How Federal Agents Obtain Telegram Messages and Encrypted Communications in Crypto Investigations

Every indictment in DOJ's Operation Token Mirrors relies on Telegram messages as its evidentiary foundation. Every recorded call came from an encrypted platform. The Gotbit case was built on Telegram chats. The ZM Quant case was built on recorded calls and Telegram messages. The ANTIER/CONTRARIAN case was built on Telegram chats, recorded calls, and an internal flow chart recovered from the CEO's records. The ZM Quant defendants also coordinated on WhatsApp.

Anyone who believes that using an encrypted messaging application provides protection from federal investigators is wrong. But anyone assessing these cases should also understand how dependent the government's theory is on the communications evidence. Without the defendants' own words, the prosecution's case is built on blockchain data and trading patterns. Trading patterns alone do not prove intent. That is the critical distinction.

Why Communications Evidence Matters More Than Blockchain Data

Federal prosecutors charging cryptocurrency market manipulation must prove that the defendant acted with specific intent to defraud. Blockchain data can show that trades occurred. It can show that a single entity controlled wallets on both sides of a transaction. It cannot show why the trades were made. A defendant can argue the trading was designed to provide genuine liquidity, to test an algorithm, to support a token launch, or to meet exchange listing requirements. Those are legitimate business purposes.

That is what makes the communications evidence the most important part of every Operation Token Mirrors case. The Telegram messages and recorded calls are the evidence that closes the gap between trading activity and criminal intent. Strip out the communications and the government faces a fundamentally different case at trial.

Understanding how federal agents obtain this evidence is essential for anyone facing a cryptocurrency investigation.

Device Seizure and Forensic Extraction

The most direct method is the most common. Federal agents obtain a search warrant under the Fourth Amendment and Federal Rule of Criminal Procedure 41, seize the target's phone, laptop, or tablet, and use forensic extraction tools to recover message content stored locally on the device. Telegram stores messages on the device by default. Signal stores messages on the device. WhatsApp stores messages on the device. Even when a user enables disappearing messages or auto-delete timers, forensic tools can often recover deleted content from the device's storage.

This is how the government obtained the Telegram messages in the Gotbit case. This is how it obtained the internal flow chart from the CONTRARIAN CEO. The messages existed on devices that agents seized with warrants.
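An added illustration of why deleted messages survive on disk (this is example code written for this page, not from the original post or from any forensic tool): it assumes a messenger keeps its chat history in a SQLite database, as many mobile apps do, and shows that a row deleted with SQLite's usual default settings can still be carved from the raw file bytes, while the secure_delete pragma or a VACUUM removes it. The table layout and the message text are constructed sample data.

```python
import os
import sqlite3
import tempfile

# Constructed sample chat history; not taken from any real case.
SAMPLE_MESSAGES = [
    ("alice", "can you push volume on the token tonight"),
    ("bob", "ok, the second wallet takes the other side"),
    ("alice", "delete this thread after we are done"),
]
DELETED_TEXT = "delete this thread"


def build_store(path: str, secure_delete: bool) -> None:
    """Create a message table, then delete one row the way an app's UI would.

    secure_delete=False mirrors SQLite's usual default: the freed cell is only
    unlinked, so its bytes stay inside the page. secure_delete=True makes
    SQLite zero freed space, which is what a privacy-conscious app must enable.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=" + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.execute("DELETE FROM messages WHERE body LIKE ?", (DELETED_TEXT + "%",))
    con.commit()
    con.close()


def raw_file_contains(path: str, needle: str) -> bool:
    """Byte-level carve, ignoring the SQLite structure entirely."""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def deleted_message_recoverable(secure_delete: bool, vacuum: bool = False) -> bool:
    """True if the 'deleted' body text can still be carved from the file."""
    tmp = tempfile.NamedTemporaryFile(suffix=".db", delete=False)
    tmp.close()
    try:
        build_store(tmp.name, secure_delete)
        if vacuum:
            con = sqlite3.connect(tmp.name)
            con.execute("VACUUM")  # rebuilds the file, discarding free space
            con.close()
        return raw_file_contains(tmp.name, DELETED_TEXT)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print("default settings, text still in file:", deleted_message_recoverable(False))
    print("secure_delete=ON, text still in file:", deleted_message_recoverable(True))
    print("default + VACUUM, text still in file:", deleted_message_recoverable(False, True))
```

The carve here only reads the main database file; a real examination would also look at rollback journals, WAL files and unallocated filesystem blocks, which can hold copies the app itself never cleans up.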

The search warrant affidavit must establish probable cause to believe that the device contains evidence of a crime. That affidavit is a critical document. It reveals the government's theory, the scope of the investigation, and the evidence already in the government's possession. Challenging the affidavit's sufficiency is a foundational defense strategy in cases built on seized communications. If the affidavit does not establish probable cause, the evidence obtained from the device may be suppressed.

The Stored Communications Act

The Stored Communications Act (SCA), codified at 18 U.S.C. §§ 2701-2713, governs the government's ability to compel electronic communication service providers to disclose stored communications. The SCA creates different tiers of legal process depending on the type of information sought and how long it has been in storage.

For the content of communications stored for 180 days or less, the government must obtain a search warrant based on probable cause. For communications stored longer than 180 days, the government can use a warrant, a court order under Section 2703(d), or a subpoena with prior notice to the subscriber. For non-content records, including subscriber information, IP address logs, and connection timestamps, the government can use a subpoena or court order.

Section 2703(f) is particularly important. It allows the government to issue a preservation request to any provider, requiring the provider to preserve all existing records and communications for 90 days, renewable for an additional 90 days. This buys investigators time to obtain a warrant or court order while preventing the provider from deleting data. Preservation requests are not disclosed to the user. A provider who receives one is prohibited from notifying the subscriber.

Each of these legal tools has constraints that defense counsel can exploit. Subpoenas can be challenged for overbreadth. Search warrants can be attacked for lack of probable cause or deficient particularity. The 180-day distinction creates authentication issues. Preservation requests that are not followed by timely legal process raise due process concerns. The SCA is a powerful tool for the government. It is not without limits.

The CLOUD Act and Overseas Data

Cryptocurrency investigations are international by nature. The defendants in Operation Token Mirrors lived in Russia, Hong Kong, the United Kingdom, India, and Singapore. The messaging platforms they used store data on servers around the world. Before 2018, whether the U.S. government could compel a provider to produce data stored on foreign servers was an open legal question.

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), enacted in 2018, resolved it. Section 2713 of the SCA now provides that a covered provider must comply with its disclosure obligations "regardless of whether such communication, record, or other information is located within or outside of the United States." If a U.S.-based provider controls the data, the government can compel production through a domestic warrant, even if the data is physically stored on a server in Ireland, Singapore, or anywhere else.

For providers not based in the United States and not subject to U.S. jurisdiction, the government uses mutual legal assistance treaties (MLATs) to request evidence from foreign jurisdictions. MLAT requests can be slow. But they work. The arrests in Singapore, Portugal, and the UAE in the Operation Token Mirrors cases demonstrate that international cooperation in cryptocurrency fraud enforcement is real and effective.

The CLOUD Act does have limits. It reaches only data within a provider's "possession, custody, or control." It provides a mechanism for providers to challenge warrants that conflict with foreign law. And it does not reach companies that operate exclusively outside the United States with no U.S. presence. Defense counsel evaluates whether the specific provider is subject to CLOUD Act jurisdiction and whether the warrant complies with the statute's requirements.

Undercover Collection

The Operation Token Mirrors cases illustrate a collection method that bypasses encryption entirely. The FBI did not need to decrypt anything. Its undercover employee participated in the Telegram conversations and recorded calls in real time. The agent was a party to the communications. The defendants chose to share their methods, pricing, and strategy with someone they believed was a client. That person was a federal agent.

This is lawful. Federal courts have long held that a person who voluntarily discloses information to another person assumes the risk that the recipient is cooperating with the government. The Fourth Amendment does not protect conversations voluntarily shared with an undercover agent.

But undercover evidence is not invulnerable. Entrapment is a defense when the government induced a defendant to commit a crime the defendant was not otherwise predisposed to commit. In the Operation Token Mirrors cases, the government addresses predisposition through prior conduct involving real tokens like the Saitama Token, Robo Inu Token, and VZZN Token. A defendant without a history of manipulating real tokens has a stronger entrapment argument than a defendant whose prior conduct mirrors the undercover manipulation.

Cooperating Witnesses

The government also obtains message content through cooperating witnesses. Co-conspirators who agree to cooperate surrender their devices and provide access to their message histories. A cooperator's Telegram archive can contain months or years of conversations with targets. Cooperators may also agree to record future conversations with targets while wearing a wire or using a monitored device.

In the Operation Token Mirrors cases, multiple defendants have already pleaded guilty. Gotbit's CEO pleaded guilty. CLS Global pleaded guilty. MyTrade's founder pleaded guilty. Each cooperator potentially provides additional communications evidence against remaining defendants.

Cooperator testimony is often the most damaging evidence at trial. It is also the most vulnerable to cross-examination. Cooperators receive favorable treatment at sentencing in exchange for their testimony. That creates an inherent bias. Defense counsel attacks cooperator credibility through their plea agreements, their motive to shade testimony, and inconsistencies between their statements and the documentary record.

Metadata and Consciousness of Guilt

Even when message content has been deleted or is otherwise unavailable, metadata can be powerful evidence. Metadata shows who communicated with whom, when, how often, and for how long. Prosecutors use communication patterns to corroborate the existence of a conspiracy, identify the participants, and establish the timeline. A jury does not need to read the messages themselves if the pattern of communications, combined with blockchain data and financial records, establishes the scheme.

Deleting messages after learning of an investigation creates a separate problem. In the ANTIER/CONTRARIAN case, the indictment alleges that defendants deleted Telegram messages and stopped trading the Powerlink token immediately after the DOJ issued its October 2024 press release announcing the first wave of Operation Token Mirrors charges. The CONTRARIAN CEO did not join a scheduled videoconference the following day. That deletion is evidence of consciousness of guilt. It is also an independent federal crime. 18 U.S.C. § 1519 makes it a felony to destroy records with intent to obstruct a federal investigation. The penalty is up to 20 years. The message deletion that a defendant hopes will protect them can become a separate count in the indictment.

The lesson from these cases cuts both ways. Encrypted messaging does not provide protection from federal investigation. But these cases also reveal how dependent the government's theory is on the communications evidence. Without the defendants' own words, the prosecution must prove intent through circumstantial evidence alone. That is where defense begins.

Frequently Asked Questions

How does the government obtain Telegram messages in a cryptocurrency investigation?

Federal investigators obtain Telegram messages primarily through device seizures under search warrants issued pursuant to Federal Rule of Criminal Procedure 41. Agents seize phones and laptops and use forensic extraction tools to recover message content stored locally. Even messages set to auto-delete can often be recovered from device storage. The government also uses the Stored Communications Act (18 U.S.C. §§ 2701-2713) to compel providers to produce stored communications. The CLOUD Act (18 U.S.C. § 2713) requires providers to comply regardless of whether data is stored inside or outside the United States. In Operation Token Mirrors, the FBI also used undercover agents who participated in and recorded communications in real time.

Does using end-to-end encryption protect communications from federal investigators?

No. End-to-end encryption protects data in transit between devices. It does not protect data stored locally on the devices themselves. When federal agents seize a phone or laptop under a search warrant, forensic tools can extract message content regardless of whether the platform uses encryption. The government also bypasses encryption entirely through undercover operations where agents participate directly in conversations, and through cooperating witnesses who surrender their devices and message histories. In the Operation Token Mirrors cases, the FBI's undercover employee was a party to the Telegram conversations and recorded calls in real time.

Can deleting messages after learning of a federal investigation result in additional charges?

Yes. Destroying records with intent to obstruct a federal investigation is an independent felony under 18 U.S.C. § 1519, carrying up to 20 years in prison. In the ANTIER/CONTRARIAN case, the indictment alleges that defendants deleted Telegram messages immediately after DOJ issued a press release about Operation Token Mirrors. That deletion is evidence of consciousness of guilt and can become a separate count in the indictment. Forensic tools can also often recover deleted messages from device storage, meaning the deletion may not even succeed in removing the evidence.

What is the Stored Communications Act and how does it apply to crypto investigations?

The Stored Communications Act (18 U.S.C. §§ 2701-2713) governs the government's ability to compel electronic communication providers to disclose stored communications. For content stored 180 days or less, the government must obtain a search warrant based on probable cause. For older content, a court order or subpoena with notice may suffice. Section 2703(f) allows preservation requests that require providers to retain data for 90 days, renewable for an additional 90 days, while agents obtain a warrant. Each of these tools has legal constraints. Subpoenas can be challenged for overbreadth. Search warrants can be attacked for lack of probable cause. Defense counsel evaluates every step of the government's collection process for compliance with the statute.

How do Armstrong and Bradylyons challenge the government's communications evidence?

Scott Armstrong and Drew Bradylyons built federal cryptocurrency fraud cases using device seizures, the Stored Communications Act, cooperating witnesses, and undercover operations as prosecutors at the DOJ Fraud Section and EDVA. They now use that experience to challenge the government's evidence at every stage. They file motions to suppress unlawfully obtained communications, challenge search warrant affidavits for lack of probable cause or deficient particularity, cross-examine cooperating witnesses on bias and motive, contest the authentication and chain of custody of electronic evidence, and evaluate whether undercover operations implicate entrapment defenses. Their cryptocurrency market manipulation defense practice includes challenging the admissibility of seized communications from the first day of an investigation.

Under Investigation for Cryptocurrency Fraud?

As a former Assistant Chief at DOJ's Fraud Section, Scott Armstrong built cryptocurrency fraud cases using every evidence collection tool described in this post. He now uses that experience to challenge the government's proof. As former Chief of EDVA's Financial Crimes and Public Corruption Unit, Drew Bradylyons supervised complex cryptocurrency fraud prosecutions and coordinated enforcement with the SEC and CFTC. Armstrong & Bradylyons PLLC defends individuals and companies in federal cryptocurrency investigations nationwide.
