CEO's Arrest Will Likely Not Dampen Cybercriminal Interest in Telegram

The recent arrest and indictment of Telegram CEO Pavel Durov in France will likely have little short-term impact on use of the platform among cybercriminals and nation-state backed hacking groups.

In the past few years, Telegram has emerged as a haven for bad actors to communicate with each other, sell personal information, unload credit card details and user credentials, and for malware distribution. Many also use the platform for command and control (C2), to manage botnets, to communicate with ransomware victims, to coordinate attacks, and generally as an alternative to the Dark Web.

In a report earlier this year, Guardio described Telegram as playing a large role in democratizing phishing operations. "This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims' data," Guardio had noted. "Free samples, tutorials, kits, even hackers-for-hire — everything needed to construct a complete end-to-end malicious campaign."

Security researchers expect little will change following Durov's arrest on charges related to bad actors using his platform for child abuse, drug traffic and for other nefarious activities. French authorities have also charged Russia-born Durov — who is now a French citizen — with not responding to law-enforcement requests for Telegram's assistance in bringing to justice criminals who are using the platform for illicit and illegal activity.

While this could lead to Telegram "cleaning house" of malicious elements, it may not move the needle on cybercrime activity, experts say.

Little Short-Term Impact on Cybercrime

Durov's Aug. 24 arrest has been controversial and triggered considerable debate over free speech issues and the extent to which CEOs like Durov should be held liable for the behavior of users on their platforms. French President Emmanuel Macron himself has stressed Durvo's arrest and subsequent indictment are not an attack on free speech.

"France is deeply committed to freedom of expression and communication, to innovation, and to the spirit of entrepreneurship," Macron said in a post on X, formerly known as Twitter. "The arrest of the president of Telegram on French soil took place as part of an ongoing judicial investigation. It is in no way a political decision."

Durov is currently out on a roughly $5.5 million bond but cannot leave France. He is required to report twice a week to a French court.

In the meantime, crackdown or not, criminals tend to adapt quickly to changing circumstances and may simply increase their operational security measures while continuing to leverage the platform.

"The impact of the CEO's arrest on cybercriminal use of Telegram will likely be minimal in the short term," says Stephen Kowski, field CTO at SlashNext Email Security+. "However, if the arrest leads to increased scrutiny or changes in Telegram's policies, we could see a gradual shift to alternative communication channels."

Adam Gavish, co-founder and CEO at DoControl, notes that Telegram innately provides OpSec for users, for a few key reasons. First, it offers end-to-end encryption and self-destructing messages, which provide a sense of security and anonymity. Second, it allows large file transfers, making it easy to share stolen data. And third, its channel and group features let cybercriminals easily broadcast messages to many followers or collaborate in private groups. Telegram itself says it can support group sizes of 200,000 members, which is larger than what many other social media platforms allow. The fact that users can sign up for the service with just a virtual phone number is another major bonus for threat actors.

 Cybercriminals are also disincentivized from moving shop. "While there are other platforms cybercriminals could use, Telegram has reached a critical mass in terms of adoption," Gavish says. "It's become a go-to marketplace for buying and selling stolen data, sharing hacking tools, and coordinating attacks. Cybercriminals have established extensive networks there, so moving to a new platform would be disruptive."

One situation where criminals might be forced to seek alternate channels is if it turns out that the Russian government has some sort of a backdoor to snoop on messages traversing the platform, says Rik Turner, an analyst at Omdia. In that case, fears that Durov could be pressured into revealing that backdoor to Western intelligence services, in exchange for a lighter sentence, could prompt quite a few people to seek alternative channels, he says.

Gavish agrees that the arrest could make a small set cybercriminals more cautious about using Telegram for high-stakes operations. "But a mass exodus is unlikely unless we see concrete evidence that Telegram's security has been compromised," he stresses.