Telegram’s Infrastructure Ties to Russia Raise Privacy Concerns

Telegram’s reputation as a privacy-first messaging platform is under scrutiny following a new investigation. The report reveals that the core infrastructure powering the app is managed by Viktor Vedeneev, a Russian network engineer with deep ties to companies linked to the FSB security agency and Russia’s defense sector. Vedeneev’s company controls thousands of Telegram IP addresses, key servers, and networking equipment. Court records obtained by journalists show that Vedeneev had exclusive access to Telegram’s infrastructure and was authorized to sign contracts on the company’s behalf.

However, the investigation did not find any evidence that Vedeneev’s involvement resulted in data sharing or surveillance. While no direct evidence was found that Telegram data was shared with Russian authorities, two of Vedeneev’s other companies have serviced highly sensitive government institutions, including Russia’s intelligence agencies and a research center involved in planning the invasion of Ukraine. Telegram has not been accused of wrongdoing, but the report raises questions about whether third-party infrastructure relationships could create risks to user privacy.

Telegram representatives stated that “as a global company, Telegram has contracts with dozens of different service providers around the world. However, none of these service providers have access to Telegram data or sensitive infrastructure.” They further went on to say that all Telegram servers belong to the company and are maintained by employees: “Unauthorized access is impossible. Throughout its entire history, Telegram never disclosed any private messages to a third party — and its encryption has never been breached.”

Security researchers say these links expose a major contradiction between Telegram’s public image and its operational reality. John Scott-Railton, a senior researcher, said the findings highlight a “dangerous disconnect” between user assumptions about Telegram’s security and the actual vulnerabilities in its infrastructure. Telegram founder Pavel Durov has long positioned the app as a safe haven for free expression, claiming the platform has “never disclosed a single byte of private messages.”

However, experts point out that the app’s encryption design still allows for metadata exposure, including device identifiers and user IP addresses — data that could be exploited to track user activity. Telegram’s MTProto encryption protocol attaches an unencrypted identifier to every encrypted message, which can help observers monitor specific user devices and IP locations. This is particularly concerning in scenarios where governments or intelligence agencies have physical access to the network infrastructure.

Despite claiming to have no infrastructure in Russia, leaked border records previously showed that Durov visited the country more than 50 times between 2015 and 2021, according to the report. The investigation underscores the complexities and potential risks associated with relying on third-party infrastructure for critical services. While Telegram has maintained its stance on privacy and security, the revelations about its infrastructure management raise important questions about the app’s operational practices and the potential for vulnerabilities in its system. Users and regulators alike will need to carefully consider these findings as they evaluate the security and privacy of their communications.