Reception of Telegram Security Features


This article provides a chronological account of the reception of and responses to various security features on the messaging app Telegram.


2013

In 2013, an author on the Russian programming website Habr discovered a weakness in the first version of MTProto that would allow an attacker to mount a man-in-the-middle attack and prevent the victim from being alerted by a changed key fingerprint. The bug was fixed on the day of the publication with a $100,000 payout to the author and a statement on Telegram's official blog. [1]

2014

On 26 February 2014, the German consumer organization Stiftung Warentest evaluated several data-protection aspects of Telegram, along with other popular instant-messaging clients. Among the aspects considered were: the security of the data transmission, the service's terms of use, the accessibility of the source code, and the distribution of the app. Telegram was rated 'problematic' (kritisch) overall. The organization was favorable to Telegram's secure chats and partially free code but criticized the mandatory transfer of contact data to Telegram's servers and the lack of an imprint or address on the service's website. It noted that while the message data is encrypted on the device, it could not analyze the transmission due to a lack of source code. [2]

In March 2014, Telegram promised that "all code will be released eventually", including all the various client applications (Android, iOS, desktop, etc.) and the server-side code. [3] As of May 2021, Telegram had not published its server-side source code. [4] In January 2021, Durov explained his rationale for not releasing the server-side code, citing reasons such as end users' inability to verify that any released code is the same code actually run on the servers, and a government that had wanted to acquire the server code in order to build an instant-messaging network that would end competitors. [5]

2015

The Electronic Frontier Foundation (EFF) listed Telegram on its "Secure Messaging Scorecard" in February 2015. Telegram's default chat function received a score of 4 out of 7 points on the scorecard. It received points for having communications encrypted in transit, having its code open to independent review, having the security design properly documented, and having completed a recent independent security audit. Telegram's default chat function missed points because the communications were not encrypted with keys the provider did not have access to, users could not verify contacts' identities, and past messages were not secure if the encryption keys were stolen. Telegram's optional secret chat function, which provides end-to-end encryption, received a score of 7 out of 7 points on the scorecard. [6] The EFF said that the results "should not be read as endorsements of individual tools or guarantees of their security", and that they were merely indications that the projects were "on the right track". [6]

In December 2015, two researchers from Aarhus University published a report in which they demonstrated that MTProto 1.0 did not achieve indistinguishability under chosen-ciphertext attack (IND-CCA) or authenticated encryption. [7] The researchers stressed that the attack was of a theoretical nature and that they "did not see any way of turning the attack into a full plaintext-recovery attack". Nevertheless, they said they saw "no reason why [Telegram] should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist". [8] The Telegram team responded that the flaw does not affect message security [9] and that "a future patch would address the concern". [10] Telegram 4.6, released in December 2017, supports MTProto 2.0, which satisfies the conditions for IND-CCA. [11] [12] MTProto 2.0 is seen by qualified cryptographers as a vast improvement to Telegram's security. [11]

2016

In May 2016, critics disputed claims by Telegram that it is "more secure than mass market messengers like WhatsApp and Line", [13] as WhatsApp claims to apply end-to-end encryption to all of its traffic by default and uses the Signal Protocol, which has been "reviewed and endorsed by leading security experts", while Telegram does neither and stores all messages, media and contacts in its cloud. [14] [11] Since July 2016, Line has also applied end-to-end encryption to all of its messages by default, [15] though it has also been criticized for being susceptible to replay attacks and for lacking forward secrecy between clients. [16]

In April 2016, several Russian opposition members' accounts were hijacked by intercepting the SMS messages used for login authorization. [17] In response, Telegram recommended using the two-factor authentication feature. [17] In May 2016, the Committee to Protect Journalists and Nate Cardozo, senior staff attorney at Electronic Frontier Foundation, recommended against using Telegram because of "its lack of end-to-end encryption [by default] and its use of non-standard MTProto encryption protocol, which has been publicly criticized by cryptography researchers, including Matthew Green". [14]

On 2 August 2016, Reuters reported that Iranian hackers compromised more than a dozen Telegram accounts and identified the phone numbers of 15 million Iranian users, as well as the associated user IDs. Researchers said the hackers belonged to a group known as Rocket Kitten. Rocket Kitten's attacks were similar to ones attributed to Iran's Islamic Revolutionary Guards Corps. The attackers took advantage of a programming interface built into Telegram. According to Telegram, these mass checks are no longer possible because of limitations introduced into its API earlier in 2016. [18]

Login SMS messages are known to have been intercepted in Iran, Russia and Germany, possibly in coordination with phone or telecom companies. [17] [19] [20] Pavel Durov has said that Telegram users in "troubled countries" should enable two-factor authentication by creating passwords in order to prevent this. [17] [19]

2017

In June 2017, Pavel Durov in an interview said that U.S. intelligence agencies tried to bribe the company's developers to weaken Telegram's encryption or install a backdoor during their visit to the U.S. in 2016. [21] [22]

2018

In 2018, Telegram sent a message to all Iranian users stating that the Telegram Talai and Hotgram unofficial clients are not secure. [23]

2019

On 9 June 2019, The Intercept released leaked Telegram messages exchanged between current Brazilian Minister of Justice and former judge Sérgio Moro and federal prosecutors. [24] The hypothesis is that either mobile devices were hacked by SIM swap or the targets' computers were compromised. [25] The Telegram team tweeted that it was either because the user had malware or they were not using two-step verification. [26]

On 12 June 2019, Telegram confirmed that it suffered a denial-of-service attack which disrupted normal app functionality for approximately one hour. Pavel Durov tweeted that the IP addresses used in the attack mostly came from China. [27]

In December 2019, multiple Russian businessmen suffered account takeovers that involved bypassing SMS single-factor authentication. Security company Group-IB suggested SS7 mobile signalling protocol weaknesses, illegal usage of surveillance equipment, or telecom insider attacks. [28] [29]

2020

On 30 March 2020, an Elasticsearch database holding 42 million records containing user IDs and phone numbers of Iranian users was exposed online without a password. The records were extracted not from Telegram itself but from an unofficial version of the app, in what appears to be a possibly government-sanctioned fork. It took 11 days for the database to be taken down, but the researchers say the data was accessed by other parties in the meantime, including a hacker who reported the information to a specialized forum. [30] [31] [32]

In September 2020, it was reported that Iran's RampantKitten espionage group ran a phishing and surveillance campaign against dissidents on Telegram. [33] The attack relied on people downloading a malware-infected file from any source, at which point it would replace Telegram files on the device and 'clone' session data. David Wolpoff, a former Department of Defense contractor, has stated that the weak link in the attack was the device itself and not any of the affected apps: "There's no way for a secure communication app to keep a user safe when the end devices are compromised." [34]

2021

In July 2021, researchers from Royal Holloway, University of London and ETH Zurich published an analysis of the MTProto protocol, concluding that the protocol could provide a "confidential and integrity-protected channel" for communication. They also found that attackers had the theoretical ability to reorder messages sent from the client to the server, though the attacker would not be able to see the content of the messages. Several other theoretical vulnerabilities were reported as well, in response to which Telegram released a document stating that the MITM attack on the key exchange was impossible, as well as detailing the changes made to the protocol to protect against it in the future. All issues were patched before the paper's publication, with a security bounty paid out to the researchers. [35] [36] [37]

In September 2021, a Russian researcher published details about a bug with the self-destruct feature that allowed the user to recover deleted photos from their own device. The bug was patched prior to publication and Telegram representatives offered a €1,000 bug bounty. The researcher did not sign the NDA that came with the offer and did not receive the award, opting to disclose the bug. [38] [37] [39] [40] [41]

2022

2023

In March 2023, the Norwegian National Security Authority (NSM) advised against the use of Telegram and TikTok on business devices, especially those used for government-related activities; the assessment was commissioned and supported by Emilie Enger Mehl, the Minister of Justice and Public Security. Regarding Telegram, the report cites its lack of end-to-end encryption by default, its Russian origins and third-party open-source intelligence as the major points of criticism. [42]

2024

In July 2024, ESET reported a vulnerability that allowed malicious files to be sent to users disguised as multimedia. [43]

2025

In June 2025, an IStories investigation revealed that key parts of Telegram's technical infrastructure are operated by companies owned by a network engineer who has collaborated with the Russian intelligence services, raising concerns over potential metadata access and user surveillance. [44] [45] [46] [47]

  1. "Crowdsourcing a More Secure Future". Telegram. 21 December 2013. Archived from the original on 26 December 2018. Retrieved 12 May 2021.
  2. "WhatsApp und Alternativen: Datenschutz im Test" [WhatsApp and alternatives: data protection tested]. Stiftung Warentest (in German). 26 February 2014. Archived from the original on 12 May 2019. Retrieved 22 December 2020.
  3. "Telegram F.A.Q." 9 March 2014. Archived from the original on 9 March 2014. Retrieved 21 January 2019.
  4. "Telegram F.A.Q." 14 January 2019. Archived from the original on 14 January 2019. Retrieved 21 January 2019.
  5. "Durov's Chat". Telegram. Archived from the original on 12 January 2021. Retrieved 12 January 2021.
  6. "Secure Messaging Scorecard". Electronic Frontier Foundation. 17 February 2015. Archived from the original on 28 July 2016. Retrieved 20 July 2016.
  7. Jakobsen & Orlandi 2015, p. 6
  8. Jakobsen & Orlandi 2015, p. 1
  9. "FAQ for the Technically Inclined: What about IND-CCA?". Telegram. Archived from the original on 28 January 2017. Retrieved 25 March 2017.
  10. Clary, Grayson (4 January 2016). "The Flaw in ISIS's Favorite Messaging App". The Atlantic. Archived from the original on 12 May 2019. Retrieved 25 March 2017.
  11. Turton, William (24 June 2016). "Why You Should Stop Using Telegram Right Now". Gizmodo. Gawker Media. Archived from the original on 8 July 2016. Retrieved 22 December 2020.
  12. "FAQ for the Technically Inclined". Telegram. Archived from the original on 28 January 2017. Retrieved 9 December 2017.
  13. "FAQ: How secure is Telegram?". Telegram official website. Archived from the original on 9 February 2014. Retrieved 10 February 2014.
  14. "Why Telegram's security flaws may put Iran's journalists at risk". Committee to Protect Journalists. 31 May 2016. Archived from the original on 19 August 2016. Retrieved 20 July 2016.
  15. Sawers, Paul (30 June 2016). "Ahead of IPO, mobile messaging giant Line introduces end-to-end encryption by default". VentureBeat. Archived from the original on 12 May 2019. Retrieved 22 December 2020.
  16. Espinoza, Tolley & Crandall 2017
  17. Lokot, Tetyana (2 May 2016). "Is Telegram Really Safe for Activists Under Threat? These Two Russians Aren't So Sure". Advox. Global Voices. Archived from the original on 12 May 2019. Retrieved 4 May 2016.
  18. "Keep Calm and Send Telegrams!". Telegram. 3 August 2016. Archived from the original on 8 November 2020. Retrieved 17 August 2020.
  19. Menn, Joseph; Torbati, Yeganeh (2 August 2016). "Exclusive: Hackers accessed Telegram messaging accounts in Iran – researchers". Reuters. San Francisco/Washington: Thomson Reuters. Archived from the original on 18 May 2019. Retrieved 3 August 2016.
  20. Lipp, Sebastian; Hoppenstedt, Max (26 August 2016). "Exklusiv: Wie das BKA Telegram-Accounts von Terrorverdächtigen knackt" [Exclusive: How the BKA cracks the Telegram accounts of terror suspects]. Motherboard (in German). Vice Media Inc. Archived from the original on 11 December 2016. Retrieved 5 December 2022.
  21. "Telegram founder: U.S. intelligence agencies tried to bribe us to weaken encryption". FastCo News. 15 June 2017. Archived from the original on 19 July 2017. Retrieved 15 June 2017.
  22. Leyden, John (14 June 2017). "Telegram chat app founder claims Feds offered backdoor bribe". The Register. Situation Publishing. Archived from the original on 12 May 2019. Retrieved 15 June 2017.
  23. هشدار تلگرام درباره ناامن بودن "هاتگرام" و "طلاگرام" [Telegram's warning about the insecurity of "Hotgram" and "Talagram"] (in Persian), 17 December 2018, archived from the original on 20 November 2020, retrieved 18 January 2019
  24. "Secret Brazil Archive — An Investigative Series by The Intercept". The Intercept. Archived from the original on 28 November 2020. Retrieved 10 June 2019.
  25. "Como hackers tiveram acesso a conversas privadas de Sergio Moro?" [How did hackers gain access to Sergio Moro's private conversations?]. noticias.uol.com.br (in Brazilian Portuguese). Archived from the original on 3 July 2019. Retrieved 10 June 2019.
  26. @telegram (11 June 2019). "Indeed, there's no evidence of any hack. Most likely to have been either malware or someone not using a 2-step verification password" (Tweet) via Twitter.
  27. "Telegram founder links cyber attack to China". 13 June 2019. Archived from the original on 11 July 2019. Retrieved 13 June 2019.
  28. Brewster, Thomas. "Mystery Russian Telegram Hacks Intercept Secret Codes To Spy On Messages". Forbes. Archived from the original on 1 November 2020. Retrieved 13 December 2019.
  29. TV Rain Inc. (4 December 2019). "Group-IB: российские предприниматели пожаловались на взлом переписки в Telegram" [Group-IB: Russian businessmen complained about their Telegram correspondence being hacked]. tvrain.ru (in Russian). Archived from the original on 13 August 2020. Retrieved 13 December 2019.
  30. "Report: 42M Iranian "Telegram" User IDs & Phone Numbers Leaked Online". Comparitech. 30 March 2020. Archived from the original on 4 December 2020. Retrieved 8 April 2020.
  31. Stahie, Silviu (7 April 2020). "Elasticsearch Database with 42 Million Records of Iranian Citizen Found Exposed Online". Security Boulevard. Archived from the original on 6 December 2020. Retrieved 8 April 2020.
  32. Stahie, Silviu (7 April 2020). "Elasticsearch Database with 42 Million Records of Iranian Citizen..." HOTforSecurity. Archived from the original on 24 October 2020. Retrieved 8 April 2020.
  33. "RampantKitten: An Iranian Surveillance Operation unraveled". Check Point Software. 18 September 2020. Archived from the original on 28 October 2020. Retrieved 19 September 2020.
  34. "Check Point researchers: Iranian hackers can bypass encrypted apps like Telegram". Security Magazine. 22 September 2020. Archived from the original on 22 October 2020. Retrieved 25 September 2020.
  35. "Security Analysis of Telegram (Symmetric Part)". Github. 16 July 2021. Archived from the original on 16 July 2021. Retrieved 16 July 2021.
  36. "MTProto Analysis: Comments for the technically inclined". Telegram. 16 July 2021. Archived from the original on 16 July 2021. Retrieved 16 July 2021.
  37. "Cryptographers unearth vulnerabilities in Telegram's encryption protocol". Cyberscoop. 16 July 2021. Archived from the original on 16 July 2021. Retrieved 16 July 2021.
  38. Sharma, Ax (4 October 2021). "Researcher refuses Telegram's bounty award, discloses auto-delete bug". ArsTechnica. Archived from the original on 8 October 2021. Retrieved 8 October 2021.
  39. "Конфиденциальность пользователей Telegram снова нарушена. Представители мессенджера требуют не раскрывать подробностей" [Telegram users' privacy violated again. The messenger's representatives demand that the details not be disclosed]. habr.com (in Russian). 29 September 2021. Archived from the original on 7 October 2021. Retrieved 8 October 2021.
  40. "bug bounty EUR1,000.pdf". Google Docs. Archived from the original on 7 October 2021. Retrieved 8 October 2021.
  41. "NVD – CVE-2021-41861". nvd.nist.gov. Archived from the original on 8 October 2021. Retrieved 8 October 2021.
  42. "Anbefaler ikke Tiktok eller Telegram på tjenesteenheter" [Do not recommend Tiktok or Telegram on service devices]. Nasjonal sikkerhetsmyndighet (in Norwegian). 23 March 2023. Archived from the original on 26 March 2023. Retrieved 26 March 2023.
  43. "Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android".
  44. Anin, Roman; Kondratyev, Nikita (10 June 2025). "Telegram, the FSB, and the Man in the Middle". iStories. Translated and edited by OCCRP. Archived from the original on 12 June 2025. Retrieved 21 July 2025.
  45. "Telegram Responds to IStories Investigation on Messenger Servers". iStories. 10 June 2025. Archived from the original on 12 June 2025. Retrieved 21 July 2025.
  46. "Investigation Uncovers Telegram's Potential Links to Russia's FSB". The Moscow Times. 10 June 2025. Archived from the original on 13 June 2025. Retrieved 21 July 2025.
  47. Borodikhin, Alexander; Frenkel, David (11 June 2025). "End-to-end suspicion. An iStories-OCCRP investigation raises serious doubts about Telegram's Russia ties, but evidence remains elusive". Mediazona. Archived from the original on 20 June 2025. Retrieved 21 July 2025.