Over the weekend, an excerpt from a recent interview with Telegram founder Pavel Durov went semi-viral on X (formerly Twitter). In the video, Durov tells right-wing personality Tucker Carlson that he is the only product manager at the company and only employs “about 30 engineers.”
Security experts say that while Durov boasted that his Dubai-based company was “super efficient,” what he said was actually a red flag for users.
“No end-to-end encryption, massive numbers of vulnerable targets and servers located in the UAE? It seems like this would be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch.
Green was referring to the fact that — by default — chats on Telegram are not end-to-end encrypted like on Signal or WhatsApp. A Telegram user must initiate a “Secret Chat” to enable end-to-end encryption, making messages unreadable to Telegram or anyone other than the intended recipient. Also, over the years, many people have questioned the quality of Telegram’s encryption, since the company uses its own proprietary encryption algorithm, created by Durov’s brother, as he said in an extended version of the Carlson interview.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a longtime expert on the security of users at risk, said it’s important to remember that Telegram, unlike Signal, is much more than just a messaging app.
“What makes Telegram different (and much worse!) is that Telegram is not just a messaging app, it’s also a social media platform. As a social networking platform, it relies on a huge amount of user data. Indeed, it is in the content of all communications that are not specifically given one-to-one messages [end-to-end] encrypted,” Galperin told TechCrunch. “‘Thirty engineers’ means there is no one to fight legal requests, no infrastructure to deal with issues of abuse and content control.”
“And I would argue that the quality of those 30 engineers is not that great,” Galperin continued. “Also, if I were a threat actor, I would definitely consider this encouraging news. Every striker loves an opponent who is not too personal and overworked.”
In other words, Telegram is unlikely to be very effective at fighting hackers, especially government-backed ones, with such a small staff.
Telegram did not respond to a request for comment, which included questions about whether the company has a chief security officer and how many of its engineers work full-time to secure the platform.
Last week, well-known cybersecurity expert SwiftOnSecurity wrote on X that “the cost to run a company that has all the right cyber security tools and staff is absolutely obscene.”
“It’s hard to describe the numbers I’ve seen. Even if we say that this is a gray area. But it is [an] incredible number of employees and costs,” wrote SwiftOnSecurity.
Overall, even the biggest companies on the planet probably aren’t spending enough money, time and energy to secure themselves. Telegram has nearly a billion users, according to Durov. It is one of the most popular platforms for people working in crypto (moving millions of dollars), extremists, hackers and disinformation peddlers.
This makes it an incredibly interesting target for both criminals and government hackers. And it has – at most – only a handful of people dedicated to cyber security.
For years, security experts have warned that people should not see Telegram as a truly secure messaging app. Given what Durov recently said, it may be even worse than experts thought.