#3845: Telegram’s Espionage Pipeline: How the IRGC Recruits Israelis

One Israeli spotted an IRGC recruitment channel on Telegram. He reported it. Then nothing.

Episode Details
Episode ID: MWP-4024
Duration: 47:38
Pipeline: V5
TTS Engine: chatterbox-regular
Script Writing Agent: deepseek-v4-pro

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

This episode examines a specific citizen experience that reveals a broader national security gap. During the 2024-2025 escalation, Telegram served dual roles for Israelis: the primary real-time news source and simultaneously the primary recruitment vector for Iranian intelligence operations. A listener named Daniel, an AI and tech communications professional who follows the IRGC recruitment pattern closely, stumbled on a channel offering remote work for Israelis paid in crypto—the hallmark of known Mabna operations. He reported it to the Israel National Cyber Directorate. Twice. Both times he received polite form letters and silence.

The IRGC’s cyber unit, Mabna, has been running Telegram-based recruitment since at least 2022, but accelerated dramatically after October 7. Their approach is industrial: dozens of channels running simultaneously, casting a wide net for financially vulnerable targets. The pipeline follows a structured playbook. Discovery happens via Telegram’s recommendation algorithm, which cross-pollinates legitimate geopolitical news channels with recruitment fronts designed to blend in visually and stylistically. Initial contact moves to direct messages with disappearing messages and fake profiles. The first task is always innocuous—photograph a bank branch, count foot traffic—and always paid. Payment flows through Telegram’s built-in Wallet bot using USDT on the TRC-20 network, requiring zero external setup or KYC. The next task escalates to sensitive targets: military checkpoints, Iron Dome batteries, port activity. If the target hesitates, blackmail follows: “We have proof you took money from Iran.”

Israeli police reported in early 2025 that dozens of citizens had been indicted for espionage linked to Telegram recruitment, with hundreds more under investigation. One case involved an Israeli from Petah Tikva recruited through a channel called “Work from Home Israel,” who photographed military bases for $500 in USDT.

The episode’s central tension is what criminologists call “reporting fatigue.” When citizens report suspicious activity and receive nothing but silence, their likelihood of reporting again drops sharply. Daniel’s experience—someone with pattern-recognition skills, domain knowledge, and persistence—walking away wondering if he wasted his time, suggests the system filters for persistence rather than accuracy. That silence has consequences beyond individual frustration: it’s a structural vulnerability in a country whose intelligence apparatus genuinely relies on citizen tips as part of its early-warning fabric.


Corn
Daniel sent us this one — and it's personal in a way that I think a lot of Israelis will recognize. He was on Telegram during the war, like basically everyone, following journalists for breaking news. And in the course of that, he stumbled on a channel that raised the hair on the back of his neck — vague promises of remote work for Israelis, paid in crypto, all the hallmarks of those IRGC recruitment operations we've been hearing about for years. He reported it to the Israel National Cyber Directorate. Twice, actually, for different things. Both times he got back a polite form letter and then... And his question is: what actually happens after you hit submit? Was that a waste of time, or did his tip land somewhere real?
Herman
The reason this matters right now — I mean, beyond the obvious — is that during the twenty twenty-four twenty twenty-five escalation, Telegram became the primary real-time news source for Israelis and simultaneously the primary recruitment vector for Iranian intelligence operations. Those two things were happening on the same platform, in the same channels, often visible to the same users. Citizens were the first line of defense whether they signed up for that job or not.
Corn
You're scrolling for updates on the north, and the algorithm serves you a channel that's basically a digital storefront for treason. And you have to decide — do I report this? And if I do, does anyone actually read it? The feedback loop is a black box, and that silence has consequences that go beyond one person feeling a bit foolish.
Herman
It does, and I want to sit with that tension for a moment because Daniel's framing gets at something I haven't seen covered well anywhere. He's not asking whether reporting is worth it in some abstract civic sense. He's asking about the actual mechanics — what does the data show about how these tips are handled in practice? And the fact that he felt, in his words, a bit ridiculous after reporting — that's not just a feeling. That's a documented phenomenon with real national security implications.
Corn
The phrase you're looking for is "reporting fatigue." Criminologists have been studying it for decades — when citizens report suspicious activity and get nothing back but silence, their likelihood of reporting again drops sharply. And in a country the size of Israel, where the intelligence apparatus genuinely relies on citizen tips as part of its early-warning fabric, that's not a minor inefficiency. It's a structural vulnerability.
Herman
Or rather, that's exactly the problem. And it's worth noting that Daniel is not some random person firing off tips based on a hunch. He works in AI and tech communications, he's an active open-source developer, he's been following the IRGC recruitment pattern closely enough to recognize it in the wild. If someone with that profile is walking away from the reporting process wondering if he wasted his time, what does that tell you about the experience for everyone else?
Corn
That most people probably don't report at all. Or they report once, get the form letter, and never bother again. Which means the system is filtering for persistence rather than accuracy, and that's a weird way to run an intelligence-gathering operation.
Herman
Let's start with what we actually know about how these Telegram recruitment operations work — because understanding the mechanism is the first step to understanding why reporting matters and why the silence on the other end is so frustrating.
Corn
I think the place to begin is the scale. This isn't a handful of bad actors running a few channels. Israeli police reported in early twenty twenty-five that dozens of citizens had already been indicted for espionage-related offenses linked to Telegram recruitment, with hundreds more under investigation. The IRGC's cyber unit — Mabna — has been running these operations since at least twenty twenty-two, but they accelerated dramatically after October seventh.
Herman
Mabna is the key entity here. It's the IRGC's dedicated cyber division, and they've been linked to everything from university-targeted credential theft to these Telegram-based human intelligence operations. What's striking about their approach is how industrial it is. They're not running one elaborate long-con on a high-value target. They're casting a wide net, running dozens of channels simultaneously, and seeing who bites.
Corn
It's the gig economy of espionage. Low overhead, scalable, and the platform does half the work for them.
Herman
Right, and Telegram specifically — not WhatsApp, not Signal — because of a set of platform affordances that make it uniquely suited to this kind of operation. Channels with no visible admin, disappearing messages, secret chats with end-to-end encryption, the built-in Wallet bot that enables direct cryptocurrency transactions without leaving the app, and the ability to create fake profiles with stolen or AI-generated photos. It's basically a turnkey recruitment platform.
Corn
The pattern is consistent enough that it's almost a script. The channel appears in your recommendations, often because you're already following geopolitical news channels — the algorithm cross-pollinates. The channel offers remote work, vague descriptions, no specific company name. You respond, you're contacted via direct message, and you're given a small paid task. Photograph a bank branch. Report on traffic patterns at a specific intersection. Something that feels innocuous.
Herman
Here's where the trap closes. They pay you — usually in USDT on the TRC-twenty network, which is Tether on the Tron blockchain, chosen because it's fast, cheap to transfer, and relatively difficult to trace compared to something on Ethereum. Now you've accepted money from an Iranian entity. You've performed a task. You are now, whether you understood it at the time or not, compromised.
Corn
The next ask is slightly more sensitive. A military checkpoint. An Iron Dome battery. Port activity in Haifa or Ashdod. And if you hesitate, they have the leverage — we have proof you took money from Iran. Report this and you go to prison for espionage. Keep working for us and nobody finds out.
Herman
By that point, for many people, the calculation feels inescapable. Which is exactly how the IRGC designed it. This isn't improvisation — it's a structured operational playbook that Mabna has refined over years.
Corn
The case that sticks with me is M., an Israeli from Petah Tikva who was indicted in March twenty twenty-five. He was recruited through a Telegram channel called Work from Home Israel. He photographed military bases. He was paid five hundred dollars in USDT. That's it. Five hundred dollars and a Telegram channel, and now he's facing espionage charges.
Herman
That's the thing — the financial vulnerability piece Daniel mentioned is central to how these operations work. They're not targeting intelligence professionals. They're targeting people who need money, who see "remote work" and think it's a legitimate opportunity. By the time the red flags become impossible to ignore, they're already in too deep.
Corn
Now, I want to walk through the exact pipeline the IRGC uses, because the details matter — and they explain why a citizen like Daniel might spot something the authorities miss. The discovery phase is step one. You're on Telegram following channels like Abu Ali Express or Yossi Yehoshua or any of the major Israeli journalists who now use Telegram as their primary broadcast platform. Telegram's recommendation engine notices you're interested in geopolitical content and surfaces related channels. Some of those are legitimate adversarial sources — Hezbollah-affiliated channels, Iranian state media channels. And mixed in with those, occasionally, are the recruitment fronts.
Herman
The recommendation algorithm is doing a lot of unintentional work for Mabna here. Because the recruitment channels are deliberately designed to look like they belong in the same ecosystem. They use similar naming conventions, similar posting frequencies, similar visual aesthetics. They blend in. And Telegram's content moderation is famously minimal — there's no algorithmic takedown of suspicious recruitment channels the way you might see on Meta platforms.
Corn
Step two is the initial contact. You click into the channel, you see posts offering remote work — "flexible hours, no experience needed, payment in cryptocurrency." If you respond, you're moved to a direct message conversation. This is where the operational security kicks in for the handler. They're using disappearing messages, they're using a fake profile with a photo that's almost certainly either stolen from social media or AI-generated, and they're speaking in Hebrew that's good but not native — often with subtle grammatical tells that someone paying close attention might notice.
Herman
The Hebrew quality is an interesting forensic marker, actually. Mabna has Hebrew speakers, but they're not always native-level. You'll see things like slightly off preposition usage, or verb conjugations that are technically correct but not how a native speaker would phrase something colloquially. It's the linguistic equivalent of an uncanny valley — close enough to pass casual inspection, but slightly wrong if you're looking for it.
Corn
Daniel, I suspect, was looking for it. He mentioned the channel bore an uncanny resemblance to known recruitment groups. That's pattern recognition at work — the vague job descriptions, the crypto payment, the lack of a real company name, and those subtle linguistic tells.
Herman
Step three is the first task. And this is where the operational brilliance — and I hate using that word for something so malign, but it's accurate — really shows. The first task is always something that could plausibly be legitimate market research. "Take a photo of the branch of Bank Leumi on Herzl Street and tell us how many people are waiting in line." That sounds like a mystery shopping gig. It's not obviously espionage.
Corn
What it actually does is establish a behavioral pattern. You've now demonstrated willingness to follow instructions from this handler. You've provided photographic intelligence, even if it's low-grade. And most importantly, you've accepted payment. Step four is the crypto transfer — USDT to a wallet address they provide, often through Telegram's own Wallet bot, which means the entire transaction happens inside the app. No external exchange, no KYC check, no friction.
Herman
The Wallet bot integration is one of those platform features that was presumably built for legitimate convenience — sending money to friends, paying for Telegram Premium, that sort of thing — but it's been a gift to illicit operators. Because it means the victim never has to figure out how to set up a crypto wallet. The handler just says "open Wallet in Telegram, here's the address," and the victim does it in thirty seconds. The barrier to receiving illicit payment is essentially zero.
Corn
Step five is escalation. The next task is more sensitive — a military facility, a port, a power station. And step six, if the target resists, is blackmail. "We have records of your payments. We have your photos. You've been working for Iranian intelligence. If you go to the authorities, you'll be prosecuted. If you keep working for us, you'll keep getting paid and nobody will know."
Herman
The blackmail isn't a bluff. Under Israeli law, accepting payment from a foreign intelligence service for any task, even an apparently innocent one, can constitute a security offense. The targets often don't know that — but the handlers absolutely do.
Corn
We've established the mechanism. It's systematic, it's scalable, and it exploits both the platform and the target's financial vulnerability with surgical precision. But here's the uncomfortable question: what actually happens after you hit submit on that report to the INCD? And does the current system encourage or discourage future reporting?
Herman
Let's talk about the reporting experience itself, because I think this is where Daniel's frustration lives. The Israel National Cyber Directorate has an official reporting portal. You can submit tips via a web form or by email. It's straightforward — you describe what you saw, you can attach screenshots, you provide your contact information if you want follow-up. And then you get back... well, Daniel described it as a courteous but uninformative thank-you message.
Corn
I've done this too. Twice, same as Daniel. And the messages were identical — not just similar, but clearly the same template with the name field swapped out. "Thank you for your vigilance, your report has been received, we take all reports seriously." No case number, no indication of whether this was already on their radar, no follow-up. Just an acknowledgment that someone's autoresponder is working.
Herman
That's the black box. You've just handed over potentially actionable intelligence — a Telegram channel that matches the exact operational pattern of an IRGC recruitment front — and the response is functionally identical to what you'd get for reporting a phishing email. There's no way to know if your tip was useful, if it was redundant, if it was forwarded to Shin Bet, if it was filed and forgotten.
Corn
The psychological effect is worth naming explicitly. Daniel said he felt a bit ridiculous. I recognize that feeling. You start second-guessing yourself — surely the authorities already know about this channel, surely I'm the hundredth person to report it, surely I'm wasting everyone's time including my own. And that internal monologue is exactly what leads to reporting fatigue.
Herman
The criminology literature on this is pretty clear. There was a study out of the UK a few years back — I think it was the College of Policing — that found that citizens who reported suspicious activity and received no meaningful feedback were something like forty percent less likely to report again within a two-year window. The silence doesn't just fail to encourage future reporting — it actively discourages it.
Corn
Which creates a perverse incentive. The system is telling you, through its silence, that your vigilance is not valued. Even if, behind the scenes, your tip was exactly the corroborating data point that moved a case from monitoring to action. You'll never know, so from your perspective, you shouted into the void and the void sent back a form letter.
Herman
This is particularly dangerous in a small country like Israel, where the intelligence apparatus relies on citizen reporting as part of its early-warning fabric. The Ministry of Defense runs public campaigns — Report Suspicious Activity, things like that. The INCD has its reporting portal. The police have hotlines, including the one-oh-four number for security suspicions. The infrastructure exists precisely because the agencies know they can't be everywhere. They need citizens to be sensors.
Corn
Citizens are the sensors. That's not a metaphor — it's the actual operational model. And sensors that don't get feedback degrade over time. They stop reporting. Or worse, they start reporting everything indiscriminately because they can't calibrate what's useful, which just adds noise to an already overwhelmed system.
Herman
Which brings us to the data on tip handling, because this is really what Daniel's asking about. In twenty twenty-four, the Israel Police received over twelve thousand tips related to suspected espionage or terrorism via their online portal. Of those, approximately three thousand eight hundred were forwarded to investigative units. The rest were either duplicates, irrelevant, or already under active investigation.
Corn
Roughly thirty percent made it past the first triage. That's actually higher than I would have guessed. But here's the thing — the INCD doesn't publish its tip-to-action conversion rate. And similar agencies that do publish those numbers, like the FBI's Internet Crime Complaint Center and the UK's National Cyber Security Centre, report that somewhere between two and five percent of tips lead to actionable intelligence.
Herman
Two to five percent. Which means ninety-five to ninety-eight percent of tips don't result in direct action. But — and this is crucial — that doesn't mean those tips were useless. They might have corroborated existing intelligence. They might have been logged in a database that gets queried six months later when a related case emerges. They might have contributed to a pattern analysis that identified a new recruitment methodology. The problem is that the reporter never knows which category their tip fell into.
Corn
The agencies are drowning. During the twenty twenty-four war period, the INCD reported a four hundred percent increase in citizen reports. Four hundred percent. Most of those are well-intentioned but irrelevant — people reporting things they saw on social media that turned out to be nothing, or reporting the same high-profile channel that five thousand other people already flagged. The agencies have to triage, and they prioritize based on threat level, credibility, and existing intelligence.
Herman
A single tip about a suspicious Telegram channel — even a detailed one — is unlikely to be prioritized unless it contains specific, actionable details. A specific target. A crypto wallet address. Something that gives investigators a thread to pull on. A generic report — "I saw a channel that looks suspicious" — is much harder to act on, even if the reporter's instincts are correct.
Corn
This is where I think there's a practical dimension to Daniel's question that's worth pulling out. He's not just asking whether reporting is worth it in principle. He's asking how to make a report that actually matters. Because if you're going to take the time to document something and send it in, you want to maximize the chance that it lands somewhere useful rather than getting lost in the triage pile.
Herman
And the answer, based on what we know about how these systems work, is that specificity is everything. If you encounter a suspected recruitment channel, don't just say "this looks like an IRGC front." Include the channel name, the Telegram invite link, screenshots of the initial messages, the crypto wallet address if it's visible, the subscriber count, the channel creation date. That turns a vague tip into what intelligence analysts would call structured information — something that can be cross-referenced, logged, and acted on.
Corn
Daniel almost certainly did this, or something close to it. He's detail-oriented by nature — I've seen how he documents things. But even with a well-structured report, the silence on the other end is the same. And that's the systemic problem. The feedback loop is broken not because the agencies are incompetent or indifferent, but because the system wasn't designed to close the loop. It was designed to receive tips, not to nurture tipsters.
Herman
There's a legitimate operational security argument for the silence. If the INCD started sending detailed follow-ups — "thank you, we've referred your tip to Shin Bet's counterintelligence division, case number such-and-such" — that could reveal investigative priorities, methodologies, or the fact that a particular channel is under active surveillance. In the worst case, if the reporter themselves is compromised or the communication is intercepted, the feedback becomes an intelligence leak.
Corn
I take the point, but I don't think anyone's asking for operational details. Daniel's not expecting a classified
Herman
Let's establish the pattern, because it's consistent enough now that it's basically a playbook. The IRGC's cyber unit, Mabna, has been running these Telegram-based recruitment operations since at least twenty twenty-two, but the tempo shifted dramatically after October seventh. Israeli police reported in early twenty twenty-five that dozens of citizens had been indicted, with hundreds more under investigation.
Corn
The playbook is almost formulaic. A Telegram channel appears — often surfaced by the recommendation algorithm to people already following geopolitical news channels. It offers remote work. Vague descriptions, no company name, payment in cryptocurrency. You respond, you're moved to a direct message, and you're given a small task. Photograph a bank branch. Report on traffic patterns at a specific intersection. Something that feels like market research.
Herman
Then they pay you. USDT on the TRC-twenty network — Tether on Tron — because it's fast, cheap, and harder to trace than something on Ethereum. And now the trap is set. You've accepted money from an Iranian entity. You've performed a task. Whether you understood what was happening or not, you are now compromised.
Corn
The next ask escalates. A military checkpoint. An Iron Dome battery. Port activity in Haifa. If you hesitate, they have the leverage — we have proof you took money from Iran. Report this and you face espionage charges. Keep working and nobody finds out.
Herman
That's the thing Daniel mentioned — the financial vulnerability piece. These operations aren't targeting intelligence professionals. They're targeting people who see "remote work" and think it's legitimate. By the time the red flags are unmistakable, they're already in too deep.
Corn
Daniel spotted one of these channels in the wild. He described it as bearing an uncanny resemblance to known recruitment groups — vague job descriptions, crypto payment, no real company name, and those subtle linguistic tells in the Hebrew that Herman mentioned. He reported it to the INCD through their official portal and got back a polite, templated thank-you message. Twice, for two different reports.
Herman
His question — the one that sits at the center of this episode — is disarmingly simple. What actually happens after you hit submit? Was that tip useful, or did it vanish into a bureaucratic black hole? And if you never hear back, why would you bother reporting the next one?
Corn
That's the tension. Civic duty versus the silence on the other end. And the silence, as we'll see, has consequences that go well beyond one person feeling a bit foolish.
Herman
The case that illustrates this whole pipeline with almost textbook clarity is M., the man from Petah Tikva indicted in March twenty twenty-five. He was recruited through a Telegram channel called Work from Home Israel. He photographed military bases. He was paid five hundred dollars in USDT. That's the entire story — five hundred dollars and a Telegram channel, and now he's facing espionage charges.
Corn
The channel name itself is almost insultingly generic. Work from Home Israel. It sounds like a LinkedIn group. That's part of the design — make it boring enough that it doesn't trigger the mental alarm that something called "Iranian Intelligence Recruitment" obviously would.
Herman
Right, and that banality is operational discipline. But let me pull on the Telegram-specific thread, because Daniel asked why Telegram rather than WhatsApp or Signal, and the answer reveals a lot about how Mabna thinks about operational security. WhatsApp is tied to a phone number, and that phone number is typically registered under a real identity in Israel — you need an Israeli number to function in Israeli society, and that number is linked to your WhatsApp account in a way that's trivially subpoena-able. Signal has the same phone-number anchor, plus its user base in Israel is much smaller.
Corn
Telegram lets you create an account with a virtual number, a burner SIM from overseas, or even just a username with no visible phone number at all. Channels can have unlimited subscribers with no visible admin. Secret chats are device-specific and don't live on Telegram's servers. And the whole thing is hosted in Dubai, outside the easy reach of Israeli subpoenas.
Herman
The Dubai jurisdiction point is not trivial. Telegram's operational headquarters are in the UAE, which has had a complicated and fluctuating relationship with Israel since the Abraham Accords. It's not a jurisdiction where Shin Bet can just send a polite request and get full cooperation the next day. There's friction built into the geography.
Corn
Another piece that doesn't get enough attention — Telegram's recommendation algorithm. It's not as sophisticated as TikTok's, but it does surface channels based on what you already follow. If you're following Israeli news channels during a war, the algorithm notices you're interested in geopolitical content and starts recommending adjacent channels. Some of those are legitimate adversarial sources — Hezbollah-affiliated news, Iranian state media. And mixed in with those, occasionally, are the recruitment fronts.
Herman
They're camouflaged by the ecosystem. The recruitment channel sits in your recommendations alongside a dozen other channels with similar names, similar posting styles, similar visual aesthetics. It doesn't stand out unless you're looking for it specifically. And Daniel was looking for it — he mentioned the channel bore an uncanny resemblance to known recruitment groups, and I suspect what tipped him off was a combination of things: the vagueness of the job descriptions, the crypto payment, the absence of a real company name, and those subtle linguistic tells in the Hebrew.
Corn
The Hebrew is a fascinating forensic marker. Mabna has Hebrew speakers, but they're rarely native-level. You'll see preposition choices that are technically correct but not how an Israeli would naturally phrase something. Verb conjugations that are textbook-accurate but slightly stiff. It's the linguistic equivalent of an uncanny valley — close enough to pass casual inspection, but something feels slightly wrong if you're paying attention.
Herman
Daniel, given his background, was paying attention. He's detail-oriented, he knows the pattern, he spotted the tells. So he did exactly what the system asks you to do — he reported it to the INCD through their official portal. And then he did it again for a different channel. Both times, he got back what he described as a courteous but uninformative thank-you message.
Corn
I've submitted reports through that same portal. The experience is almost surreal in its blandness. You've just handed over something that might be a live IRGC recruitment front — a channel actively trying to compromise Israeli citizens — and the response is functionally identical to what you'd get for reporting a phishing email. No case number, no indication of whether this was already on their radar, no follow-up. Just an autoresponder with good manners.
Herman
That's where the psychological dimension kicks in. Daniel said he felt a bit ridiculous. I recognize that feeling precisely. You start running an internal monologue — surely the authorities already know about this, surely I'm the hundredth person to report it, surely I'm wasting everyone's time including my own. And that monologue is the mechanism by which reporting fatigue sets in.
Corn
The criminology literature calls this feedback loop failure. There was a study out of the UK's College of Policing a few years back that found citizens who reported suspicious activity and received no meaningful feedback were roughly forty percent less likely to report again within a two-year window. The silence doesn't just fail to encourage future reporting — it actively discourages it.
Herman
Which is perverse, because you might have been exactly the person who provided the missing piece. Your tip might have been the corroborating data point that moved a case from monitoring to action. The channel you reported might have been one that Mabna thought was still undetected. But you'll never know, so from your perspective, you shouted into the void and the void sent back a form letter.
Corn
This matters operationally. During the twenty twenty-four war period, the INCD reported a four hundred percent increase in citizen reports. Four hundred percent. The system was flooded. Most of those tips were well-intentioned but irrelevant — people reporting things they saw on social media that turned out to be nothing, or reporting the same high-profile channel that thousands of others already flagged. The agencies have to triage, and they prioritize based on threat level, credibility, and existing intelligence.
Herman
A single tip about a suspicious Telegram channel, even a well-documented one, is unlikely to be prioritized unless it contains specific, actionable details. A name, a location, a specific target, a crypto wallet address. Something that gives investigators a thread to pull on immediately. A generic report — "I saw a channel that looks suspicious" — is much harder to act on, even if the reporter's instincts are correct.
Corn
That's the asymmetry. The citizen puts in effort — screenshots, channel links, a written description of why this looks like a recruitment front — and gets back what is essentially a receipt. The system acknowledges the transaction but provides no information about the outcome. It's like dropping a letter into a mailbox that has no slot — you can't even confirm it went in.
Herman
There's a legitimate operational security argument for the silence, and I want to be fair to the agencies here. If the INCD started sending detailed follow-ups — "thank you, we've referred your tip to Shin Bet's counterintelligence division, case number such-and-such" — that could reveal investigative priorities, methodologies, or the fact that a particular channel is under active surveillance. In the worst case, if the reporter themselves is compromised or the communication is intercepted, the feedback becomes an intelligence leak.
Corn
I take the point, but I don't think anyone's asking for operational details. Daniel's not expecting a classified briefing. The question is whether there's a middle ground between "here's everything we're doing" and "here's a form letter that tells you nothing." Something as simple as a case number and a status that updates to "no further action" or "referred for review" — the kind of thing the FBI's IC3 already does, imperfectly.
Herman
The IC3 system is an interesting comparison because it shows what's possible even within the constraints of operational security. The FBI's Internet Crime Complaint Center — that's IC3 — gives you a complaint number. You get a confirmation that a human read your report. And in about one in twenty cases, you get follow-up if the case is assigned to an agent. That's not great, but it's something. The twenty twenty-four IC3 report had a striking statistic — seventy-eight percent of complainants said they would report again, but only if they received confirmation that their report was actually read.
Corn
Seventy-eight percent. That's a huge number of people who are willing to do the civic thing but just want to know someone on the other end opened the envelope. And the UK's Action Fraud system goes a step further — you get a crime reference number and a link where you can track progress. The tracking is minimal, just "received," "assigned," "closed." But it closes the loop.
Herman
Israel's one-oh-four hotline for reporting security suspicions gives callers a case number but no follow-up unless the case escalates. So Israel is not uniquely bad here — the UK and the FBI are in roughly the same neighborhood. Everyone's struggling with the same tension between operational secrecy and the human need for acknowledgment.
Corn
Israel has a specific vulnerability that the UK and the US don't share to the same degree. The country is tiny. The intelligence apparatus relies on citizen reporting as a genuine early-warning layer. The Ministry of Defense runs public campaigns — "Report Suspicious Activity" posters, the INCD's reporting portal, the police hotlines. The infrastructure exists because the agencies know they can't cover everything. They need civilians to notice things.
Herman
Civilians are noticing things. Twelve thousand tips in twenty twenty-four. But the triage funnel is brutal — about three thousand eight hundred forwarded to investigative units, and of those, if the two-to-five-percent actionable rate holds, we're talking somewhere between seventy-five and a hundred and ninety tips that actually led to something concrete. The other eleven thousand-plus tips went into a database somewhere, and the people who submitted them heard nothing.
Corn
Which brings us to the uncomfortable knock-on effect. Every person who reported and got silence is now statistically less likely to report again. And some of those people are exactly the ones you want in your early-warning network — the Daniels of the world, who know the pattern, who can spot the linguistic tells, who take the time to document properly. The system is filtering out expertise in favor of persistence, and that's backwards.
Herman
There's a concept in intelligence studies called "the sensor problem." It comes out of signals intelligence originally — if your sensors are badly calibrated, you either miss signals or drown in noise. Citizen reporting is a sensor network, and right now it's uncalibrated. The sensors don't know what's useful, so they either stop reporting or they report everything indiscriminately.
Corn
The four hundred percent spike during the war period makes this worse, not better. A flood of tips from well-meaning citizens who are suddenly hyper-vigilant — most of it noise — and the agencies are even less able to provide meaningful feedback because they're overwhelmed. So the people who reported during the war, when the threat was most acute, are the ones most likely to have had a bad experience and least likely to report next time.
Herman
What would a better system actually look like? Daniel's implicit question — and I think it's the right one — is whether agencies could provide a simple status update without compromising operational security. Something like "under review," "referred to unit," "no further action." Just enough to tell the reporter that the loop closed.
Corn
Australia's ACSC — their cyber security centre — has experimented with automated case tracking for cyber tips. You get a reference number, you can check a portal, you see one of three statuses. It's not detailed, but it's something. And the Australian experience suggests it doesn't create the operational security nightmare that critics predicted, because the statuses are so broad they don't reveal anything about investigative methods.
Herman
The counterargument is that even broad statuses can leak information. If you report a channel and it moves to "no further action" within an hour, that tells you the agency already knew about it. If it sits at "under review" for six months, that might tell you it's part of a larger investigation. Patterns across multiple reports could, in theory, be reverse-engineered to map investigative priorities. I'm not sure how realistic that threat is, but it's the argument the agencies make internally.
Corn
I think the realism question matters. The IRGC is not running a -analysis of INCD status updates to reverse-engineer Israeli counterintelligence priorities. They have their own intelligence apparatus for that. The threat model here feels like it's been optimized for a theoretical worst case rather than the actual harm being done by the broken feedback loop.
Herman
The actual harm is measurable. If reporting fatigue reduces the quality and quantity of citizen tips over time, the agencies lose a sensor network they can't replace with paid personnel. You can't hire enough agents to monitor every Telegram channel that might be a recruitment front. You need civilians. But you're designing a system that treats those civilians as a nuisance to be managed rather than a resource to be cultivated.
Corn
That's the core insight. The feedback loop is broken, and fixing it isn't just about being polite to tipsters — it's about optimizing a national security resource. Every Daniel who stops reporting is a sensor that went dark. And in a country where the threat is this persistent and this scalable, you can't afford to lose sensors.
Herman
Given all that — the broken feedback loop, the signal-to-noise problem, the perverse incentives — what can you actually do to make a report that matters? Because I think that's the practical question underneath Daniel's frustration.
Corn
You can't control whether the INCD sends you a follow-up, but you can control how useful your tip is when it lands on someone's screen. And the difference between a generic report and a structured one is the difference between something that gets triaged into the void and something an analyst can actually work with.
Herman
First rule: specificity is everything. If you encounter a channel that matches the recruitment pattern, don't just say "this looks like an IRGC front." Include the channel name, the Telegram invite link, screenshots of the initial messages, and if there's a crypto wallet address visible anywhere — in a pinned message, in the channel description — include that too. A wallet address is a thread an investigator can pull on immediately.
Corn
Screenshots with timestamps. Not just the content — the metadata matters. When was the channel created? How many subscribers does it have? Has it been reported by others using Telegram's built-in report function? That last one is something a lot of people don't think to check, but Telegram will tell you if a channel has been flagged by other users. If it has, that's useful context for the agency.
Herman
Capture the initial approach messages if you got them. The Hebrew phrasing, the specific job description, the payment terms — all of that is forensic material. Analysts can cross-reference it against known Mabna linguistic patterns, against crypto wallet clusters that have been associated with previous recruitment operations. Your screenshots might be the piece that connects two previously separate cases.
Corn
That turns a vague tip into what intelligence analysts call structured information. It's the difference between saying "there's a suspicious person outside the bank" and saying "there's a man in a blue jacket standing at the northeast corner of Herzl and Jabotinsky, he's been there for forty minutes, he's photographing the entrance with a phone in a black case." One of those is actionable, the other isn't.
Herman
Daniel, knowing him, probably did a lot of this already. He's detail-oriented by nature. But for the listener who might encounter something similar — document first, report second. Don't just forward the channel link and hope for the best. Build a small intelligence package. It takes five extra minutes and it dramatically increases the odds your tip survives triage.
Corn
Second thing: manage your expectations. Your tip is one of thousands. Twelve thousand in twenty twenty-four alone. The agency may already be monitoring that channel. Your report might not be the one that launches an investigation — but it might be the corroborating data point that moves a case from "we're watching" to "we're moving."
Herman
You will never know which it was. That's the part that stings, but it's also the reality. Intelligence work is cumulative. Cases are built on layers of evidence, much of it from sources who have no idea their contribution mattered. The screenshot you sent might be the one that confirms a handler's identity six months from now, when it's cross-referenced against something else entirely.
Corn
I think of it like this: you're not submitting a tip expecting a receipt. You're adding a data point to a system that aggregates thousands of data points into a picture. Your individual contribution is almost never going to be the hero tip that breaks the case wide open. But that doesn't mean it was useless. It means it was one piece of a mosaic.
Herman
The FBI's IC3 data bears this out. Only about one in twenty tips gets follow-up, but the ones that don't still go into the database. They still get queried. They still contribute to pattern analysis. The problem isn't that the tips are useless — it's that the system doesn't tell you they were used.
Corn
Which brings us to the third practical point. If you want to be more useful than the average tipster, learn to document properly. Timestamps on every screenshot. Note the channel's subscriber count and creation date — both are visible in Telegram's channel info. Check if the channel has been reported by others. If you received direct messages, screenshot the entire conversation, not just the suspicious parts.
Herman
One thing I'd add — if you see the same channel being discussed on other platforms, note that too. If someone on Twitter or Reddit is asking "has anyone else seen this weird remote work Telegram group," that's a signal. Multiple independent reports of the same channel increase its priority in the triage queue. You might not be the first to report it, but you might be the one whose report pushes it over the threshold.
Corn
The bigger picture here — and I think this is what Daniel was really driving at — is that citizens are the sensors. That's not a metaphor. The intelligence apparatus cannot monitor every Telegram channel, every WhatsApp group, every online space where recruitment might happen. It relies on civilians to notice things and say something.
Herman
The system, imperfect as it is, does work in the aggregate. Dozens of indictments, hundreds under investigation — those numbers don't happen without tips. Some of those tips came from people who felt a bit ridiculous hitting submit, who wondered if they were wasting their time, who never heard back. And their tips still mattered.
Corn
The frustration Daniel expressed isn't with the act of reporting. It's with the feedback mechanism. And those are two different things. Reporting was the right instinct. The silence on the other end is a systemic failure, but it's not a reason to stop reporting. It's a reason to report better and to push for a system that closes the loop.
Herman
Because here's the thing — as AI-generated content makes it harder to distinguish real recruitment from fake, the role of human pattern recognition becomes more valuable, not less. An AI can generate a thousand fake recruitment channels. But an AI can't tell you that the Hebrew in a particular message feels slightly wrong, that the preposition choice is off, that something in the tone doesn't land like a native speaker. That's human judgment. That's what Daniel brought to the table.
Corn
That's worth protecting. The next time you see something that looks like a recruitment channel, report it. Document it properly, manage your expectations, and hit submit knowing you might never hear back. You might be the tip that breaks a case. Or you might just be one more data point in a database. Either way, you did the thing the system asks you to do. And maybe, someday, the system will figure out how to tell you it mattered.
Corn
Let's end with the question I think is actually sitting underneath this whole conversation. Could you build a citizen tip tracker — a simple dashboard that shows how many tips were received, how many led to investigations, how many led to indictments — without compromising operational security? Because Daniel's frustration isn't really about personal satisfaction. It's about whether a national security resource is being optimized or squandered.
Herman
The Australian experiment suggests it's possible. Their cyber security centre gives you a reference number and three statuses — received, under review, closed. That's it. No operational details, no indication of which unit has it, no timeline. And the critics who said it would leak investigative priorities have been mostly quiet, because the statuses are so broad they don't actually reveal anything useful to an adversary.
Corn
The counterargument I've heard is that even broad statuses create patterns over time. If someone submits a hundred reports and tracks which ones move to "closed" quickly versus which ones sit at "under review," they could theoretically map investigative interest. I just don't find that threat model persuasive at the scale we're talking about. Mabna isn't running a -analysis of INCD status updates. They have actual spies for that.
Herman
The cost of not closing the loop is also measurable. Every Daniel who stops reporting is a sensor that went dark. You can't hire enough agents to monitor every Telegram channel that might be a recruitment front. You need civilians. But you're designing a system that treats those civilians as a nuisance to be managed rather than a resource to be cultivated.
Corn
That's the phrase — a resource to be cultivated. Right now the system treats tips like a fire hose pointed at a filing cabinet. It receives, it sorts, it files. It doesn't nurture. And in the long run, that's more damaging than any theoretical leak from a status dashboard.
Herman
The future makes this more urgent, not less. As AI-generated content gets better — and it's getting better fast — distinguishing real recruitment channels from noise is going to get harder for automated systems. But humans who know the pattern, who can feel that something in the Hebrew is slightly off, who recognize the uncanny valley of a near-native speaker — that human judgment becomes more valuable, not less.
Corn
The AI can generate a thousand fake recruitment channels. It can't tell you that the preposition in the third sentence is wrong in a way that only a human who grew up speaking Hebrew would notice. That's what Daniel brought to the table. That's what the system stands to lose if it keeps burning out its best sensors.
Herman
Here's where I land. The next time you see something that looks like a recruitment channel, report it. Document it properly — screenshots with timestamps, the invite link, the wallet address if it's visible. Manage your expectations. You might never hear back. But you might be the tip that breaks a case, and you'll almost certainly never know if you were.
Corn
Maybe that's the thing to sit with. Reporting is an act of civic optimism. You're adding a data point to a system that can't thank you properly, that might not act on your tip for months, that might already know everything you're telling it. You do it anyway, because the alternative is a country where nobody bothers.
Herman
Maybe, someday, the system will figure out how to close the loop. A case number. Something that says "we saw this, it mattered." It's not a technical challenge — the Australians proved that. It's a question of institutional will.
Corn
Until then, report anyway. You might feel a bit ridiculous hitting submit. But the indictments happen. The cases get built. And somewhere in the triage queue, someone's screenshot is the piece that connects two dots.
Herman
Now — Hilbert's daily fun fact.
Corn
Take it away, Hilbert.

Hilbert: In the seventeen eighties, the population of the Faroe Islands was approximately four thousand seven hundred people — roughly the same number as the distinct spectral receptor types found in a single mantis shrimp eye.
Herman
...right.
Corn
That's a sentence that definitely happened.
Herman
This has been My Weird Prompts. Thanks to our producer Hilbert Flumingtop for keeping the ship upright. If you want to send us your own prompt — or tell us about a suspicious Telegram channel you reported — email the show at show at my weird prompts dot com.
Corn
Or visit us at my weird prompts dot com. We'll be back soon. Report the thing.

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.