The technical infrastructure that underpins Telegram is controlled by a man whose companies have collaborated with Russian intelligence services. An investigation by IStories

Telegram, the wildly popular chat and messaging app, is the pride of the Russian IT industry. According to Pavel Durov, the enigmatic entrepreneur who created the service twelve years ago, it now has over a billion monthly active users around the world.

Among the reasons for this success is Telegram’s reputation for security, coupled with Durov’s image as a free speech champion who has defied multiple governments.

“Unlike some of our competitors, we don’t trade privacy for market share,” he wrote this April. “In its 12-year history, Telegram has never disclosed a single byte of private messages.”

But IStories’ new investigation reveals a critical vulnerability.

When we investigated who controls the infrastructure that keeps Telegram’s billions of messages flowing, we found a man with no public profile but unparalleled access: Vladimir Vedeneev, a 45-year-old network engineer.

Vedeneev owns the company that maintains Telegram’s networking equipment and assigns thousands of its IP addresses. Court documents show that he was granted exclusive access to some of Telegram’s servers and was even empowered to sign contracts on Telegram’s behalf.

There is no evidence that this company has worked with the Russian government or provided any data. But two other closely linked Vedeneev companies — one of which also assigns Telegram IP addresses, and another which did so until 2020 — have had multiple highly sensitive clients tied to the security services. Among their clients is the FSB intelligence agency; a secretive “research computing center” that helped plan the invasion of Ukraine and developed tools to deanonymize internet users; and a flagship state-owned nuclear research laboratory.

Without you, there is no us
Support IStories — it helps us to continue telling the truth
Donate
“If true, this reporting highlights the dangerous disconnect between what many believe about Telegram’s security and privacy features, and the reality," said John Scott-Railton, a Senior Researcher at The Citizen Lab. "When people don't know what is actually going on, but assume they have metadata privacy, they can unknowingly make risky choices, bringing danger to themselves and the people they’re communicating with. This is doubly true if the Russian government sees them as a threat."

A Ukrainian IT specialist who spoke with IStories on condition of anonymity said that the Russian military has used “man-in-the-middle” type surveillance in his country after capturing network infrastructure.

"You get physical access to the data transmission channel and install your equipment there,” he said. “In such an attack, the hackers aren’t even interested so much in the user's correspondence. They get metadata to analyze. And that means IP addresses, user locations, who exchanges data packets with whom, the kind of data it is… really, all possible information.”

Durov is currently under investigation in France after being arrested last August on charges related to the circulation of illegal content on Telegram. The company has since implemented a number of measures to crack down and step up its collaboration with the authorities. Durov has been released under judicial supervision and is allowed to travel.

He did not reply to requests for comment. Vedeneev spoke with IStories but declined to make any of his comments public.

Russia’s Federal Security Service (FSB) has learned to intercept messages sent by Russians to bots or feedback accounts associated with certain Ukrainian Telegram channels, potentially exposing anyone communicating with such outlets to treason charges, Russian human rights NGO First Department warned on Friday.

Russia’s principal domestic intelligence agency has gained access to correspondence made with Ukrainian Telegram channels including Crimean Wind and Vision Vishnun, according to First Department, which said that the FSB’s hacking of Ukrainian Telegram channels had come about during a 2022 investigation into the Ukrainian intelligence agencies “gathering information that threatens the security of the Russian Federation” via messengers and social networks including Telegram.

The case is being handled by the FSB’s investigative department, though no suspects or defendants have been named in the case, according to First Department.

When the FSB identifies individual Russian citizens who have communicated with or transmitted funds to certain Ukrainian Telegram channels, it contacts the FSB office in their region, which then typically opens a criminal case for treason against the implicated person.

“We know that by the time the defendants in cases of ‘state treason’ are detained, the FSB is already in possession of their correspondence. And the fact that neither defendants nor a lawyer are named in the main case allows the FSB to hide how exactly it goes about gaining access to that correspondence,” First Department said.

Recent Western government revelations about EvilCorp flesh out how Russian ransomware actors and the Russian government use each other to navigate a world they perceive as dangerous.

Note added April 30 2025:

Originally posted October 16, 2024 in a very different global geopolitical context, this analysis remains relevant today. Subsequent revelations, especially a set of leaked messages from the Black Basta group – a successor to the Conti group – reaffirm the complexity of relations between Russian ransomware actors and security officials. (The Natto Team discussed the value of leaks here). The Black Basta leaks show that group's members as:

 Receiving Protection: Black Basta chief “Tramp” – who chose as his moniker the Russian version of the current US president’s name – boasted of receiving high-level help from Russian authorities after Armenian officials arrested him in June 2024.   

But Still Vulnerable: Tramp speculated in July 2024 that someone from their circle had snitched on him, “tempted” by the rewards the US State Department has offered for information on Tramp. He also received tipoffs from criminal acquaintances and from “my law enforcement people,” telling him that Russian officials faced international pressure to crack down on Russian cybercriminals: “those who get paid by Interpol here will start making our lives hell.” In September 2024, Black Basta coder “YY” told Tramp that Russian officials had raided YY's home, impounded his car, and “marinated” him in custody for a time. 

 Under Pressure to Work for the Russian State: ​​In a November 14 2022 chat, “Tramp” said, “I have guys in Lubyanka [FSB headquarters] and the GRU [military intelligence agency] – I have been “feeding” them for a long time. They only want to take people on to work for them. They won’t even talk about [prison] sentences or anything. You can go in to work every day at 8 am and leave at 6 pm, just like in a ‘white’ [legitimate] job.” 

 Tracking Geopolitics: In May 2024, after Black Basta paralyzed IT systems at US-based Ascension Healthcare, Black Basta ransom negotiator “Tinker” pondered the group's extortion strategy in light of US election-year politics. He mused that, if anyone died as a result of the group’s attack on a healthcare entity – particularly a Christian hospital system like Ascension – US citizens would demand that their government do whatever it took to induce Russia to crack down on the criminals. Tinker speculated that the Joe Biden administration might make serious concessions to Russia, such as reducing military aid to Ukraine, in return for Russia’s cracking down on the criminals. 

For the Natto Team’s own assessment of Russian-US “ransomware diplomacy,” see here and here.

It will be interesting to observe how Russian cybercriminals interpret recent developments in US-Russian relations.

The FBI and Microsoft have seized more than 100 web domains they say Russian intelligence used for cyber-espionage, according to court documents unsealed Thursday.

The simultaneous actions targeted the Star Blizzard espionage operation, which targeted government and civil society around the world.

The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.

The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.

The British government accused a unit of Russia’s Federal Security Service (FSB) on Thursday of using cyberattacks in a “sustained but unsuccessful” campaign to undermine democratic institutions in the country.

“Russia used sophisticated malware to steal sensitive information from our allies, laundering it through a network of infected computers in the United States in a cynical attempt to conceal their crimes.  Meeting the challenge of cyberespionage requires creativity and a willingness to use all lawful means to protect our nation and our allies,” stated United States Attorney Peace.  “The court-authorized remote search and remediation announced today demonstrates my Office and our partners’ commitment to using all of the tools at our disposal to protect the American people.”

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts.

The document, part of a cache of leaks recently circulated on the internet, suggests the hackers had the ability to cause an explosion and sought instruction from the FSB.

An investigation into the FSB’s digital surveillance and disinformation contractor

On December 30, 2021, in Moscow, Russian Foreign Minister Sergey Lavrov pinned the Order of Friendship on the suit of his Hungarian counterpart Péter Szijjártó. Although the medal was presented by Lavrov, it was Russian President Vladimir Putin himself who decided to award it. Not coincidentally, the medal, which is in the form of a wreath of olive branches encircling a globe, includes the inscription “Peace and Friendship” in Cyrillic on the back, is the highest Russian state decoration that can be awarded to a foreigner.

For almost two decades, hackers with Snake have been forcing their way into government networks. They are considered one of the most dangerous hacker groups in the world. Who they work for, though, has always been a matter of pure speculation. But reporters with the German public broadcasters BR and WDR  have discovered some clues, and they all lead to the Russian secret service FSB.