1. What happened?
Almost a year ago, our colleagues at the magazine Important Stories published the investigation “How to connect Telegram to the FSB device.” The English version of the article appeared on the website of the Organized Crime and Corruption Reporting Project (OCCRP).
The authors concluded that the intelligence service could “build a network of communications between users” of Telegram, regardless of whether those users are in Russia or abroad. In other words, every user of the messenger is exposed to the threat. These conclusions rest on two main arguments:
- The presence of an unencrypted device identifier (auth_key_id) in user traffic;
When the app creates an encrypted message on a user’s phone or computer, it begins the message with an unencrypted authorization key ID called auth_key_id, which in practice acts as a device identifier, and it does not matter whether the person is communicating in a regular or a secret chat.
This vulnerability was investigated by digital security expert Michal Wozniak (more on him below). As he explained to Important Stories, in practice whoever the messaging traffic passes through can track these device identifiers. According to Wozniak, combined with other data, such as IP addresses and the times when messages were sent, this may make it possible to locate a person and to obtain other valuable information, such as which devices are connected.
- Ties between the FSB and Vladimir Vedeneev, owner of Global Network Management, the company that serves “almost the entire infrastructure” of Telegram.
Important Stories established that a significant part of Telegram’s server infrastructure is maintained by Global Network Management (GNM), a company from Antigua and Barbuda that also has a representative office in Russia. GNM also owns the router in the server room, a key component of the network equipment through which messaging traffic passes.
The owner of GNM is Vladimir Vedeneev. At least in 2018, as it turned out, he also served as Pavel Durov’s CFO. And the IP addresses of the messaging servers, which, as the authors of the investigation were able to show, were under GNM’s control, were owned until 2020 by Globalnet, a major telecom operator from St. Petersburg. Important Stories claimed that Vedeneev was a co-owner of Globalnet until 2024 and then “re-registered it to his relatives.” They own 96% of the company, with the remaining stake held by Durov’s long-time business partner, Roman Venediktov, a former military man.
In 2022, Globalnet, owned by Vedeneev and Venediktov, which had previously called itself the only telecom operator providing direct access to Telegram in Russia and the CIS countries, introduced a system for monitoring user traffic based on Deep Packet Inspection (DPI) technology. In addition, Globalnet’s clients included GlavNIVTs, an unofficial analytical center that monitors citizens on the Internet for Russian law enforcement agencies. It also turned out that Vedeneev was linked to another company, Elektrontelecom, a counterparty of the FSB.
After the investigation was published, Important Stories returned several times to the topic of ties between the messenger and the intelligence service. In particular, editor-in-chief Roman Anin published an interview he had conducted with Vladimir Vedeneev even before the first article came out.
And now there is a new episode in the plot: an independent examination, as Important Stories writes, confirmed a serious security vulnerability in Telegram. However, the publication did not mention the other conclusions of the examination’s author. Although he confirmed the vulnerability, he doubted that the FSB has access to the infrastructure of Telegram’s server operator, or that the intelligence service’s contacts with Vedeneev have been proven.
2. What kind of independent examination is this?
It was commissioned by Vladimir Vedeneev himself. In 2025 he filed a lawsuit against Roman Anin in Switzerland and, in parallel, against OCCRP in the United States.
To support his position in these proceedings, the businessman asked Symbolic Software to conduct an independent examination. Its author is the company’s founder, Nadim Kobeissi.
He is a French-Lebanese researcher specializing in applied cryptography. In 2018 he defended his doctoral thesis (PhD) at the French national research institute INRIA, devoted to developing methods for the formal verification of cryptographic protocols. The work included an analysis of the Signal protocol and of Telegram’s secret chats. More generally, Kobeissi is one of the consistent critics of the security model of Pavel Durov’s messenger.
3. What conclusions did he reach this time?
Nadim Kobeissi reproduced the technical study by Polish IT expert Michal “rysiek” Woźniak, former director of information security at OCCRP, on which Important Stories relied in its investigation. Kobeissi confirmed Woźniak’s main conclusions:
- the authorization key identifier in Telegram (auth_key_id) in practice acts as an identifier of the specific device on which the messenger is installed (phone, tablet or computer);
- auth_key_id is directly visible in user traffic;
- a given auth_key_id persists when the application is restarted, when the IP address changes, and when the client connects to a different Telegram server;
- the replacement of an old auth_key_id by a new one happens in a way that makes the two easy to link if user traffic is monitored continuously.
That is, traffic can be tracked by these identifiers and correlated with the user’s IP addresses, the date and time of network activity, and distinctive features of the data sent or received (such as volume or density). This makes it possible, for example, to track the movements of the owners of particular devices, even if they connect to different Wi-Fi networks or change SIM cards.
However, finding out who communicated with whom on Telegram and reconstructing a user’s network of contacts is, according to Kobeissi, nearly impossible.
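To make the observer’s view concrete, here is an added example (not code from the article, from Woźniak or from Kobeissi) that reads the plaintext auth_key_id prefix out of constructed MTProto-style frames and tabulates per-device activity across IP changes; the key ids, IPs and payloads are made-up sample values, and the frames are assumed to have their TCP transport framing already stripped.

```python
import struct
from collections import defaultdict
from typing import Optional

# An MTProto encrypted message starts with the 8-byte auth_key_id followed by
# the 16-byte msg_key, both in the clear; only the remainder is ciphertext.
# Assumption: the TCP transport framing has already been removed.
HEADER_LEN = 8 + 16

def build_frame(auth_key_id: int, payload: bytes) -> bytes:
    """Sample frame with the plaintext prefix; msg_key is a fixed placeholder."""
    return struct.pack("<Q", auth_key_id) + b"\x11" * 16 + payload

# Constructed sample capture: (unix time, client IP, frame). Key ids, IPs and
# opaque payloads are made-up values, not real traffic.
SAMPLE_FRAMES = [
    (1000, "198.51.100.7", build_frame(0x1122334455667788, b"\xaa" * 64)),
    (1005, "198.51.100.7", build_frame(0x1122334455667788, b"\xbb" * 128)),
    (1010, "198.51.100.7", build_frame(0x0F0E0D0C0B0A0908, b"\xcc" * 64)),
    # The first device again, hours later, on a different network (new IP).
    (4000, "203.0.113.42", build_frame(0x1122334455667788, b"\xdd" * 64)),
    (4002, "203.0.113.42", build_frame(0x1122334455667788, b"\xee" * 256)),
]

def extract_auth_key_id(frame: bytes) -> Optional[int]:
    """Read the unencrypted auth_key_id; None if the frame is too short."""
    if len(frame) < HEADER_LEN:
        return None
    return struct.unpack_from("<Q", frame, 0)[0]

def observer_view(frames):
    """What a passive on-path observer can tabulate without any decryption."""
    view = defaultdict(lambda: {"ips": set(), "frames": 0, "bytes": 0,
                                "first_seen": None, "last_seen": None})
    for ts, ip, frame in frames:
        key_id = extract_auth_key_id(frame)
        if key_id is None:
            continue
        rec = view[key_id]
        rec["ips"].add(ip)
        rec["frames"] += 1
        rec["bytes"] += len(frame)
        rec["first_seen"] = ts if rec["first_seen"] is None else min(rec["first_seen"], ts)
        rec["last_seen"] = ts if rec["last_seen"] is None else max(rec["last_seen"], ts)
    return {k: {**v, "ips": sorted(v["ips"])} for k, v in view.items()}

def roaming_devices(view):
    """Key ids seen from more than one IP: the same device across networks."""
    return sorted(k for k, rec in view.items() if len(rec["ips"]) > 1)
```

Running `observer_view(SAMPLE_FRAMES)` shows the first key id at both IPs with its first and last activity times, which is exactly the cross-network linkage the report describes.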
4. Why is it impossible?
Because Telegram uses a centralized server architecture. If messages were transmitted directly from one user to another, building a social graph, i.e. a map of a given user’s connections within the messenger, would be a trivial task.
But Telegram acts as an intermediary: it decrypts the incoming message using one authorization key, then encrypts it using another key and sends it to the recipient. Moreover, the message sent from Telegram’s servers can be packed together with other data going to the recipient: channel updates, service notifications and posts from other chats. All of this hampers any attempt to identify the recipient of a message, even with access to all Telegram traffic.
Any conclusion about communication between users based solely on traffic analysis will be probabilistic rather than certain, says Nadim Kobeissi.
6. Is this the expert’s only complaint about the Important Stories investigation?
No, he is also critical of the investigation’s methodology. Nadim Kobeissi points out that the connection between one of Telegram’s infrastructure providers and the Russian intelligence services was established using indirect evidence.
In particular, the investigation points to Vladimir Vedeneev (owner of Global Network Management, which manages part of the Telegram infrastructure) and his ties to GlobalNet, a Russian telecommunications company. The investigation notes that GlobalNet’s clients include GlavNIVTs (a Russian government research center said to be linked to the intelligence services) and that another company partly owned by Vedeneev (Electrontelecom) provides services to FSB departments.
However, these connections amount to “guilt by association,” mediated by several intermediate links, and are not direct evidence that the intelligence services have access to Telegram’s infrastructure. The logical chain rests on several inferences: (1) Vedeneev’s company operates part of the Telegram infrastructure; (2) Vedeneev founded a separate company (GlobalNet) that had government clients; (3) therefore, Russian intelligence services may have access to Telegram traffic. This line of reasoning is essentially speculative.
By comparison, Kobeissi points out that the Signal messenger uses Amazon’s infrastructure, and Amazon has multi-million-dollar contracts with the CIA, NSA and other US intelligence agencies. But this does not mean that the CIA has any special ability to spy on Signal users.
Other examples include WhatsApp, iMessage and Microsoft Teams – all of these messaging programs also use the infrastructure of companies that have government contracts and employ former US intelligence officers.
9. Did Telegram’s developers acknowledge the vulnerability?
No. In a post published a few weeks ago, they argue that tracking the auth_key_id identifier gives a passive observer of user traffic no additional benefit:
Any observer that is able to see your auth_key_id also sees your IP address, the names of the servers you’re connected to, traffic patterns, DNS queries, and more. Hiding a frequently changing ID is like closing a single window in a building made almost entirely of glass.
That is, Telegram’s staff simply ignore the conclusion of Michal Wozniak and Nadim Kobeissi that these changing identifiers can easily be linked to one another by continuously monitoring user traffic.
Denis Dmitriev
