Chats and punishment: Journalists and rights groups accuse Telegram of FSB ties and exposing user data — just how worried should users be?

Source: Meduza

In recent days, the messaging app Telegram has come under scrutiny in two high-profile investigations. On June 6, the human rights group Department One reported that Russia’s Federal Security Service (FSB) has charged people with treason for contacting bots or feedback accounts linked to Ukrainian Telegram channels. Then, on June 10, the investigative outlet iStories reported ties between Russian intelligence agencies and individuals responsible for Telegram’s server infrastructure — and raised concerns that they may have access to sensitive user data. Meduza reviewed both investigations and gathered expert commentary to understand what this could mean for user privacy on the platform.

What did the investigations reveal?

A new investigation by the human rights group Department One found that, as part of a criminal case opened by Russia’s Federal Security Service (FSB) in the spring of 2022, security agents have been intercepting Telegram messages. In connection with the case, which concerns the alleged collection of information by Ukrainian intelligence that “threatens the security of the Russian Federation,” the FSB has been monitoring communications between Russian users and bots or feedback accounts linked to Ukrainian Telegram channels.

It’s not clear how exactly the FSB is gaining access to these private messages. However, human rights advocates note that at the time individuals are arrested and charged with treason, the authorities already have copies of their conversations with Ukrainian channels. “This may point to the use of undisclosed cyber-espionage tools or cooperation between Telegram and the Russian authorities,” said Department One head Dmitry Zair-Bek.

In a separate investigation, iStories found that a significant portion of Telegram’s server infrastructure is maintained by a company called Global Network Management (GNM), which is registered in Antigua and Barbuda — but also has a physical presence in Russia. The company also owns a router within Telegram’s server infrastructure — a critical piece of network hardware through which messenger traffic flows. GNM is owned by Vladimir Vedeneev, who also served as Telegram’s chief financial officer as of 2018.

The IP addresses of Telegram’s servers, which the investigation found are currently controlled by GNM, previously belonged — until 2020 — to GlobalNet, a backbone telecom operator based in St. Petersburg. Vedeneev is a co-owner of GlobalNet alongside Roman Venediktov, a former military officer and longtime business associate of Telegram founder Pavel Durov.

In 2022, Vedeneev and Venediktov’s company — which had previously described itself as the only provider offering direct access to Telegram in Russia and the CIS — deployed Deep Packet Inspection (DPI) technology to monitor user traffic. Among its clients is GlavNIVTs, an analytics center that unofficially spies on citizens on the Internet for Russian law enforcement and security agencies. Vedeneev is also linked to Electrontelecom, another company that works with the FSB.

iStories also flagged a Telegram feature that, while not hidden, raises serious concerns. Whenever the app generates an encrypted message on a user’s phone or computer — whether in a regular or “secret” chat — it automatically includes an unencrypted device identifier at the beginning of the message, known as “auth_key_id.”

This vulnerability was analyzed by digital security expert Michał “rysiek” Woźniak (his detailed report on auth_key_id is available here). As Woźniak explained, any intermediary routing Telegram traffic could potentially track these device identifiers. Combined with other metadata — like IP addresses and timestamps — this might make it possible to determine a user’s location or link devices exchanging messages.
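
To make the linkability concern concrete, the following added example (not from Meduza, iStories or Woźniak's report) builds constructed message envelopes in the layout the MTProto documentation describes, auth_key_id followed by msg_key and ciphertext, and shows what can be read from them without any key. Transport framing and obfuscation are left out, and the function names, IP addresses and timestamps are assumptions made up for the illustration.

```python
import hashlib
import os
import struct
from collections import defaultdict

def auth_key_id(auth_key: bytes) -> bytes:
    """MTProto key identifier: the 64 lower-order bits of SHA-1(auth_key)."""
    return hashlib.sha1(auth_key).digest()[-8:]

def envelope(auth_key: bytes, payload_len: int) -> bytes:
    """Constructed stand-in for an encrypted MTProto message:
    auth_key_id (8 bytes) || msg_key (16 bytes) || encrypted_data.
    Random bytes replace the real msg_key and ciphertext, because the
    point here is the cleartext prefix, not the cipher."""
    return auth_key_id(auth_key) + os.urandom(16) + os.urandom(payload_len)

def parse_prefix(packet: bytes):
    """Return what is readable without any key: identifier and payload size."""
    if len(packet) < 24:
        raise ValueError("shorter than auth_key_id + msg_key")
    (key_id,) = struct.unpack_from("<Q", packet, 0)
    if key_id == 0:
        raise ValueError("auth_key_id 0 marks an unencrypted handshake message")
    return key_id, len(packet) - 24

def link_by_key_id(observations):
    """Group (timestamp, src_ip, packet) records by cleartext auth_key_id."""
    seen = defaultdict(list)
    for ts, ip, packet in observations:
        try:
            key_id, size = parse_prefix(packet)
        except ValueError:
            continue  # not an encrypted message envelope
        seen[key_id].append((ts, ip, size))
    return dict(seen)

# Constructed sample: device A changes network between messages, device B does not.
KEY_A, KEY_B = os.urandom(256), os.urandom(256)
SAMPLE = [
    (1000, "198.51.100.7", envelope(KEY_A, 64)),
    (1004, "203.0.113.20", envelope(KEY_B, 128)),
    (1900, "192.0.2.55", envelope(KEY_A, 64)),  # same device, new IP address
    (1901, "192.0.2.55", b"\x00" * 8 + os.urandom(32)),  # handshake-style, skipped
]

if __name__ == "__main__":
    for key_id, rows in link_by_key_id(SAMPLE).items():
        print(f"{key_id:016x}", rows)
```

The two records for device A end up under one identifier despite the different source addresses, while the payload bytes remain opaque to the observer.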

How did the companies respond?

Pavel Durov’s company offered only a few brief statements.

In a comment to the outlet Vot Tak, Telegram’s press office said that “all Telegram servers are owned by Telegram and maintained by Telegram staff” and that “unauthorized access is not possible.” The company added, “Telegram has no employees or servers in Russia. In the entire history of Telegram, not once has it handed over private messages to third parties, and its encryption has never been broken.”

In a separate comment to BBC News Russian, Telegram stated that it “has contracts with dozens of different service providers around the world,” but that none of them “has access to Telegram’s data or confidential infrastructure.”

GNM told Varlamov News that its owner, Vladimir Vedeneev, has never held any official position at Telegram, and that references to him as chief financial officer in past documents were “technical and formal in nature.” GNM emphasized that it “does not have access to Telegram data, encryption keys, or message content.”

As for the device identifier auth_key_id, the company said it “does not contain any unique user identifier.” The company also said,

“Even if network traffic is intercepted, it is impossible to determine who is communicating with whom or to decrypt messages without the encryption key. […] No GNM equipment has been used to analyze, filter, or monitor Telegram traffic. […] [GNM] does not cooperate with Russian state agencies, does not engage in surveillance, has no ties to intelligence services, and strictly complies with the laws of the countries where it operates.”


What do experts and activists have to say?

The investigations into Telegram prompted responses from several well-known experts who study the platform’s technical infrastructure and the broader landscape of Internet censorship in Russia. Here’s what some of them had to say:

Investigative journalist Andrey Zakharov

Through SORM, the FSB can see who in Russia is connecting to Telegram (as long as the person isn’t using a VPN). Based on packet size, it can tell whether they’re making calls or sending messages — but it can’t read the content or listen in, since those are encrypted. That said, Telegram has many vulnerabilities, which in its case often aren’t bugs but features — like the lack of end-to-end encryption, which allows users to access their chats on a new device. One such vulnerability is the open auth_key_id included at the beginning of every message. Telegram doesn’t even try to hide this — it’s clearly spelled out in the MTProto encryption protocol documentation by Nikolai Durov.

Auth_key_id is also visible through SORM, and Russian authorities may have used it to track people in occupied parts of Ukraine (credit to David Frenkel from Mediazona for pointing out this 2022 publication). It’s important to clarify: all telecom operators [in Russia] are required to install SORM equipment, regardless of whether they hold contracts with the FSB or privately oppose Putin.

Mediazona journalist David Frenkel

If someone — like the Russian authorities — is monitoring all Internet connections in a region, then it’s easy to track when a specific user sends or receives messages [using the auth_key_id]. These auth_key_ids can also be visible to someone with access to Telegram’s servers — like Vedeneev.

In 2022, this method of surveillance was described in a case involving partisans in Kherson. Russian security agents told one detainee they would release him on the condition that he send them screenshots of any new conversations with his associates. They also said they would know if he received a new message but didn’t send a screenshot. Based on Telegram’s technical documentation, this is entirely possible: the server sends messages tagged with a fixed device number. So, it’s possible to see that a device is sending or receiving messages, and where the person is located (the IP address), but not what the message says or who it’s for.

However, there are also other methods — beyond the obvious vulnerabilities — that can be used to deanonymize users or even determine whether someone is in a specific chat. These rely on statistical traffic analysis, and in that sense, Telegram is no different from other messengers. There’s plenty of academic research on this — here’s one recent paper.

There are also simpler explanations [for how the authorities might have gotten access to the messages mentioned in the Department One investigation]: “honeypots” (fake resources, which independent researchers recently wrote about), software vulnerabilities, or just carelessness and mistakes by correspondents — mistakes they don’t always want to admit.

Former Telegram manager Anton Rosenberg

User chats are stored in Telegram’s proprietary non-relational database management system called text-engine. The data files on disk are encrypted, and the disks themselves are also encrypted. But of course, Telegram itself has both sets of encryption keys (and Pavel [Durov] confirmed this in his August 2017 article, Why Isn’t Telegram End-to-End Encrypted by Default?). A third party who removes a disk from the server wouldn’t be able to decrypt the data — but at the level of the running database, the messages are, in fact, unencrypted. Since I worked on anti-spam efforts, I had access to them.

Anti-Corruption Foundation political director Leonid Volkov

I was deeply disappointed both by the iStories piece on Telegram and by the way people uncritically amplified it. That’s not how this should be done.

Turning it into a scandal — “ahhh Telegram is handing everything to the FSB” — just because (a) the LIR from which Telegram buys its IP addresses was founded by a Russian national, and (b) that Russian also owns a small provider that, like every single provider in Russia, has installed SORM — is, frankly, an unprofessional and sensationalist stretch.

There’s no evidence that the company providing Telegram with server infrastructure has access to user messages, let alone that it passes them to the FSB. Claims like that require evidence that’s an order of magnitude more compelling than what iStories presents. Spreading panic based on shaky (and inaccurate) accusations is just foolish.

And most importantly — there’s the elephant in the room, holding Occam’s razor in its trunk. The FSB doesn’t need any technological backdoors into Telegram’s infrastructure when there’s Durov, who, as we’ve seen time and again, is clearly willing to make sweeping compromises, fulfill Kremlin demands, and play behind-the-scenes games with Putin and other dictators.

The Bell

[What does the iStories investigation mean for the safety of Telegram users?] In practical terms — not much. Even if we assume that the FSB has access to the infrastructure handling Telegram’s Russian traffic (the servers in question are located outside Russia), this alone doesn’t give them any surveillance capabilities beyond what they already have through the SORM system installed at all Russian Internet providers.

If Vedeneev’s company controls only the IP addresses through which Telegram traffic passes (as iStories proved), it would be able to manage the routing of that traffic. But that only provides access to the same data available to an Internet provider — and thus, to the security services via SORM — or to a VPN service, a technical expert from [the digital rights group] Roskomsvoboda explained to The Bell. That’s not a huge amount of information: just your IP address, your session duration on Telegram, and the volume of traffic. To access the rest of the data — for example, the contents of messages — you need encryption keys that only Telegram itself could provide. But that’s not what’s being discussed here.

Even if we assume that all Telegram traffic passes through this infrastructure, and that the FSB has unrestricted access to it (neither of which the investigation claims), the most it would give the security services is the same kind of metadata on Telegram’s international users that they already collect on Russian users through SORM. It would not allow the FSB to read any messages.

Lawyer Sarkis Darbinyan

There is something new in this investigation — namely, that a certain Mr. Vedeneev (and his LIR structure) is the main contractor working with Durov, and that Vedeneev had ties to government contracts and the FSB. That’s a key point, because up until now, Durov has repeatedly emphasized that Telegram — even without end-to-end encryption in regular chats like WhatsApp — is a more secure option precisely because it doesn’t cooperate with government agencies, doesn’t collect metadata, and doesn’t have backdoors. Durov has said that the absence of end-to-end encryption in Telegram’s standard chats isn’t due to any malicious intent, but rather for user convenience — so people can transfer their chat history between devices.

As for message protection, Durov has claimed that it’s ensured in part by a distributed data storage architecture, with servers located in different countries supposedly making it impossible for any one government to access them all at once and thus gain access to users’ conversations. Of course, Durov never mentioned that [Telegram’s] IP addresses are supplied by Mr. Vedeneev, a figure who, given his background and business activities, seems a dubious one.

You can connect the dots from there. The facts we now have certainly cast a shadow over the messenger and raise doubts about Durov’s credibility. It’s possible that someone does have access to these chats. We know that Vedeneev is a trusted party. But we don’t know whether he or his company actually understand Telegram’s internal encryption algorithms. In short, there are reasonable doubts about all this. At the same time, to be fair, no one has yet proven that Telegram regularly collaborates with Russian security agencies or that anyone has access to all users’ messages.

The iStories investigation doesn’t directly prove any leaks or cooperation. Even if we assume that the FSB has full access to the entire infrastructure through which Telegram traffic passes, this alone wouldn’t give them any surveillance capabilities beyond what Russian special services already have through the SORM system installed at every telecom node.

Mikhail Klimarev, director of the Internet Protection Society

So far (and I stress SO FAR), we haven’t seen a single message that was actually leaked from Telegram [to the FSB, as Department One reported]. But as Andrey Zakharov wrote — this isn’t a bug, it’s a feature. Telegram isn’t really a messaging app anymore. It’s more like a social network. And yes — it’s true that users can be identified in Telegram through their TelegramID, a unique number assigned to every user upon registration. Otherwise, how would one user be able to message another without some kind of identifier?

And yes — if you post in public chats or comment on posts, that TelegramID becomes visible.

From there, someone can search for that ID in other public chats, compare it against leaked data, and do a whole lot more. But that’s not really an issue if you’re just messaging someone you know and they’re replying. Your TelegramID remains unknown to anyone else, and all messages are encrypted in transit against interception by third parties. And if you enable “secret chats,” even Durov himself can’t read them. It’s basically like Signal — just without all the preaching about “protection.”

So how is the FSB catching people [in the cases mentioned by Department One]? The answer is simple: it’s called a honeypot. Or bait. Or whatever else you want to call it. FSB agents just create bots themselves and spread them everywhere as supposed “contact bots” for the SBU or the Russian Volunteer Corps. Then people write to them, and the agents either trick them into setting themselves up — giving up a phone number, a bank card — or they use OSINT tools through bots [like] “Eye of God,” of which there are now a million. That’s how they catch people.

Blaming an operator [as iStories does in its investigation] for having something to do with traffic just because that traffic passes through their infrastructure is, to put it mildly, a stretch. Accusations about who worked where a hundred years ago won’t hold up in court either. Lots of people have worked all over the place — I’ve been in tech for 35 years, and I’ve worked everywhere.

And most importantly — [the iStories investigation] mentions something about user IDs leaking in plaintext. That’s something that needs to be double-checked — a vulnerability like that wouldn’t go unnoticed by the legion of hackers out there. […] But right off the bat, my gut tells me this is a bit of a reach — like they’re forcing the facts to fit the narrative. Overall, I expected more evidence and fewer emotions from the investigation.
