ENHANCING HACKTIVIST THREAT ACTOR PROFILING ON TELEGRAM USING LARGE LANGUAGE MODELS AND KNOWLEDGE GRAPHS

Abstract

This research proposes a structured framework for profiling hacktivist threat actors on Telegram by integrating the Intelligence Cycle with Large Language Models (LLMs) and knowledge graphs. The study begins with the identification and collection of Telegram data through OSINT methods, followed by preprocessing and structured labeling to prepare a high-quality dataset. Multiple LLMs are evaluated and the best-performing model is selected to extract cyber threat intelligence entities and relationships. These outputs are used to construct a knowledge graph that maps actor behavior, tools, targets, and affiliations. The graph enables automated threat actor profiling through contextual querying and LLM-based summarization. Final profiles are presented in standardized reports and validated through multi-layered evaluation, including technical metrics and expert feedback. The proposed approach demonstrates improved accuracy, interpretability, and scalability for CTI tasks involving informal and dynamic social media data.