
Telegram, the platform favored by cybercriminals and disinformation

The instant messaging service’s lax content moderation policy has turned it into a hotbed of criminal activity


Many of Telegram’s eight million Spanish users received a message Wednesday night from the app’s founder and CEO, Pavel Durov. The Russian magnate mentioned the “dangerous regulations” announced on Tuesday by Spanish Prime Minister Pedro Sánchez, which include restricting social media use for those under 16 and assigning legal responsibility to their executives for potential platform violations. “These measures could turn Spain into a surveillance state under the guise of protection,” he wrote. What he failed to mention is that Telegram is immune to surveillance, both its own and that of third parties, as it contributes to the spread of hoaxes and disinformation in Spain and other countries, and has been a preferred communication channel for cybercriminals for years.

The reputation of the app founded by Durov leaves much to be desired. Authorities know that Telegram is very popular with criminals. For this reason, and for failing to take any action to address it, Durov, who holds Russian, French, and Emirati passports, was arrested on August 24, 2024, outside Paris as soon as he stepped off his private jet. He was accused, among other things, of complicity in the distribution of child pornography on the instant messaging network he runs. The charges he faces could carry a sentence of up to 10 years in prison. Meanwhile, despite the ongoing investigation by French authorities, the businessman returned to Dubai in March of last year, where he had gone into exile in 2014.

Durov embodies the archetype of the techno-oligarch who proclaims himself a champion of freedom. In 2006, at just 22 years old, he founded the Russian version of Facebook, VKontakte (VK). At 30, he fell from grace and, harassed by Vladimir Putin’s security services, was forced to sell his shares. Far from simply enjoying life and spending his fortune, he decided to launch Telegram, which today boasts some 1 billion monthly active users, according to figures provided by the company itself. “When I turned 11 in 1995, I made a promise to myself to become smarter, stronger, and freer every day. Today, Telegram turns 11 and is ready to make that same promise,” he said on his own platform a few days before his arrest in Paris.

These pronouncements contrast sharply with reality. The lack of control over what happens on the platform has turned it into a tool for cybercrime. In 2024, Spain’s Civil Guard dismantled a banking phishing network (stealing credentials through deception) that used Telegram as a communication channel for cybercriminals. The network used channels with explicit titles such as “Stealing everything from grandmas.”

A lot of child pornography is also circulating on Telegram. Until two years ago, it went completely unpunished. But Durov’s arrest has suddenly led to the company cooperating more with the police, including the Spanish police, which has helped dismantle some pedophile networks.

There is cybercrime, but less of it

More things happen on Telegram. The app’s very features make it ideal for carrying out clandestine activities. Telegram’s automated bots allow cybercriminals to manage inquiries from their clients and offer their services in an automated way (for example, selling passwords, launching a ransomware attack, or hijacking devices).

It also allows for the processing of cryptocurrency payments and the distribution of illegal goods, such as stolen bank cards, logs from info-stealers (malicious programs that steal confidential information), phishing kits, or distributed denial-of-service (DDoS) attacks, all without human intervention. Furthermore, its unlimited storage capacity facilitates the sharing of leaked databases or stolen corporate documents.

A report by cybersecurity firm Kaspersky has found, however, that criminals are beginning to quit Telegram. After tracking 800 criminal channels blocked between 2021 and 2024, analysts conclude that, although these channels are surviving longer than before, the platform is tightening its policies, and this has significantly accelerated the rate of closures.

“Telegram remains a useful tool for scammers, but the risk-reward ratio is changing,” explains Vladislav Belousov, an analyst at Digital Footprint, the Kaspersky team that produced the report. “Although some channels are staying online longer than before, the increasing volume of blocks makes it impossible to guarantee stability. When a store or service disappears overnight and reappears only to be taken down again weeks later, maintaining a business becomes very difficult. We are already seeing the first signs of migration,” he adds.

The report also notes that hacktivism contributes to the blocking of particularly compromised channels by filing complaints.

Telegram presents other challenges for cybercriminals. A key one is the lack of end-to-end encryption by default, a feature found in services like WhatsApp and Signal, which ensures that only the sender and recipient can see the messages they exchange. Cybercriminals also cannot manage their communications from their own servers due to Telegram’s centralized infrastructure and closed-source server code, which prevents verification of its actual operation.

For all these reasons, established cybercrime groups, such as BFRepo, with nearly 9,000 members, or Angel Drainer, which specializes in selling malware as a service, have begun to shift their main activity to other platforms or even to private messaging tools they have developed themselves.

Hornet’s nest of misinformation

In recent years, Telegram has become the preferred channel for disinformation spreaders and agitators. Its lax content moderation policy, which allows almost anything, combined with the possibility of reaching tens of thousands of users in its distribution channels, makes this instant messaging service the perfect conduit for massively disseminating poorly or completely unverified material, the legal prosecution of which is less obvious than in the case of other materials (child pornography, malware, etc.).

Two weeks ago, following the fatal train accident in Adamuz, in southern Spain, all sorts of hoaxes filled with outlandish theories circulated on this platform. Last summer, Telegram was also used to organize “hunts” for immigrants in Torre Pacheco, in the southeastern Spanish region of Murcia. Dozens of young people traveled to that town with their phones full of messages from far-right groups calling for the “cleansing of Spain.”
