and the network's origins in New York.
## Timeline of Events
### Initial Access
- **Date/Time:** Late January 2024 (Implied precursor activity leading to creation of the retaliatory Telegram groups).
- **Vector:** Retaliation against women participating in the AWDTSG Facebook groups, leveraging information gained from those discussions.
- **Details:** Men who felt targeted by AWDTSG accusations shifted their coordination efforts to Telegram groups, intending to share NCII and personal information of women who exposed them.
### Lateral Movement
- **How attackers moved through network:** The network utilized Facebook groups as the initial point of contact and conversation amplification, TikTok to spread awareness and share links, and Telegram for the sustained, illicit sharing of NCII, personal identifiers, and doxing materials.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Nonconsensual intimate images (NCII), phone numbers, usernames, location data, and other personal identifiers were shared widely among thousands of users within the Telegram network. The impact was severe psychological damage and targeted digital abuse affecting women, particularly women of color.
### Detection & Response
- **How it was discovered:** Users within the London-based AWDTSG Facebook group began noticing and warning others about the emerging, explicit retaliatory Telegram groups starting around January 23. WIRED conducted independent scraping and analysis of thousands of messages.
- **Response actions taken:** WIRED analyzed the data, brought the findings to light, and reported violations to TikTok. AWDTSG moderators attempted to warn members via Facebook, though posts were often removed. Victims/observers attempted to report the groups, leading in some cases to rebranding.
## Attack Methodology
- **Initial Access:** Exploiting prior knowledge/data shared within the AWDTSG ecosystem to target specific individuals.
- **Persistence:** Use of highly private/intimate Telegram groups (up to 200,000 members) to maintain the illicit sharing ecosystem, often evading scrutiny by labeling communication as "private."
- **Privilege Escalation:** Not clearly defined in standard cybersecurity terms; however, perpetrators achieved organizational coordination and widespread distribution capabilities within the misogynistic network.
- **Defense Evasion:** Utilizing Telegram's perceived anonymity and arguing they did not meet the threshold for regulatory scrutiny (e.g., DSA designation as VLOP). When reported, groups reformed through rebranding.
- **Credential Access:** Not explicitly detailed, but personal data (phone numbers, usernames) was collected and distributed.
- **Discovery:** Leveraging information shared across public/semi-public platforms (Facebook, TikTok) to identify targets.
- **Lateral Movement:** Transitioning coordination from Facebook to Telegram to utilize a more permissive environment for sharing illegal content.
- **Collection:** Systematically tracking, doxing, and gathering personal identifiers (phone numbers, locations) of targets.
- **Exfiltration:** Sharing NCII, personal data, and doxing materials digitally through Telegram group chats.
- **Impact:** Psychological trauma, potential job loss, requirement to move cities for survivors, and pervasive digital harassment.
## Impact Assessment
- **Financial:** Not explicitly estimated, though legal costs for victims (defamation lawsuits against AWDTSG members) and the cost of supporting victims (via organizations like The Cyber Helpline) are implied.
- **Data Breach:** Massive circulation of nonconsensual intimate images (NCII) and Personally Identifiable Information (PII) including phone numbers, usernames, and location data.
- **Operational:** Disruption of the intended purpose of the AWDTSG forum due to internal warnings and moderation conflicts; significant operational adaptation by harassers to continue illicit activity.
- **Reputational:** Damage to the reputation of the targeted women; negative scrutiny for Facebook (Meta) and Telegram regarding platform governance.
## Indicators of Compromise
*(Note: Indicators are related to platform behavior and coordination, not traditional malware IOCs)*
- **Network indicators:** Invitation links shared in TikTok comment sections leading to private or public Telegram channels.
- **File indicators:** Nonconsensual intimate images (NCII) shared within Telegram chats.
- **Behavioral indicators:** Systematic tracking, doxing, and degradation of women publicly associated with AWDTSG; use of specific coded language or knowledge suggesting prior association with AWDTSG exposure; rapid rebranding following detection.
## Response Actions
- **Containment measures:** AWDTSG moderators unsuccessfully attempted to contain the spread by removing warning posts on Facebook. Platforms (TikTok) removed some violating content/links upon notification.
- **Eradication steps:** External analysis (WIRED) identified the network structure; survivors reported content, though eradication was incomplete due to rebranding.
- **Recovery actions:** Organizations like The Cyber Helpline provided support for victims suffering psychological damage, requiring some to change jobs or move cities.
## Lessons Learned
- **Key takeaways:** The migration of illicit activity to platforms offering greater privacy (Telegram) enables coordinated abuse to flourish outside the regulatory scope of larger platforms (DSA compliance). Coordinated digital harassment is used as a tactic of retaliation against online activism.
- **What could have been done better:** Social media platforms failed to adequately moderate cross-platform coordination. AWDTSG moderators failed to protect members when they removed warning posts, potentially increasing risk exposure.
## Recommendations
- **Prevention measures for similar incidents:**
  1. Implement stricter, proactive cross-platform monitoring for coordinated harassment campaigns that migrate between services.
  2. Telegram must face increased regulatory pressure to enforce content removal policies within large private groups, regardless of their self-declared platform size classification.
  3. Community moderators (e.g., in AWDTSG) should be empowered, trained, and supported to prioritize member safety reporting over concerns about unverified accusations.
  4. Increase victim support resources specializing in digital trauma, acknowledging that cybercrime consequences are often as damaging as offline crimes.