Experts say Telegram’s team of ‘30 engineers’ is a security red flag | TechCrunch

Over the weekend, a clip of a recent interview with Telegram founder Pavel Durov went semi-viral on X (formerly Twitter). In the video, Durov tells right-wing personality Tucker Carlson that he is the only product manager at the company and that he only employs “about 30 engineers.”

Security experts say that while Durov boasted that his Dubai-based company was “super efficient,” what he said was actually a red flag for users.

“No end-to-end encryption, huge number of vulnerable targets and servers located in the UAE? It seems like it would be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch.

Green was referring to the fact that by default Telegram chats are not end-to-end encrypted like they are on Signal or WhatsApp. A Telegram user must initiate a “Secret Chat” to enable end-to-end encryption, making messages unreadable by Telegram or anyone other than the intended recipient. Also, over the years, many people have doubted the quality of Telegram’s encryption, given that the company uses its own proprietary encryption algorithm created by Durov’s brother, as he said in an extended version of the interview with Carlson.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a longtime expert on the security of at-risk users, said it’s important to remember that Telegram, unlike Signal, is much more than just a messaging app.

“What makes Telegram different (and much worse!) is that Telegram is not just a messaging app, it’s also a social media platform. As a social media platform, it sits on a huge amount of user data. In fact, it is based on the content of all non-one-to-one communications that were specifically [end-to-end] encrypted,” Galperin told TechCrunch. “‘Thirty engineers’ means no one to fight legal claims, no infrastructure to deal with abuse and content moderation issues.”

“And I would even say that the quality of those 30 engineers is not that good,” Galperin continued. “Also, if I were a threatening actor, I would definitely consider this encouraging news. Every striker loves a deeply undermanned and overworked opponent.”

In other words, Telegram is unlikely to be very effective against hackers, especially government-backed ones, with such a small staff.

Telegram did not respond to a request for comment, which included questions about whether the company has a chief security officer and how many of its engineers work full-time securing the platform.

Last week, renowned cybersecurity expert SwiftOnSecurity wrote on X that “The cost of running a company that has all the necessary cybersecurity tools and staff is absolutely obscene.”

“It’s hard to describe the numbers I saw. Even saying it’s a gray area. But it is [an] amazing staff and cost,” SwiftOnSecurity wrote.

In general, even the biggest companies on the planet probably don’t spend enough money, time and energy to secure themselves. Telegram has almost one billion users, according to Durov. It is one of the most popular platforms for people working in crypto (who move millions of dollars), extremists, hackers and misinformation peddlers.

This makes it an incredibly interesting target for both criminal and government hackers. And the company has, at most, only a handful of people dedicated to cybersecurity.

For years, security experts have warned that people should not look at Telegram as a truly secure messaging app. Given what Durov said recently, it could be even worse than experts thought.
