Current Buzz Spot

Infosec experts detail widespread Telegram abuse | TechTarget



Cybersecurity vendors say threat activity on Telegram has grown rapidly in recent years, and they don't expect the arrest of founder and CEO Pavel Durov to change that trend.

The arrest of Telegram's founder and CEO has sparked debates across the technology landscape. But infosec professionals largely agree the platform plays a significant role in facilitating cybercrime activities such as malware distribution, hacktivism and selling stolen credentials.

Last month, French authorities arrested Pavel Durov for allegedly enabling an array of illegal activities on the messaging platform, from drug trafficking and money laundering to the possession of child sexual abuse materials. Durov founded the cloud-based platform in 2013, and it's become widely used for its social media and instant messaging services.

While Telegram is used for legitimate purposes, cybersecurity vendors say it's also become a haven for threat actors. Durov is accused of facilitating those illegal activities through the platform's lack of content moderation and security checks.

Threat intelligence company Intel 471 expanded on the charges and Telegram's prominent role in cybercriminal activity in a blog post last month. The threat intelligence firm said the platform "is known for hands-off moderation." However, Intel 471 said Telegram rebuked such claims in a post on X, stating its standards align with its peers and that its rules abide by European Union laws and the Digital Services Act.

The blog post also provided technical details of how Telegram works. One feature that facilitates illegal activity is known as Secret Chats. Intel 471 highlighted how decryption keys are stored on different servers in different jurisdictions, which makes it more difficult for law enforcement to act.

"Telegram's encryption model varies by chat type: Cloud Chats and Secrets. Cloud Chats employ server-client encryption, where the data is encrypted in the cloud in multiple data centers around the world. Although that data could be accessed with a court order, Telegram has intentionally designed it to be difficult for authorities," Intel 471 wrote in the blog post.

Jeremy Kirk, executive editor at Intel 471, discussed Telegram's role in illicit activities with TechTarget Editorial. Kirk listed several traits that make Telegram appealing to cybercriminals. One example is secure, person-to-person communications with Secret Chats, which are encrypted.

He also highlighted how Telegram's features allow it to act more like a social network: users can create "groups" that accommodate up to 200,000 members, as well as "channels" with unlimited subscribers. In those groups, cybercriminals continually stream advertisements for illegal services, he added.

Intel 471 has observed threat actors selling SIM swapping services, bank account details, credentials, stolen credit cards and more. "There are other features that are useful as well, such as the ability to send large files up to 2 GB and bot functionality. The scale of Telegram allows threat actors to reach out to other cybercriminals who might be interested in their services," Kirk said.

Regarding how long cybercriminals have been using Telegram, Kirk said Intel 471 has collected intelligence on more than 5,500 channels linked to malicious hacking, financial fraud and other activities over the past few years. Aside from the recent charges against Durov, Kirk said many countries have been trying to get Telegram to be more compliant with law enforcement and intelligence agency requests.

"Broadly, most social media platforms have to deal with issues with users abusing their platforms, so this is a challenge that is not unique to Telegram. Telegram stands out, however, since obvious cybercriminal activity on the platform is prolific and easy to find," Kirk said.

A big part of the charges against Durov involved a lack of content moderation. While Telegram will process takedown requests for illegal content posted on public channels, Kirk said users can create private or group channels where Telegram does not process any legal requests. Additionally, he said that while intelligence agencies have been concerned that the platform is used by extremists to communicate, Telegram doesn't respond to requests for user communications or data.

Following Durov's arrest, The Verge reported that Telegram changed the language in its FAQ regarding how private chats were moderated. The company previously said, "We do not process any requests related to" private chats, but the FAQ has been updated with reporting and takedown request options. However, infosec experts agree that's not going to have much effect on the platform's widespread abuse.
