Incident summary. The materials summarized here describe a Telegram-based operation that used a private supergroup and a broadcast channel (“leaked kindom”), together with a sales bot and support accounts, to market paid access to folders of child sexual abuse material. The primary operator identified in the case file is @MRFOLDER1. Buyers were directed through Stripe Checkout (USD pricing), with cryptocurrency and Apple Pay also referenced in the communications. A public X (Twitter) account, @kellyjessie23, linked its biography to a Telegram invite—consistent with funneling traffic from social media into Telegram. Telegram exports, API-derived membership snapshots, open-source account metadata, and preserved payment-page captures were consolidated into hash-verified packages for authorized review. The matter was reported to the FBI via IC3, NCMEC CyberTipline, Stripe, X (formerly Twitter), and Telegram (abuse).
This static site summarizes methodology and integrity controls. It does not host media, chats, or evidence files.
Reconstructed flow
The sequence below summarizes how traffic and purchases moved across platforms in the case materials (redacted; not a verbatim transcript).
- Advertised on X (Twitter). The account @kellyjessie23 drew users in from the public web; the profile bio included a Telegram invite link into the distribution side of the operation.
- Telegram. After following that link, users landed in the Telegram groups/channels (“leaked kindom”) associated with @MRFOLDER1. In documented chats, the suspect or support contact steered the buyer toward the automated purchase path.
- Sales bot. The buyer was given the link to the Telegram sales bot @Onlynsfw_packs_bot to browse folder listings and receive a payment/checkout link for the selected CSAM package.
- Stripe Checkout. The buyer completed payment on the generated Stripe hosted checkout page (Stripe Checkout session); other methods (e.g. cryptocurrency, Apple Pay) were referenced in supporting messages.
Search this index
Full-text search across the same bundled redacted text used on the other pages (client-side, no network after load).
Telegram distribution groups (2)
Two distinct Telegram entities were identified, both operated by @MRFOLDER1 (User ID 5928355498).
| Group | Channel ID | Type | Members / Subscribers | Messages | Created |
|---|---|---|---|---|---|
| Group 1 — Supergroup leaked kindom | 3368344320 | private_supergroup | 24 | Desktop export | Unknown (pre-dates evidence window) |
| Group 2 — Broadcast Channel leaked kindom (broadcast) | 3461376041 | broadcast_channel | 478 | 85 | 2025-11-17T16:35:35 UTC |
Contents
- Executive report — Full forensic report with subject IDs, platform infrastructure, network analysis.
- Methodology — Tools and data sources (high-level).
- Chain of custody — Hash verification for both groups (DOJ/NIST compliant).
- Membership — Telegram user IDs, usernames, display names, and flags per group (telephone numbers omitted).
- Possible penalties — Federal statutory penalties, sentencing enhancements, and collateral consequences for the offenses documented in this investigation.
- Search — Full-text search across bundled, redacted text.
Important
Criminal allegations belong with law enforcement. This index does not assert guilt, and it limits published identifiers to what is needed for a technical record.