The technical infrastructure that underpins Telegram is controlled by a man whose companies have collaborated with Russian intelligence services. An investigation by IStories
Telegram, the wildly popular chat and messaging app, is the pride of the Russian IT industry. According to Pavel Durov, the enigmatic entrepreneur who created the service twelve years ago, it now has over a billion monthly active users around the world.
Among the reasons for this success is Telegram’s reputation for security, coupled with Durov’s image as a free speech champion who has defied multiple governments.
“Unlike some of our competitors, we don’t trade privacy for market share,” he wrote this April. “In its 12-year history, Telegram has never disclosed a single byte of private messages.”
But IStories’ new investigation reveals a critical vulnerability.
When we investigated who controls the infrastructure that keeps Telegram’s billions of messages flowing, we found a man with no public profile but unparalleled access: Vladimir Vedeneev, a 45-year-old network engineer.
Vedeneev owns the company that maintains Telegram’s networking equipment and assigns thousands of its IP addresses. Court documents show that he was granted exclusive access to some of Telegram’s servers and was even empowered to sign contracts on Telegram’s behalf.
There is no evidence that this company has worked with the Russian government or provided any data. But two other closely linked Vedeneev companies — one of which also assigns Telegram IP addresses, and another which did so until 2020 — have had multiple highly sensitive clients tied to the security services. Among their clients is the FSB intelligence agency; a secretive “research computing center” that helped plan the invasion of Ukraine and developed tools to deanonymize internet users; and a flagship state-owned nuclear research laboratory.
Without you, there is no us
Support IStories — it helps us to continue telling the truth
Donate
“If true, this reporting highlights the dangerous disconnect between what many believe about Telegram’s security and privacy features, and the reality," said John Scott-Railton, a Senior Researcher at The Citizen Lab. "When people don't know what is actually going on, but assume they have metadata privacy, they can unknowingly make risky choices, bringing danger to themselves and the people they’re communicating with. This is doubly true if the Russian government sees them as a threat."
A Ukrainian IT specialist who spoke with IStories on condition of anonymity said that the Russian military has used “man-in-the-middle” type surveillance in his country after capturing network infrastructure.
"You get physical access to the data transmission channel and install your equipment there,” he said. “In such an attack, the hackers aren’t even interested so much in the user's correspondence. They get metadata to analyze. And that means IP addresses, user locations, who exchanges data packets with whom, the kind of data it is… really, all possible information.”
Durov is currently under investigation in France after being arrested last August on charges related to the circulation of illegal content on Telegram. The company has since implemented a number of measures to crack down and step up its collaboration with the authorities. Durov has been released under judicial supervision and is allowed to travel.
He did not reply to requests for comment. Vedeneev spoke with IStories but declined to make any of his comments public.
Russia’s Federal Security Service (FSB) has learned to intercept messages sent by Russians to bots or feedback accounts associated with certain Ukrainian Telegram channels, potentially exposing anyone communicating with such outlets to treason charges, Russian human rights NGO First Department warned on Friday.
Russia’s principal domestic intelligence agency has gained access to correspondence made with Ukrainian Telegram channels including Crimean Wind and Vision Vishnun, according to First Department, which said that the FSB’s hacking of Ukrainian Telegram channels had come about during a 2022 investigation into the Ukrainian intelligence agencies “gathering information that threatens the security of the Russian Federation” via messengers and social networks including Telegram.
The case is being handled by the FSB’s investigative department, though no suspects or defendants have been named in the case, according to First Department.
When the FSB identifies individual Russian citizens who have communicated with or transmitted funds to certain Ukrainian Telegram channels, it contacts the FSB office in their region, which then typically opens a criminal case for treason against the implicated person.
“We know that by the time the defendants in cases of ‘state treason’ are detained, the FSB is already in possession of their correspondence. And the fact that neither defendants nor a lawyer are named in the main case allows the FSB to hide how exactly it goes about gaining access to that correspondence,” First Department said.
Discover how to intercept data stolen by cybercriminals via Telegram bots and learn to use it to clarify related threat landscape.
While analyzing malware samples uploaded to ANY.RUN’s Interactive Sandbox, one particular case marked as “phishing” and “Telegram” drew the attention of our security analysts.
Although this analysis session wasn’t attributed to any known malware family or threat actor group, the analysis revealed that Telegram bots were being used for data exfiltration. This led us to apply a message interception technique for Telegram bots, previously described on the ANY.RUN blog.
The investigation resulted in a clear and practical case study demonstrating how intercepting Telegram bot communications can aid in profiling the threat actor behind a relatively obscure phishing campaign.
Key outcomes of this analysis include:
Examination and technical analysis of a lesser known phishing campaign
Demonstration of Telegram API-based data interception techniques
Collection of threat intelligence (TI) indicators to help identify the actor
Recommendations for detecting this type of threat
Introduction Telegram, as previously reported by KELA, is a popular and legitimate messaging platform that has evolved in the past few years into a major platform for cybercriminal activities. Its lack of strict content moderation has made the platform cybercriminals’ playground. They use the platform for distribution of stolen data and hacking tools, publicizing their […]
The arrest of Telegram’s chief executive in France has ignited a debate about moderation on his app.
About nine months ago while researching a story, I found myself added to a large Telegram channel which was focused on selling drugs.
I was then added to one about hacking and then one about stolen credit cards.
I realised my Telegram settings had made it possible for people to add me to their channels without me doing anything. I kept the settings the same to see what would happen.
The investigation into Telegram boss Pavel Durov that has fired a warning shot to global tech titans was started by a small cybercrime unit within the Paris prosecutor's office, led by 38-year-old Johanna Brousse.
The arrest of Durov, 39, last Saturday marks a significant shift in how some global authorities may seek to deal with tech chiefs reluctant to police illegal content on their platforms.
The arrest signalled the mettle of the J3 cybercrime unit, but the true test of its ambitions will be whether Brousse can secure a conviction based on a largely untested legal argument, lawyers said.
Telegram is vital to hacktivist groups and their operations. They would have limited platforms to operate on without Telegram, they try X but are often shut-down and they would likely get drowned out if they tried to operate on underground forums.
Threat Actors Retaliate After Durov’s Arrest Discover the latest security threats and database leaks, including unauthorized VPN access and email breaches, in the cyber underground world.Stay informed about emerging cyber threats, such as unauthorized access to databases and sensitive information leaks, affecting global companies and organizations.Learn about the latest cyber incidents, including DDoS attacks and malware threats targeting cryptocurrency wallets and financial institutions.