On Aug. 28, 2024, French authorities indicted Pavel Durov, the CEO and co-founder of Telegram, a cloud-based, cross-platform social media and instant messaging service. Durov, 39, was arrested four days prior after he arrived at Le Bourget airport near Paris on a private plane from Azerbaijan. In a news release on Aug. 26, 2024, the Paris Public Prosecutor’s Office outlined the scope of a criminal investigation into Telegram it launched on July 8, 2024. The charges include complicity in running an online platform that allows illegal activity, possession of child sexual abuse material, sales of drugs and malicious hacking tools, fraud and money laundering. Three other charges relate to providing cryptology tools without proper declarations to French authorities. One charge also alleges Telegram refused to turn over information or documents lawfully requested by authorities. Citing a French administrative document, Politico EU reported Telegram did not answer a judicial request to identify a Telegram user related to a child sexual abuse case, which led to the issuance of an arrest warrant for Durov. Telegram disputed the charges, writing that it abides by European Union (EU) laws and the Digital Services Act. It added that its moderation is within industry standards and that it is “absurd to claim that a platform or its owners are responsible for abuse.” After he was indicted, Durov was released from custody on a 5 million euro bail but has been barred from leaving France.
Durov, who was born in St. Petersburg, Russia, founded the VKontakte (VK) social network, a site modeled after Facebook, in 2006. He founded Telegram in 2013 with his older brother, Nikolai. Durov left Russia in 2014 after selling his stake in VK and repeated run-ins with Russian authorities. He reportedly holds French and United Arab Emirates (UAE) citizenship and maintains a peripatetic lifestyle. Telegram runs on a relatively small engineering staff, and the platform claims to have more than 950 million active users worldwide. Durov has been a vocal free speech advocate, and his arrest has stirred allegations, particularly from the right-leaning end of the political spectrum, that France is trying to stifle free speech. Those voices have included Elon Musk, the billionaire owner of the social networking platform X, formerly known as Twitter, who posted “#FreePavel” on his own account. The charges that mention cryptography have also drawn questions from experts in that field, since governments have long argued that strong cryptography shields illegal activity from view.
Telegram is known for its hands-off moderation, although the company claims to have moderation standards in place that are in line with its peers. As such, researchers have found and continue to find a variety of offensive and illegal content on Telegram. The messenger has attracted robust interest from the cybercriminal community, which uses Telegram to transact in financial data, malware, access credentials, personally identifiable information (PII), proxy services and more. In this post, we will describe some of Telegram’s background, how Durov’s arrest may affect cybercriminal use of Telegram and other possible short-term effects.
Technical Background
Telegram users can send messages individually or in groups, engage in video chats and send or receive data files up to 2 GB. A distinguishing feature of Telegram is scale: a channel can have an unlimited number of subscribers, and a public or private group can hold up to 200,000 members.
Telegram's encryption model depends on the chat type: Cloud Chats or Secret Chats. Cloud Chats use server-client encryption: messages are encrypted between the client and Telegram's servers and stored encrypted across multiple data centers around the world, but Telegram holds the keys and can decrypt the content. Although that data could therefore be produced under a court order, Telegram has deliberately made this difficult. In its guidance on how it processes data requests, the company writes that the decryption keys are split into parts that are stored in different jurisdictions, separate from the content they protect, so that court orders from several jurisdictions “are required to force us to give up any data.” Telegram says it has not disclosed any user data to any third party or government. It does, however, process third-party takedown requests for illegal content on public channels. The practical consequence is that a Cloud Chat is only as private as Telegram's legal and operational posture, which is a different guarantee from end-to-end encryption.
Messages in Telegram's Secret Chats are not stored on Telegram's servers. Users can set messages to self-destruct after a specified time, and these messages cannot be forwarded to others. This design limits the spread of information beyond the intended recipient, which matters for confidential communications. Secret Chats use end-to-end (E-to-E) encryption over MTProto, Telegram's own protocol.
In Secret Chats, MTProto performs a Diffie-Hellman key exchange between the two clients so that only the participants hold the session key; encrypts message content with a symmetric cipher under that key, with periodic re-keying that provides perfect forward secrecy (a compromised current key does not expose earlier messages; Telegram's documentation describes replacing a key after it has been used for 100 messages or a week); and authenticates each message so that alteration in transit is detected. Together, these features are designed to keep the content readable only by the two endpoints and not by any relay, including Telegram itself. Despite the existence of Secret Chats, security experts have long taken issue with how Telegram portrays itself as a secure messenger when E-to-E encryption is not enabled by default. Matthew Green, a cryptographer and professor at Johns Hopkins University, writes that a Secret Chat has to be started for every individual private conversation and that both parties must be online when it is set up. Secret Chats are also only available for one-to-one conversations, so groups and channels always use Cloud Chat encryption. Two other popular messengers, Signal and WhatsApp, use the open source Signal protocol and enable E-to-E encryption by default. The risk is that Telegram users may not understand this nuance and assume their messages are secure when there is in fact a copy on a Telegram server that could, in theory, be reached by authorities, malicious actors or others.

Telegram also allows accounts to be registered with a virtual phone number, which can be acquired through various online services. That degree of anonymity appeals to malicious hackers who want to avoid revealing any identifying information. WhatsApp, by contrast, requires a valid phone number linked to a subscriber identity module (SIM) card, which can be more easily traced.
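The difference between the two chat types above is easiest to see in code. The following is an added illustration, not Telegram's code and not MTProto: it uses a deliberately tiny Diffie-Hellman group, a hash-based stream cipher standing in for AES, and XOR secret sharing to model the "keys split across jurisdictions" arrangement. In the cloud-chat model the relay holds the key (or can reassemble it from its shares) and can read the stored copy; in the secret-chat model the relay only ever stores ciphertext, a tampered message fails authentication, and each message uses a different key.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, used only to keep the example short. A real system
# uses a standard 2048-bit group (e.g. RFC 3526 group 14); do not reuse this one.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Shared secret as bytes; both endpoints compute the same value."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def message_key(root, counter):
    """Per-message key from the shared secret and a counter. A real protocol
    re-runs the key exchange periodically; this only models 'no two messages
    share a key'."""
    return hashlib.sha256(root + counter.to_bytes(8, "big")).digest()


def _keystream(key, nonce, length):
    """Hash-based keystream standing in for AES; not a production cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(key, nonce, ct, tag):
    """Check the tag in constant time before decrypting; None on any failure."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def split_key(key, n):
    """XOR secret sharing: every share is needed, fewer reveal nothing."""
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for p in parts:
        last = bytes(a ^ b for a, b in zip(last, p))
    return parts + [last]


def combine_key(parts):
    key = bytes(len(parts[0]))
    for p in parts:
        key = bytes(a ^ b for a, b in zip(key, p))
    return key


def cloud_chat_demo(plaintext):
    """Server-client model: the operator holds the key, so the stored copy is
    readable by whoever can assemble that key."""
    server_key = secrets.token_bytes(32)
    stored = seal(server_key, plaintext)        # the copy in the data center
    shares = split_key(server_key, 3)            # one share per jurisdiction
    return {
        "server_can_read": unseal(server_key, *stored) == plaintext,
        "one_share_is_not_key": shares[0] != server_key,
        "all_shares_recover_key": combine_key(shares) == server_key,
        "two_shares_do_not": combine_key(shares[:2]) != server_key,
    }


def secret_chat_demo(plaintext):
    """End-to-end model: only the two endpoints ever hold the key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_alice = message_key(dh_shared(a_priv, b_pub), 1)
    k_bob = message_key(dh_shared(b_priv, a_pub), 1)
    nonce, ct, tag = seal(k_alice, plaintext)    # all the relay ever stores
    # The relay saw both public values; hashing them is the best it can do.
    relay_guess = hashlib.sha256(a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big")).digest()
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    return {
        "bob_can_read": unseal(k_bob, nonce, ct, tag) == plaintext,
        "relay_cannot_read": unseal(relay_guess, nonce, ct, tag) is None,
        "plaintext_not_in_transit": plaintext not in ct,
        "tampering_detected": unseal(k_bob, nonce, tampered, tag) is None,
        "next_key_differs": message_key(dh_shared(a_priv, b_pub), 2) != k_alice,
    }


if __name__ == "__main__":
    msg = b"meet at the usual place at 21:00"
    print(cloud_chat_demo(msg))
    print(secret_chat_demo(msg))
```

Both demos return only booleans, so the point is the shape of the trust relationship rather than the primitives: in `cloud_chat_demo` the split shares raise the legal and logistical cost of compelled disclosure but never remove the operator's ability to decrypt, whereas in `secret_chat_demo` nothing the relay stores or observes lets it recover the content.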
Additionally, Telegram provides a robust application programming interface (API) for bots, enabling the automation of tasks, management of groups or integration with other services. Threat actors can leverage these bots for a range of purposes, including managing data leaks, coordinating distributed denial-of-service (DDoS) attacks or automating communication within a community. Lastly, Telegram has cultivated a reputation as being more secure and privacy-focused, despite criticisms regarding its non-default E-to-E encryption. This perception makes it an attractive platform for those concerned about privacy, even if the truth is more nuanced.
Cybercriminal Activity
Much of the cybercrime that people and companies experience comes after cybercriminals have already transacted with each other. This activity, known as cybercrime-as-a-service, refers to the goods and services that threat actors offer and sell to one another. Before Telegram, this activity was predominantly conducted in online markets hosted as Tor onion services (formerly called hidden services). Tor, short for The Onion Router, is an anonymity network that hides the real IP address of a site's server and makes it difficult for authorities to trace. Large one-stop-shop illegal online marketplaces still exist but are becoming less common because of the operational security risks they carry. Law enforcement has become more adept at investigating and uncovering the people behind the markets, and a high degree of technical competency is required to avoid the configuration and other mistakes that compromise a market's integrity or its user base. For example, even when a site is reachable only as an onion service, its operators still need a server hosted somewhere, and renting and paying for that infrastructure can leave a digital trail for investigators to follow. There are some long-running cybercriminal forums where accomplished threat actors still operate, with more sophisticated offerings such as proof-of-concept (PoC) exploit code for vulnerabilities. But those forums tend to be more heavily moderated and do not feature the scrappy kind of financial fraud that pervades Telegram.
Particularly for lower-level, lesser-skilled threat actors, Telegram has become one of the most popular online destinations for cybercrime-related goods and services: stolen payment card numbers, SIM swapping services, residential IP proxies, stolen gift cards, phishing services and breached data. Selling illegal goods still carries risk, even on Telegram, because there are other ways to uncover the real identities of threat actors, such as researching online monikers, phone numbers, email addresses, cryptocurrency addresses and other identifiers. But as described earlier, Telegram offers threat actors many advantages. The lack of moderation means most threat actors can quickly set up shop and transact without hassle.
As described earlier, the ability to launch new channels and broadcast to unlimited people makes Telegram appealing to threat actors. Sellers can spin up new channels and shut them down if they feel there’s a risk, and there are no infrastructure costs to pay. Registering with virtual numbers or burner numbers reduces the risk to an acceptable one for many. Another advantage is that Telegram offers immediate scale. Rather than creating a cybercrime forum from scratch, which requires time, investment and advertising, Telegram already offers a huge user base, and there are no registration barriers. Users only need to register with a phone number and then they have access to the whole range of public Telegram channels. For those looking to market a good or service, bot services are sold that can push an advertisement to hundreds of other channels, again providing scale and reach. Lastly, although there are desktop versions of Telegram for Windows, macOS and Linux, it is mostly used on mobile devices, which again augments its reach and scale as opposed to a forum that’s difficult to view on mobile devices.
From a cyber threat intelligence perspective, Telegram is a rich source of threat actor activity as well as insight into which goods and services are in demand. To give a sense of the scale, Intel 471 tracks new channels whenever they have a link to cybercriminal activity. We have collected intelligence from more than 5,400 Telegram channels (not all of which are still active). Monitoring these channels can provide real-time insight into how threat actors are targeting an organization and the risk that activity poses, such as compromised accounts, compromised payment cards and more.
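What "monitoring these channels" means in practice is running organization-specific matching over collected posts. The following is an added example, not Intel 471's tooling: it scans a handful of constructed channel posts (all values invented) against a hypothetical watchlist of one organization's mail domain and card BIN, reporting credential dumps, corporate email addresses, mentions of the domain or its subdomains, and Luhn-valid card numbers on a watched BIN. Card numbers are masked before they leave the scanner, and tracking or order numbers that merely look like card numbers are dropped by the Luhn check.

```python
import re

# Constructed posts standing in for what a collector stores after pulling
# messages from a monitored channel. Every value here is made up.
SAMPLE_POSTS = [
    {"channel": "cc_shop_demo", "msg_id": 101,
     "text": "FRESH CC 4532 0151 1283 0366 exp 09/27 cvv 123 USA"},
    {"channel": "logs_demo", "msg_id": 102,
     "text": "logs sale: j.doe@examplebank.test:Winter2024! valid, plus 4111 1111 1111 1111"},
    {"channel": "logs_demo", "msg_id": 103,
     "text": "tracking 1234 5678 9012 3456 ready, dm me"},
    {"channel": "access_demo", "msg_id": 104,
     "text": "selling access to vpn.examplebank.test RDP $300"},
    {"channel": "access_demo", "msg_id": 105,
     "text": "have hr list, contact m.smith@examplebank.test maybe insider"},
    {"channel": "misc_demo", "msg_id": 106,
     "text": "selling netflix accounts cheap"},
]

# Hypothetical watchlist for one organization: its mail domains and card BINs.
WATCHLIST = {"domains": {"examplebank.test"}, "bins": {"453201"}}

EMAIL = r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"
EMAIL_RE = re.compile(EMAIL)
CRED_RE = re.compile("(" + EMAIL + r"):(\S+)")          # email:password dumps
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")        # 13 to 19 digits


def luhn_ok(digits):
    """Luhn check, which drops most order/tracking numbers that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep BIN and last four; never store the full PAN in findings."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def domain_re(domain):
    """Match the domain or any subdomain, but not the domain part of an email."""
    return re.compile(r"(?<![@\w.-])(?:[\w-]+\.)*" + re.escape(domain) + r"\b", re.I)


def scan_post(post, watch):
    """Return findings for one post as dicts with a kind and a masked value."""
    text = post["text"]
    hits = []

    def add(kind, value):
        hits.append({"channel": post["channel"], "msg_id": post["msg_id"],
                     "kind": kind, "value": value})

    dumped = set()
    for m in CRED_RE.finditer(text):
        email, pw = m.group(1), m.group(2)
        if email.split("@")[1].lower() in watch["domains"]:
            dumped.add(email.lower())
            add("credential_pair", email + ":" + "*" * len(pw))
    for m in EMAIL_RE.finditer(text):
        email = m.group(0)
        if email.lower() not in dumped and email.split("@")[1].lower() in watch["domains"]:
            add("corp_email", email)
    for dom in watch["domains"]:
        for m in domain_re(dom).finditer(text):
            add("domain_mention", m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits) and digits[:6] in watch["bins"]:
            add("watched_bin", mask_pan(digits))
    return hits


def scan_posts(posts, watch):
    return [hit for post in posts for hit in scan_post(post, watch)]


if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_POSTS, WATCHLIST):
        print(hit)
```

Run against the constructed posts, the scanner flags the watched-BIN card in post 101, the credential pair in post 102, the subdomain mention in post 104 and the corporate address in post 105, while ignoring the Luhn-invalid tracking number in post 103, the unrelated card in post 102 and the generic post 106. In a real collector the posts would come from the channel feed rather than a list, and the watchlist would carry more than one domain and BIN, but the matching and masking logic is the same.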
Reaction to Durov’s Arrest
The news of Durov's arrest quickly echoed in the Russian-language underground. Within the first few days of his detention, we observed more than 200 posts and 800 instant messages about the topic on the hacker forums, Telegram groups and channels we monitor. Users actively reposted the news and launched multiple discussion threads. Some participants sympathized with the detainee, while others accused Durov of betraying his home country of Russia and referred to the arrest as “karma.” One threat actor on a low-level forum said they had moved from Telegram to the Signal messenger, but that migration appeared to be a one-off.
At a higher level, some Russian government officials referred to the arrest. Former Russian President Dmitry Medvedev posted a message that suggested Durov miscalculated by thinking that leaving Russia would solve his problems.
Russia has its own complicated history with Telegram. The country’s communications agency, Roskomnadzor, attempted to ban Telegram in 2018 after Telegram failed to comply with an order from Moscow's Tagansky Court to provide the keys to decrypt user messages. The agency also pressed Telegram to rein in certain kinds of content. The ban, however, caused significant protests, and the application continued to be used. The ban was lifted by Roskomnadzor in June 2020.
Telegram has had a significant influence on the Ukraine-Russia war. After Russia escalated to a full-scale invasion of Ukraine on Feb. 24, 2022, videos and reports posted on Telegram from Ukraine often undermined the narratives Russia pushed. Telegram also brought immediate attention to Russian atrocities in Ukraine, showing visceral images of destruction and suffering that might not have been permitted on other platforms. Two years on, Telegram remains a critical publishing and communications mechanism for both sides, with Ukraine using it to disseminate air raid warnings and other public safety information, and Russian soldiers using it to communicate.
Hacktivists Activate
Following Durov’s arrest, several pro-Russian hacktivist actors and groups announced on Aug. 25, 2024, a DDoS attack against French digital infrastructure. The Народная Cyberармия (Eng. People’s CyberArmy) aka CyberArmyRussia and UserSec groups allegedly joined the campaign, which used the #freedurov hashtag. Disrupted resources allegedly included the websites of the French National Agency for the Safety of Medicines and Health Products at ansm.sante.fr, the Court of Cassation at courdecassation.fr and the Administrative Court of Paris at paris.tribunal-administratif.fr. On Aug. 26, 2024, the hacktivist groups RipperSec and CGPLLNET claimed via the @RipperSec Telegram channel to have joined the campaign. The groups allegedly launched DDoS attacks against the online French teaching platform Bonjour de France at bonjourdefrance.com, Le Havre University at univ-lehavre.fr and the distance learning platform Cned at cned.fr.
Assessment
Technically, it appears to be business as usual on Telegram. French authorities do not appear to have taken, or at least disclosed, any technical steps to curtail the platform's functionality in parallel with the investigation. Even if they did, Russia's failed 2018 ban has already demonstrated that Telegram has built a global messaging infrastructure designed for resiliency, with data centers around the world. According to its website, Telegram has previously been headquartered in several cities, including Berlin, London and Singapore, and says that “we’re currently happy with Dubai, although we are ready to relocate again if local regulations change.” In the near term, we do not expect significant changes in cybercriminal activity as long as moderation continues at the same level and no new operational security risks emerge for users.
More broadly, the criminal charges against Durov will likely result in lengthy court proceedings. If France is perceived to be attacking free speech, that could become the primary issue rather than the one French officials have outlined, which is Telegram's refusal to engage with authorities to address proliferating criminal and cybercriminal activity. To be clear, all large social media platforms, from Facebook to Instagram to X, face moderation challenges and abuse of their platforms for illegal activity. In the U.S., this has led Congress to call the CEOs of major companies such as Facebook and Google to testify. Those platforms, however, have well-defined procedures for working with law enforcement, and investigating and removing the most grievous content, such as child sexual abuse material, is a priority for them. By bringing criminal charges against the CEO of a large platform, France is taking an aggressive and untested approach. Whether criminally charging the billionaire owner of one of the world's most used social media platforms produces the change France is seeking is now the question.