Crooks Ditch Telegram

Hey Kaitlyn, Joseph here. I was out when French authorities arrested the CEO of Telegram. I have a lot to say about it (maybe for a podcast?). In the meantime, I found criminals of all stripes are leaving the platform in the wake of the arrest. In part, because maybe Telegram will start providing user data to the police. The full story follows below.

An array of different types of criminals, including hackers, fraudsters, and drug dealers, are deleting their Telegram accounts or migrating contacts off the app after the arrest and subsequent charging of Telegram CEO Pavel Durov, according to multiple screenshots of Telegram messages and conversations with criminals on the platform.

Although there isn’t an indication of a mass exodus from Telegram, the news shows that significant criminals plan to move from the social network-focused Telegram, to more dedicated encrypted messaging apps. Some fear that their Telegram data could land in the hands of authorities, or that their accounts could be wiped after Durov’s statements that Telegram will take content moderation on the platform seriously.

This segment is a paid ad. If you’re interested in advertising, let's talk.

We’re big fans of this newsletter, which means we’re big fans of you for reading it. Cheers to all you awesome people.

Love, your favorite tech marketing agency,
Codeword

“I would be most concerned with losing the contacts I have on the oldest account but slowly we're moving them to Signal,” the hacker linked to the recent wave of Snowflake breaches, and who previously used the handle ZFA, told 404 Media in a Telegram message. 

“Final call! I am deleting my account,” one Telegram message, written by someone who appears to deal in know-your-customer (KYC) bypasses, says. “If anyone has chats with me that important I urge you to save them inmediately! [sic].”

“Reason for deleting: Safety Reasons, due to the arrest of Telegram CEO!” the message adds. 

One part of the charges against Durov relate to Telegram’s refusal to hand over data in response to lawful orders. Durov has since said that Telegram is “committed to turn moderation on Telegram from an area of criticism into one of praise.” That brings up the possibility that Telegram will start to seriously engage with law enforcement requests for data, in the way many other communication apps, like Discord or Twitter, do.

Valdemar Balle, an open source intelligence analyst at non-profit association Digitalt Ansvar, provided 404 Media with multiple screenshots that he said showed Danish-language drug dealers encouraging users to join a backup Signal group.

“IMPORTANT INFORMATION,” one of those translated messages starts. “As many have already noticed, Telegram groups are gradually attracting a lot of outside attention. Therefore, we acted quickly and have already created a backup directly on the app ‘SIGNAL.’ So, stay one step ahead like us and join our Signal groups and profiles!”

“I’ve seen multiple instances of drug dealers losing trust in the platform and becoming cautious about the future,” Balle said in an online chat. “I’ve observed several cases where administrators of large narco-groups on Telegram are creating backup groups on Signal and Session, preparing for a potential migration.” Session is a less well known encrypted messaging app which some of 404 Media’s criminal sources have used in the past.

Meredith Whittaker, president of the Signal Foundation, did not respond to a request for comment. Session co-founder Kee Jeffreys told 404 Media in a statement that “We take the misuse of Session very seriously and actively work to prevent it. However, like other end-to-end encrypted communication platforms such as Signal and Threema, we operate within certain technical limitations. If not for those limitations, all online communication would be potentially subject to surveillance, and it would be impossible for anybody to share any information securely. End-to-end encrypted communication platforms protect everyday people from hackers and other bad actors who might want to monitor their conversations.”

Jeffreys also said that Session has seen a “small spike” in users since Durov's arrest. “However, the overwhelming majority of people using tools like Session are everyday people who value privacy, and we believe this is true of those who are seeking an alternative to Telegram at the moment," Jeffreys added.

Telegram works fundamentally differently to more dedicated messaging apps like Signal. Telegram in many ways is more of a social network, capable of massive channels (which are not end-to-end encrypted) that users follow for updates on a single person or organization. That broadcast capability is some of the attraction of Telegram to criminals. Drug dealers can blast their latest deals. Ransomware gangs can advertise their next big breach. But that doesn’t apply to everyone moving their contacts from Telegram to Signal: “No, I'm mostly a low radar person,” ZFA said when asked if not having a broadcast channel would be an issue.

French authorities arrested Durov on August 24 when he landed at a French airport. Politico reports that the investigation started when an undercover agent engaged a suspected sexual predator on Telegram, who later admitted to raping a young girl. When authorities requested the real identity of the user, Telegram refused, and investigators pivoted to the people behind Telegram itself, Politico writes. Once the investigation expanded, authorities collected information about ongoing investigations into potential crimes that involved Telegram more widely, Politico adds. The French military police, the National Gendarmerie, had made 2,460 unanswered requests to Telegram, Libération reported. (The Gendarmerie is linked to the widespread hacking of Encrochat, an encrypted messaging platform heavily used by drug traffickers, but also people not suspected of a crime, such as lawyers).

Specifically, French authorities have charged Durov with being complicit in administrating a platform to enable an illicit transaction; refusing to communicate information necessary for legally authorized intercepts; and enabling crimes such as child abuse, drug trafficking, and fraud.

At first, Telegram said in a tweet that “Telegram’s CEO Pavel Durov has nothing to hide and travels frequently in Europe,” and that “It is absurd to claim that a platform or its owner are responsible for abuse of that platform.” After the charges Durov changed tone slightly, writing in a Telegram post that “While 99.999% of Telegram users have nothing to do with crime, the 0.001% involved in illicit activities create a bad image for the entire platform, putting the interests of our almost billion users at risk.” He did, however, add that the charges are “misguided.”

Durov also announced the removal of Telegram’s People Nearby feature, which lets users discover one another based on their physical proximity. Durov wrote the feature “was used by less than 0.1% of Telegram users, but had issues with bots and scammers.” 404 Media previously reported that it was possible to use the tool to track the physical location of users you were not actually next to. Durov also said Telegram has disabled new media uploads to Telegraph, which was essentially the app’s longer form blogging feature. But those features are likely not the main problems with Telegram’s lack of content moderation. Instead, large group chats and channels distribute masses of illegal content or are used to coordinate crimes in the physical world, according to 404 Media’s regular reviews of content on Telegram.

The company also updated its website to explicitly say users can report private chats to its moderators, TechCrunch reported. The site previously said that “All Telegram chats and group chats are private amongst their participants. We do not process any requests related to them.” The site now reads “All Telegram apps have ‘Report’ buttons that let you flag illegal content for our moderators—in just a few taps.”