Security experts say that while Durov was bragging about his Dubai-based company being “super efficient,” what he said was a red flag for users.
Johns Hopkins University cryptography expert Matthew Green said that vast numbers of vulnerable targets and servers are located in the UAE without end-to-end encryption. “Seems like that would be a security nightmare.”
Green was referring to the fact that, by default, Telegram chats are not end-to-end encrypted like those on Signal or WhatsApp.
A Telegram user has to start a “Secret Chat” to switch on end-to-end encryption, making the messages unreadable to Telegram or anyone other than the intended recipient. Also, many people have cast doubt over the quality of Telegram’s encryption over the years, given that the company uses its own proprietary encryption algorithm, created by Durov’s brother, as he said in an extended version of the Carlson interview.
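The practical difference between the two chat modes described above is who holds the key. The toy model below is an added example, not Telegram code and not MTProto: it uses a stdlib-only PRF cipher (HMAC-SHA256 keystream plus an HMAC tag) and assumes the two secret-chat endpoints already share a key established out of band. It shows why the operator can recover a cloud chat from its own storage but gets nothing from an end-to-end encrypted one, and why a recipient with the right key still can.

```python
"""Toy model of cloud chats vs. end-to-end ("secret") chats.

Added example, not Telegram's code. Cloud chat: transport encryption ends at
the server, which stores the message under a key the operator holds. Secret
chat: the two endpoints share a key the server never sees, so it only relays
ciphertext. The cipher here (HMAC-SHA256 keystream in counter mode, encrypt-
then-MAC) is chosen so the example runs with the standard library only; it is
an illustration, not a production cipher.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def _derive(key: bytes, label: bytes) -> bytes:
    """Split one shared secret into independent encryption and MAC keys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return plaintext, or None if the key is wrong or the blob was tampered with."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Server:
    """The operator's infrastructure: stores whatever the clients hand it."""

    def __init__(self) -> None:
        self.storage_key = secrets.token_bytes(32)  # key held by the operator
        self.stored: list = []

    def receive_cloud_chat(self, plaintext: bytes) -> int:
        # Cloud chat: the transport channel (e.g. TLS) terminates here, so the
        # server sees plaintext and stores it under its own key.
        self.stored.append(encrypt(self.storage_key, plaintext))
        return len(self.stored) - 1

    def relay_secret_chat(self, blob: bytes) -> int:
        # Secret chat: the server only ever sees endpoint-encrypted bytes.
        self.stored.append(blob)
        return len(self.stored) - 1

    def operator_read(self, idx: int) -> Optional[bytes]:
        """What the operator (or anyone who obtains the server's data) can recover."""
        return decrypt(self.storage_key, self.stored[idx])


def demo() -> dict:
    server = Server()
    msg = b"meet at 9, bring the documents"  # constructed sample message
    # Cloud chat: client sends plaintext to the server over a transport channel.
    cloud_idx = server.receive_cloud_chat(msg)
    # Secret chat: sender and recipient share a key the server never learns
    # (assumed established out of band; a real client runs a key agreement).
    e2e_key = secrets.token_bytes(32)
    secret_idx = server.relay_secret_chat(encrypt(e2e_key, msg))
    return {
        "cloud_readable_by_operator": server.operator_read(cloud_idx) == msg,
        "secret_readable_by_operator": server.operator_read(secret_idx) == msg,
        "secret_readable_by_recipient": decrypt(e2e_key, server.stored[secret_idx]) == msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point is the threat model, not the cipher: a subpoena, a breach, or an insider gives the operator the cloud-chat key along with the data, whereas for the secret chat the server holds only ciphertext and a failing MAC, and nothing the operator stores helps.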
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a longtime expert in the security of at-risk users, said it’s important to remember that Telegram, unlike Signal, is much more than just a messaging app.
“What makes Telegram different (and much worse!) is that Telegram is not just a messaging app, it is also a social media platform. As a social media platform, it is sitting on an enormous amount of user data. Indeed, it is sitting on the contents of all communications that are not one-on-one messages that have been specifically [end-to-end] encrypted,” Galperin told TechCrunch.
“Having 30 engineers means that there is no one to fight legal requests, no infrastructure for dealing with abuse and content moderation issues.”
“And I would even argue that the quality of those 30 engineers isn’t that great,” Galperin continued. “Also, if I were a threat actor, I would consider this to be encouraging news. Every attacker loves a profoundly understaffed and overworked opponent.”
In other words, Telegram’s small staff makes it unlikely that it will be very effective at fighting hackers, especially government-backed ones.
Telegram’s spokesperson confirmed the company has 30 developers working on the apps and infrastructure, but claims to have an additional 30 people on its “core team.”
Telegram spokesperson Remi Vaughn denied having data centres in the UAE.
Last week, the well-known cybersecurity expert SwiftOnSecurity wrote on X, “The cost to run a company that has all the right cyber security tools and staff is absolutely obscene.”
“It’s hard to describe the numbers I’ve seen—even saying this is a gray area—but it is [an] incredible headcount and spend,” SwiftOnSecurity wrote.
According to Durov, Telegram has almost one billion users. It’s one of the most popular platforms for crypto traders (who move millions of dollars), extremists, hackers, and disinformation peddlers.
That makes it an incredibly interesting target for both criminal and government hackers. However, only a handful of people are dedicated to cybersecurity.
For years, security experts have warned that people should not treat Telegram as a genuinely secure messaging app. Given what Durov said, it may be even worse than they thought.
Telegram’s spokesman said the quote was a misunderstanding of what Durov meant. Telegram has 30 developers building the apps and its infrastructure, but Telegram’s core team is approximately 60 people.
He said this team is intentionally small and filled with experts in their fields. As a result, Telegram can respond much faster than companies with huge teams and long chains of command. In addition to those 60 core team members, Telegram has separate moderation and abuse teams.
He said Telegram has no servers in the UAE, that no user data is stored there, and that its encryption protocols are fully documented and its apps are open source.
"Any researcher can verify the integrity and implementation of Telegram's encryption. Many researchers have done so including those from the University of Udine, Italy: "
He pointed out that no viable means of breaking the encryption Telegram uses has ever been found, and that Telegram is the only popular messenger to support reproducible builds on both iOS and Android, allowing researchers to verify that the apps it publishes are built from that same code.