|Developer(s)||Telegram FZ LLC|
Telegram Messenger Inc.
|Initial release||14 August 2013|
|Platform||Android, iOS, Windows, macOS, Linux, Web platform|
|Available in||19 languages|
|License||GNU GPLv2 or GPLv3 (clients), proprietary (server)|
|Headquarters||London, United Kingdom|
Dubai, United Arab Emirates
Telegram is a freeware, cross-platform, cloud-based instant messaging (IM) system. The service also provides end-to-end encrypted video calling, VoIP, file sharing and several other features. It was launched for iOS on 14 August 2013 and Android in October 2013. The servers of Telegram are distributed worldwide to decrease frequent data load with five data centers in different regions, while the operational center is based in Dubai in the United Arab Emirates. Various client apps are available for desktop and mobile platforms including official apps for Android, iOS, Windows, macOS and Linux (although registration requires an iOS or Android device and a working phone number). There are also two official Telegram web twin apps – WebK and WebZ – and numerous unofficial clients that make use of Telegram's protocol. All of Telegram's official components are open source, with the exception of the server which is closed-sourced and proprietary.
Telegram provides end-to-end encrypted voice and video calls and optional end-to-end encrypted "secret" chats. Cloud chats and groups are encrypted between the app and the server, so that ISPs and other third-parties on the network can't access data, but the Telegram server can. Users can send text and voice messages, make voice and video calls, and share an unlimited number of images, documents (2 GB per file), user locations, animated stickers, contacts, and audio files. In January 2021, Telegram surpassed 500 million monthly active users. It was the most downloaded app worldwide in January 2021 with 1 billion downloads globally as of late August 2021.
Telegram was launched in 2013 by brothers Nikolai and Pavel Durov. Previously, the pair founded the Russian social network VK, which they left in 2014 after claiming it was taken over by President Putin's allies. Pavel Durov sold his remaining stake in VK and left Russia after resisting government pressure. Nikolai Durov created the MTProto protocol that is the basis for the messenger, while Pavel Durov provided financial support and infrastructure through his Digital Fortress fund. Telegram Messenger states that its end goal is not to bring profit, but it is not structured as a non-profit organization.
Telegram is registered as an American LLC. It does not disclose where it rents offices or which legal entities it uses to rent them, citing the need to "shelter the team from unnecessary influence" and protect users from governmental data requests. Pavel Durov said that the service was headquartered in Berlin, Germany, between 2014 and early 2015, but moved to different jurisdictions after failing to obtain residence permits for everyone on the team. After Pavel Durov left Russia, he is said to be moving from country to country with a small group of computer programmers consisting of 15 core members. According to press reports, Telegram had employees in Saint Petersburg. The Telegram team is based in Dubai as of 2017. Users can report apps issues and recommend development ideas on the dedicated "Bugs and Suggestions" platform.
In October 2013, Telegram announced that it had 100,000 daily active users. On 24 March 2014, Telegram announced that it had reached 35 million monthly users and 15 million daily active users. In October 2014, South Korean governmental surveillance plans drove many of its citizens to switch to Telegram. In December 2014, Telegram announced that it had 50 million active users, generating 1 billion daily messages, and that it had 1 million new users signing up on its service every week, traffic doubled in five months with 2 billion daily messages. In September 2015, Telegram announced that the app had 60 million active users and delivered 12 billion daily messages.
In February 2016, Telegram announced that it had 100 million monthly active users, with 350,000 new users signing up every day, delivering 15 billion messages daily. In December 2017, Telegram reached 180 million monthly active users. In March 2018, Telegram reached 200 million monthly active users. On 14 March 2019, Pavel Durov claimed that "3 million new users signed up for Telegram within the last 24 hours." Durov did not specify what prompted this flood of new sign-ups, but the period matched a prolonged technical outage experienced by Facebook and its family of apps, including Instagram.
According to the U.S. Securities and Exchange Commission, the number of monthly Telegram users as of October 2019 is 300 million people worldwide.
On 24 April 2020, Telegram announced that it had reached 400 million monthly active users. On 8 January 2021, Durov announced in a blog post that Telegram had reached "about 500 million" monthly active users.
Telegram accounts are tied to telephone numbers and are verified by SMS. Account creation requires an iOS or Android device regardless of the platform intended to be used. Users can add multiple devices to their account and receive messages on all of them. Connected devices can be removed individually or all at once. The associated number can be changed at any time and when doing so, the user's contacts will receive the new number automatically. In addition, a user can set up a username as an alias that allows them to send and receive messages without exposing their phone number. Telegram accounts can be deleted at any time and they are deleted automatically after six months of inactivity by default, which can optionally be changed from 1 month at the shortest up to 12 months at most with a range between. Users can replace exact "last seen" timestamps with broader messages such as "last seen recently".
The default method of authentication that Telegram uses for logins is SMS-based single-factor authentication. A one-time passcode that is sent via SMS to the user's phone number is required to log into the account by default. Users also have the option to create a password as a form of two-step verification.
Telegram's default messages are cloud-based and can be accessed on any of the user's connected devices. Users can share photos, videos, audio messages and other files (up to 2 gigabytes per file). Users can send messages to other users individually or in groups of up to 200,000 members. Sent messages can be edited up to 48 hours after they have been sent and can be deleted at any time on both sides. Messages in all chats, including groups and channels, can be set to auto-delete after 24 hours, 7 days or a month, although this will only apply to messages sent after the auto-delete timer is enabled.
Telegram offers drafts which sync across user devices, such as when a user starts typing a message on one device and can later continue on another. The draft will persist in the editing area on any device until it is sent or removed. All chats, including groups and channels, can be sorted into custom folders set by the user. Users have the option to schedule messages in personal chats to be sent when the other side comes online. Users can also import chat history, including both messages and media, from WhatsApp, Line and Kakaotalk due to data portability, either making a new chat to hold the messages or adding them to an existing one.
Telegram users can share their live location in a chat for either 15 minutes, one hour, or eight hours. If multiple users share their live location within a group, they are shown on an interactive map. Sharing the 'live location' can be stopped at any time.
Messages can also be sent with client-to-client encryption in so-called secret chats. These messages are encrypted with the service's MTProto protocol. Unlike Telegram's cloud-based messages, messages sent within a secret chat can be accessed only on the device upon which the secret chat was initiated and the device upon which the secret chat was accepted. Messages sent within secret chats can, in principle, be deleted at any time and can optionally self-destruct.
Secret chats have to be initiated and accepted via an invitation, upon which the encryption keys for the session are exchanged. Users in a secret chat can verify that no man-in-the-middle attack has occurred by comparing pictures that visualize their public key fingerprints.
According to Telegram, secret chats have supported perfect forward secrecy since December 2014. Encryption keys are periodically changed after a key has been used more than 100 times or has been in use for more than a week. Old encryption keys are destroyed.
Secret Chats are only available on the Android, iOS and macOS clients of the app.
In September 2015, Telegram added channels. Channels are a form of one-way messaging where admins are able to post messages but other users are not. Any user is able to create and subscribe to channels. Channels can be created for broadcasting messages to an unlimited number of subscribers. Channels can be publicly available with an alias and a permanent URL so anyone can join. Users who join a channel can see the entire message history. Users can join and leave channels at any time. Depending on a channel's settings, messages may be signed with the channel's name or with the username of the admin who posted them. Non-admin users are unable to see other users who've subscribed to the channel. The admin of the channel can view statistics about channel activity as each message has its own view counter, showing how many users have seen this message, including views from forwarded messages. As of May 2019, the creator of a channel can add a discussion group, a separate group where messages in the channel are automatically posted for subscribers to communicate. This enables comments for posts in the channel.
In December 2019, Bloomberg moved their messenger-based newsletter service from WhatsApp to Telegram after the former banned bulk and automated messaging. The news service is attempting to grow its audience outside the U.S.
At the end of March 2017, Telegram introduced its own end-to-end encrypted voice calls. Connection is established as peer-to-peer whenever possible, otherwise the closest server to the client is used. According to Telegram, there is a neural network working to learn various technical parameters about a call to provide better quality of the service for future uses. 
Telegram added group voice chats in December 2020. Any group or channel admin can launch a chat, which will be open to all members and ongoing even if no one is currently using it. Admins can mute members by default or selectively as well create invite links that will add people as muted by default. Members can use the Raise Hand button to signal their desire to speak. A push-to-talk option is available on mobile versions, as well as key shortcuts to mute and unmute oneself on Telegram Desktop. Admins of groups or channels have the option to join as their group or channel, hiding their personal account. Users can also record chats with a red dot shown as a warning during the recording period.
Telegram announced in April 2020 that they would include group video calls by the end of the year. On 15 August 2020, Telegram added video calling with end-to-end encryption. Picture-in-picture mode is also available so that users have the option to use the other functions of the app while remaining on the call. In June 2021, Telegram implemented group video calls across all of its clients. Users can stream video from their camera, share their screen or do both simultaneously. The company stated that the group calls are capped at 30 people temporarily and the limit will be raised "soon". Group calls have support for selective screen sharing, split screen view and improved noise suppression. In July 2021, an update of Telegram introduced the ability for up to 1000 people to watch the streamed video.
In June 2015, Telegram launched a platform for third-party developers to create bots. Bots are Telegram accounts operated by programs. They can respond to messages or mentions, can be invited into groups and can be integrated into other programs. It also accepts online payments with credit cards and Apple Pay. Dutch website Tweakers reported that an invited bot can potentially read all group messages when the bot controller changes the access settings silently at a later point in time. Telegram pointed out that it considered implementing a feature that would announce such a status change within the relevant group. There are also inline bots, which can be used from any chat screen. In order to activate an inline bot, user needs to type in the message field a bot's username and query. The bot then will offer its content. User can choose from that content and send it within a chat.
Bots can also handle transactions provided by Paymentwall, Yandex.Money, Stripe, Ravepay, Razorpay, QiWi and Google Pay for different countries. Bots also power Telegram's gaming platform, which utilizes HTML5, so games are loaded on-demand as needed, like ordinary webpages. Games work on iPhones 4 and newer and on Android 4.4 devices and newer.
In April 2021, the Payments 2.0 upgrade enabled bot payments within any chat, using third-party services such as Sberbank, Tranzoo, Payme, CLICK, LiqPay and ECOMMPAY to process the credit card information.
In February 2018, Telegram launched their social login feature to its users, named Telegram Login. It features a website widget that could be embedded into websites, allowing users to sign into a third party website with their Telegram account. The gateway sends users' Telegram name, username, and profile picture to the website owner, while users' phone number remains hidden. The gateway is integrated with a bot, which is linked with the developer's specific website domain.
Comments.App, is a tool for commenting on pages, channel posts, it lets you add a comments widget to your website. With the widget in place, Telegram users will be able to log in with just two taps and leave comments with text and photos, as well as like, dislike and reply to comments from others. They can also subscribe to comments and get notifications from @DiscussBot. Widgets are configurable. Developers can change the color theme, use different colors for names, change the design to a dark theme, change the maximum number of comments on the page, change the height, assign moderators, and block user spam; the mode of filled and outlined icons is also supported.
In June 2021, an update introduced a new bot menu where users can browse and send commands while in a chat with a bot.
Instant View is a way to view web articles with zero pageload time. With Instant View, Telegram users can read articles from mass media or blogs in a uniform and readable way. Instant View pages support text and media of any type and work even if the original website was not optimized for mobile devices.
Telegraph is a publishing tool used to create formatted posts with photos and embedded media. It is designed in a minimalist style, the article pages do not contain any controls. Each article on the website is separate, there is no possibility to merge articles into groups or hierarchies. For each article, the author specifies a title and optionally a subtitle, usually used for the author's name. In addition, the title of the article indicates the date of the first publication, which the author of the article cannot influence.
Text formatting options are also minimal: two levels of headings, single-level lists, bold, italics, quotes, and hyperlinks are supported. Authors can upload images and videos to the page, with a limit of 5mb. When an author adds links to YouTube, Vimeo, or Twitter, the service allows you to embed their content directly in the article.
When an article is first published, the URL is generated automatically from its title. Non-Latin characters are transliterated, spaces are replaced with hyphens, and the date of publication is added to the address. For example, an article titled "Telegraph (blog platform)" published on November 17 would receive the URL
Telegram has more than 20,000 stickers. Stickers are cloud-based, high-resolution images intended to provide more expressive emoji. When typing in an emoji, the user is offered to send the respective sticker instead. Stickers come in collections called "packs", and multiple stickers can be offered for one emoji. Telegram comes with one default sticker pack, but users can install additional sticker packs provided by third-party contributors. Sticker sets installed from one client become automatically available to all other clients. Sticker images use WebP file format, which is better optimized to be transmitted over the internet. The Telegram clients also support animated emoji.
In July 2018, Telegram introduced their online authorisation and identity management system, Telegram Passport, for platforms that require real-life identification. It asks users to upload their own official documents such as passport, identity card, driver license, etc. When an online service requires such identification documents and verification, it forwards the information to the platform with the user's permission. Telegram stated that it does not have access to the data, while the platform will only share the information to the authorised recipient. However, the service was criticised for being vulnerable to online brute force attacks.
Polls are available on Android, iOS, and desktop applications. Polls have the option to be anonymous or visible. A user can enter multiple options into the poll. Quiz mode can also be enabled where a user can select the right answer for their poll and leave it to the group to guess. Quiz bots can also be added to track correct answers and even provide a global leaderboard.
People Nearby can help users meet new friends by turning on phone GPS location and opting-in contacts and through Groups Nearby people can create a local group by adding location data to groups.
Telegram uses a symmetric encryption scheme called MTProto. The protocol was developed by Nikolai Durov and other developers at Telegram and is based on 256-bit symmetric AES encryption, 2048-bit RSA encryption and Diffie–Hellman key exchange.
As with most instant messaging protocols, Telegram uses centralized servers. Telegram Messenger LLP has servers in a number of countries throughout the world to improve the response time of their service. Telegram's server-side software is closed-source and proprietary. Pavel Durov said that it would require a major architectural redesign of the server-side software to connect independent servers to the Telegram cloud.
For users who signed in from the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulations (GDPR) are supported by storing data only on servers in the Netherlands, and designating a London-based company as their responsible data controller.
Telegram has various client apps, some developed by Telegram Messenger LLP and some by the community. Most of them are free and open-source and released under the GNU General Public Licence version 2 or 3. The official clients support sending any file format extensions. The built-in media viewer supports common media formats - JPEG, PNG, WebP for images and H.264 and HEVC in videos in MP4 container and MP3, FLAC, Vorbis, Opus and AAC for audio.
In 2021, the Telegram team announced a direct build of its Android app. Telegram for Android is available directly from the Telegram website.
It is automatically updated and will most likely get new versions faster than the apps in the Play Store and App Store.
Also, a distinctive feature of this version is the ability to view channels/groups on a specific topic without censorship, which cannot be viewed from an app distributed from Google Play or the Apple Store due to their policies.
|Name||Platform(s)||Official||Source code license||Support for secret chats||Notes|
|Telegram||Android 2.3 or later||Yes||GPLv2 or later||Yes||Supports tablets and Android Wear smart watches. Support synchronisation between multiple devices.|
|Telegram Messenger||iOS 9.0 or later, watchOS 5.0 or later||Yes||GPLv2 or later||Yes||Launched in August 2013 for iPhone and iPod Touch and relaunched in July 2014 with support for iPad and Apple Watch.|
|Telegram X||Android||Yes||Proprietary||Yes||An alternative Telegram client written from scratch, with higher speed, slicker animations, themes and more efficient battery use.
iOS version is written with Swift. Android version based on TDLib. The iOS version was discontinued, with its code merged with the main Telegram app.
|Telegram Messenger||Windows Phone||Yes||GPLv2 or later||Yes||Provide synchronization between all platforms|
|Telegram Desktop||Windows, macOS, and Linux||Yes||GPLv3 with OpenSSL exception||No||Qt-based desktop client. The Windows client is a traditional desktop app published in three flavors (with installer, portable, Windows Store app). The desktop version cannot be used anymore to register and log in, this feature is officially supported by the mobile app only.|
|Telegram||macOS||Yes||GPLv2||Yes||Native macOS client.|
|Telegram Web / Webogram||Web||Yes||GPLv3||No||Web-based version of Telegram. Also published on the Chrome Web Store. The web version cannot be used anymore to register and log in, this feature is officially supported by the mobile app only.|
|Unigram||Windows 10, HoloLens, Surface Hub, Xbox One, Xbox Series X/S||No||GPLv3||Yes||Based on TDLib.|
|OwlGram||Android||No||GPLv2||Yes||An alternative client based on Telegram Stock (8.2.7).|
|Nekogram||Android||No||GPLv2||Yes||An alternative client based on Telegram Stock (6.0.0).|
Telegram has public APIs with which developers can access the same functionality as Telegram's official apps to build their own messaging applications. In February 2015, creators of the unofficial Whatsapp+ client released the Telegram Plus app, later renamed to Plus Messenger, after their original project got a cease-and-desist order from WhatsApp. In September 2015, Samsung released a messaging application based on these APIs.
Telegram also offers an API that allows developers to create bots, which are accounts controlled by programs. Such bots are used, among other things, to emulate and play old games in the app and inform users about vaccine availability for COVID-19.
In addition, Telegram offers functions for making payments directly within the platform, alongside an external service such as Stripe.
The company was initially supported by its CEO's personal funds after the sale of his stake in VK. In January 2018, it launched an ICO and collected $1.7 billion from investors such as Kleiner Perkins, Sequoia Capital and Benchmark. After the shutdown of the TON project, the company needed to repay the investors the money that was not spent on the development during 2018 and the beginning of 2019, when the project was active.
On 15 March 2021, Telegram conducted a 5 years public bonds placement worth $1 billion. The funding was required to cover the debts amounting to $625.7 million, including $433 million to investors who bought futures for Gram tokens in 2018 and included purchasers such as David Yakobashvili. On 23 March, Telegram also sold additional bonds worth $150 million to the Abu Dhabi Mubadala Investment Company and Abu Dhabi Catalyst Partners. A day later, the Mubadala Investment Company stated that Russia's sovereign wealth fund participated in its deal undisclosed through the Russia-UAE joint investment platform to buy convertible bonds. A Telegram spokesperson stated: "RDIF is not in the list of investors we sold bonds to. We wouldn’t be open to any transaction with this fund" and "[t]he funds that did invest, including Mubadala, confirmed to us that RDIF was not among their LPs." According to the contract, the holders of the bonds will be provided an option to convert them to shares at a 10% discount if the company conducts an open IPO. The company's CEO has stated that the move aimed to "enable Telegram to continue growing globally while sticking to its values and remaining independent". According to press reports, prior to the bonds placement Durov had rejected an investment offer for a 5-10% stake in the company as well as several undisclosed ones, valuing the company in a $30–40 billion range.
Telegram has stated that the company will never serve advertisements in private chats. In late 2020, Durov announced that the company was working on its own ad platform, and will integrate non-targeted ads in public one-to-many channels, that already sell and display ads in the form of regular messages. Ads began to appear in channels with more than 1000 followers in October 2021. Durov has stated that Telegram is considering a paid subscription that would hide ads, while allowing users to directly support the app.
Durov announced that Telegram will also consider adding paid features aimed at enterprise clients. According to him, these features will require more bandwidth and the added cost will be covered by the feature prices, in addition to covering some of the costs incurred by regular users.
In 2017, in an attempt to monetize Telegram without advertising, the company began the development of a blockchain platform dubbed either "The Open Network" or "Telegram Open Network" (TON) and its native cryptocurrency "Gram". The project was announced in mid-December 2017 and its 132-page technical paper became available in January 2018. The codebase behind TON was developed by Pavel Durov's brother Nikolai Durov, the core developer of Telegram's MTProto protocol. In January 2018 a 23-page white paper and a detailed 132-page technical paper for TON blockchain became available.
Durov planned to power TON with the existing Telegram user base, and turn it into the largest blockchain and a platform for apps and services akin to a decentralized WeChat, Google Play, and App Store. Besides, the TON had the potential to become a decentralized alternative to Visa and MasterCard due to its ability to scale and support millions of transactions per second. In January and February 2018 the company ran a private sale of futures contracts for Grams, raising around $1.7 billion. No public offering took place.
The development of TON took place in a completely isolated manner, and the release was postponed several times. The test network was launched in January 2019. The launch of the TON main network was scheduled for October 31. Yet on October 30, the U.S. Securities and Exchange Commission obtained a temporary restrictive order to prevent the distribution of Grams to initial purchasers; the regulator considered the legal scheme employed by Telegram as an unregistered securities offering with initial buyers acting as underwriters.
The judge hearing the Telegram v. SEC case, P. Kevin Castel, agreed with the SEC's vision and kept the restrictions on Gram distribution in force. The ban applied to non-U.S.-based purchasers as well, because Telegram couldn't prevent the re-sale of Grams to U.S. citizens on a secondary market, as the anonymity of users was one of the key features of TON. Following that, Durov announced the end of Telegram's active involvement with TON. On June 26, the judge approved the settlement between Telegram and SEC. The company agreed to pay an $18.5 million penalty and return $1.22 billion to Gram purchasers. In March 2021, Telegram launched a bonds offering to cover the debt and fund further growth of the app.
Telegram has been used for illegal activities such as spreading hate messages, illegal pornography, contact between criminals and trading of illegal goods and services such as drugs, contraband and stolen personal data.
In September 2015, in response to a question about the use of Telegram by Islamic State of Iraq and the Levant (ISIS), Pavel Durov stated: "I think that privacy, ultimately, and our right for privacy is more important than our fear of bad things happening, like terrorism." Durov sarcastically suggested to ban words because terrorists use them for communication. ISIS recommended Telegram to its supporters and members and in October 2015 they were able to double the number of followers of their official channel to 9,000. In November 2015, Telegram announced that it had blocked 78 public channels operated by ISIS for spreading propaganda and mass communication. Telegram stated that it would block public channels and bots that are related to terrorism, but it would not honor "politically-motivated censorship" based on "local restrictions on freedom of speech" and that it allowed "peaceful expression of alternative opinions." ISIS's usage of Telegram reignited the encryption debate and encrypted messaging applications faced new scrutiny.
In August 2016, French anti-terrorism investigators asserted that the two ISIS-directed terrorists who murdered a priest in Saint-Étienne-du-Rouvray in Normandy, France, and videoed the murder, had communicated via Telegram and "used the app to coordinate their plans for the attack". ISIS's media wing subsequently posted a video on Telegram, showing the pair pledging allegiance. A CNN news report stated that Telegram had "become known as a preferred means of communication for the terror group ISIS and was used by the ISIS cell that plotted the Paris terror attacks in November" after the attacks. The British tabloid Daily Mirror called Telegram a "jihadi messaging app".
In July 2017, Director General of Application and Informatics of the Indonesian Ministry of Communication and Informatics, Semuel Abrijani Pangerapan, said eleven Telegram DNS servers were blocked because many channels in the service "promoted radicalism, terrorism, hatred, bomb assembly, civil attack, disturbing images, and other propaganda contrary to Indonesian laws and regulations." In August 2017, Indonesia lifted the block after countermeasures against negative content were deployed in association with Telegram LLP.
In November 2019, Telegram participated in Europol's Internet Referral Action Day. As a result, Telegram expanded and strengthened its terrorist content detection and removal efforts. Over 43,000 terrorist-related bots and channels were removed from Telegram. According to U.S. officials, the crackdown on Telegram was especially effective and seems to be having lasting impact. According to Europol, Telegram has put forth considerable effort in removing abusers of its platform.
An article published by Mother Jones magazine on 19 January 2020 says that the Anti-Defamation League has called Telegram a white supremacist "safe haven" and a valuable tool for right-wing extremists. The article said neo-Nazi and fascist hate groups were using the Telegram app to organize a gun rally in Richmond, Virginia, on 20 January 2020. The neo-Nazi white separatist paramilitary hate group The Base switched over to Telegram after being blocked on most social media platforms, including Twitter, YouTube, and Gab. After a number of arrests of The Base members in January 2020, a note appeared on its official Telegram account warning people to stop posting. In August 2019 white supremacist Christopher Cantwell posted anti-Semitic comments on Telegram.
The Anti-Defamation League notes that Telegram was founded by the same two Russian brothers who founded VKontakte (VK), which is known for its lack of moderation when it comes to white supremacy. While Telegram's terms of service prohibit the promotion of violence, they have allowed violent videos posted by mass shooters Brenton Tarrant (Christchurch, New Zealand) and Stephan Balliet (Halle, Germany), although other social media platforms had removed them. The League also points to the RapeWaffen Division channel, which openly advocates rape and murder as part of a race war.
Telegram has also been used by the alt-right organization Proud Boys to coordinate throughout the United States. In the United Kingdom, Telegram is one of the main platforms for far-right publication TR.news, maintained by Tommy Robinson, and Britain First, whose pages were blocked by major social media platforms. Weblinks related to these channels received more views on Telegram in 2018 and 2019 than some well-known mainstream news outlets, including The Guardian or the Daily Mail. However, with a relatively small user base and no algorithmic timeline, such groups struggle to build a larger audience on Telegram.
In January 2021, Telegram confirmed that it blocked "hundreds" of neo-Nazi and white supremacist channels with tens of thousands of followers for inciting violence. A 2021 Institute for Strategic Dialogue report on the far-right in Ireland found that messages from Irish far-right groups on the app increased from a total of 801 in 2019 to over 60 000 in 2020.
On August 27, 2021, the U.S. House of Representatives select committee investigating the 2021 United States Capitol attack demanded records from Telegram (alongside 14 other social media companies) going back to the spring of 2020.
The app has been used for distribution of pornographic material, including child and teenage pornography. Telegram's internal reporting system has an option to report content that contains 'Child Abuse', including specific messages in groups and channels. The company has a verified channel called "Stop Child Abuse", where daily statistics on the number of groups and channels banned for sharing illegal materials are posted. It also provides an email address dedicated to reports of content related to child abuse.
In January 2021, North Macedonian media outlets reported that a now-banned Telegram group, with more than 7,000 members, titled "Public Room" ("Јавна соба") was used to share nude photos of women, often young teenage girls. Along with the shared photographs, anonymous accounts shared private information of the women, including phone numbers and social media profiles, encouraging members of the group to contact the women and ask for sexual favors. This was done without prior agreement or knowledge of the women, causing intense public backlash and demand for the group to be shut down. The President of North Macedonia Stevo Pendarovski, along with the Prime Minister of North Macedonia Zoran Zaev, demanded an immediate reaction from Telegram and threatened to completely restrict access to the app in the country if no actions were taken. The group was banned after reports from users and media, although no public statement was made.
In 2021, a bot was found selling leaked phone numbers from Facebook.
The chairman of the public organization "Electronic Democracy" Volodymyr Flents on 11 May 2020 announced that a Telegram bot appeared on the Web, which sold the personal data of Ukrainian citizens. It is estimated that the bot contains data from 26 million Ukrainians registered in the Dіia application. However, subsequently, Deputy Prime Minister and Minister of Digital Transformation Mikhail Fedorov denied any data from the app being leaked.
Telegram reportedly banned more than 350,000 bots and channels in 2020, including those that contained child abuse and terrorism-related content.
Telegram has been blocked temporarily or permanently by some governments including Iran, China and Pakistan. The Russian government blocked Telegram for several years before lifting the ban in 2020. The company's founder has said he wants the app to have an anti-censorship tool for Iran and China similar to the app's role in fighting censorship in Russia.
In September 2021, prior to the regional elections in Russia, Telegram suspended several bots spreading information about the election, including a bot ran by the opposition party and critics of reigning president Vladimir Putin's regime, citing election silence as the reason, though a blog post by the company's CEO implied the company was following Apple and Google, which "dictate the rules of the game to developers". The block of the main Smart Voting bot was criticized by allies of Alexei Navalny, a Kremlin critic and former opposition leader. Navalny's spokeswoman Kira Yarmysh called the block and the deletion of the tactical voting app from app stores "censorship [...] imposed by private companies". In a later blog post, Durov directly stated that the block was a result of pressure from Google and Apple as refusal to comply with their policies would result "in an immediate shutdown of Telegram for millions of users". The post included a screenshot showing an internal email sent by the App Store to developers, demanding the takedown of content related to Navalny.
Telegram's security model has received notable criticism by cryptography experts. They criticized how the general security model permanently stores all contacts, messages and media together with their decryption keys on its servers by default and that it does not enable end-to-end encryption for messages by default. Pavel Durov has argued that this is because it helps to avoid third-party unsecured backups, and to allow users to access messages and files from any device. Cryptography experts have furthermore criticized Telegram's use of a custom-designed encryption protocol that has not been proven reliable and secure. However, in December 2020, a study titled "Automated Symbolic Verification of Telegram’s MTProto 2.0" was published, confirming the security of the updated MTProto 2.0 and reviewing it. The paper provides "fully automated proof of the soundness of MTProto 2.0’s authentication, normal chat, end-to-end encrypted chat, and re-keying mechanisms with respect to several security properties, including authentication, integrity, confidentiality and perfect forward secrecy" and "proves the formal correctness of MTProto 2.0". This partially addresses the concern about the lack of scrutiny while confirming the security of the protocol's latest version.
The desktop clients (excluding macOS client) do not feature options for end-to-end encrypted messages. When the user assigns a local password in the desktop application, data is locally encrypted also. Telegram has defended the lack of ubiquitous end-to-end encryption by claiming the online-backups that do not use client-side encryption are "the most secure solution currently possible".
Critics have also disputed claims by Telegram that it is "more secure than mass market messengers like WhatsApp and Line", because WhatsApp applies end-to-end encryption to all of its traffic by default and uses the Signal Protocol, which has been "reviewed and endorsed by leading security experts", while Telegram does neither and stores all messages, media and contacts in their cloud. Since July 2016, Line has also applied end-to-end encryption to all of its messages by default, though it has also been criticized for being susceptible to replay attacks and the lack of forward secrecy between clients.
In 2013, an author on the Russian programming website Habr discovered a weakness in the first version of MTProto that would allow an attacker to mount a man-in-the-middle attack and prevent the victim from being alerted by changed key fingerprint. The bug was fixed on the day of the publication with a $100,000 payout to the author and a statement on the official blog.
The Electronic Frontier Foundation (EFF) listed Telegram on its "Secure Messaging Scorecard" in February 2015. Telegram's default chat function received a score of 4 out of 7 points on the scorecard. It received points for having communications encrypted in transit, having its code open to independent review, having the security design properly documented, and having completed a recent independent security audit. Telegram's default chat function missed points because the communications were not encrypted with keys the provider didn't have access to, users could not verify contacts' identities, and past messages were not secure if the encryption keys were stolen. Telegram's optional secret chat function, which provides end-to-end encryption, received a score of 7 out of 7 points on the scorecard. The EFF said that the results "should not be read as endorsements of individual tools or guarantees of their security", and that they were merely indications that the projects were "on the right track".
In December 2015, two researchers from Aarhus University published a report in which they demonstrated that MTProto 1.0 did not achieve indistinguishability under chosen-ciphertext attack (IND-CCA) or authenticated encryption. The researchers stressed that the attack was of a theoretical nature and they "did not see any way of turning the attack into a full plaintext-recovery attack". Nevertheless, they said they saw "no reason why [Telegram] should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist". The Telegram team responded that the flaw does not affect message security and that "a future patch would address the concern". Telegram 4.6, released in December 2017, supports MTProto 2.0, which now satisfied the conditions for IND-CCA. MTProto 2.0 is seen by qualified cryptographers as a vast improvement to Telegram's security.
In April 2016, accounts of several Russian opposition members were hijacked by intercepting the SMS messages used for login authorization. In response, Telegram recommended using the optional two-factor authentication feature. In May 2016, the Committee to Protect Journalists and Nate Cardozo, senior staff attorney at Electronic Frontier Foundation, recommended against using Telegram because of "its lack of end-to-end encryption [by default] and its use of non-standard MTProto encryption protocol, which has been publicly criticized by cryptography researchers, including Matthew Green".
On 2 August 2016, Reuters reported that Iranian hackers compromised more than a dozen Telegram accounts and identified the phone numbers of 15 million Iranian users, as well as the associated user IDs. Researches said the hackers belonged to a group known as Rocket Kitten. Rocket Kitten's attacks were similar to ones attributed to Iran's Islamic Revolutionary Guards Corps. The attackers took advantage of a programming interface built into Telegram. According to Telegram, these mass checks are no longer possible because of limitations introduced into its API earlier in 2016.
Login SMS messages are known to have been intercepted in Iran, Russia and Germany, possibly in coordination with phone companies. Pavel Durov has said that Telegram users in "troubled countries" should enable two-factor authentication by creating passwords in order to prevent this.
In June 2017, Pavel Durov in an interview claimed that U.S. intelligence agencies tried to bribe the company's developers to weaken Telegram's encryption or install a backdoor during their visit to the U.S. in 2016.
In 2018, Telegram sent a message to all Iranian users stating that the Telegram Talai and Hotgram unofficial clients are not secure.
Telegram promised since at least March 2014 that "all code will be released eventually", including all the various client applications (Android, iOS, desktop, etc.) and the server-side code. As of May 2021, Telegram still hasn't published their server-side source code. In January 2021, Durov explained his rationale for not releasing server-side code, citing reasons such as inability for end-users to verify that the released code is the same code run on servers, and a government that wanted to acquire the server code and make a messaging app that would end competitors.
On 9 June 2019, The Intercept released leaked Telegram messages exchanged between current Brazilian Minister of Justice and former judge Sérgio Moro and federal prosecutors. The hypothesis is that either mobile devices were hacked by SIM swap or the targets’ computers were compromised. The Telegram team tweeted that it was either because the user had malware or they were not using 2-step verification.
On 12 June 2019, Telegram confirmed that it suffered a denial-of-service attack which disrupted normal app functionality for approximately one hour. Pavel Durov tweeted that the IP addresses used in the attack mostly came from China.
In December 2019, multiple Russian businessmen suffered account takeovers that involved bypassing SMS single-factor authentication. Security company Group-IB suggested SS7 mobile signalling protocol weaknesses, illegal usage of surveillance equipment, or telecom insider attacks.
On 30 March 2020, an Elasticsearch database holding 42 million records containing user IDs and phone numbers of Iranian users was exposed online without a password. The accounts were extracted from an unofficial government-sanctioned version of Telegram. It took 11 days for the database to be taken down, but the researchers say the data was accessed by other parties, including a hacker who reported the information to a specialized forum.
In September 2020, it was reported that Iran's RampantKitten ran a phishing and surveillance campaign against dissidents on Telegram. The attack relied on people downloading a malware-infected file from any source, at which point it would replace Telegram files on the device and 'clone' session data. David Wolpoff, a former Department of Defense contractor, has stated that the weak link in the attack was the device itself and not any of the affected apps: "There’s no way for a secure communication app to keep a user safe when the end devices are compromised."
In July 2021, researchers from Royal Holloway, University of London and ETH Zurich published an analysis of the MTProto protocol, concluding that the protocol could provide a "confidential and integrity-protected channel" for communication. They also found that attackers had the theoretical ability to reorder messages coming from the client to the server though the attacker would not be able to see the content of the messages. Several other theoretical vulnerabilities were reported as well, in response to which Telegram released a document stating that the MITM attack on the key exchange was impossible as well as detailing the changes made to the protocol to protect from it in the future. All issues were patched before the paper's publication with a security bounty paid out to the researchers.
In September 2021, a Russian researcher published details about a bug with the self-destruct feature that allowed the user to recover deleted photos from their own device. The bug was patched prior to publication and Telegram representatives offered a €1,000 bug bounty. The researcher did not sign the NDA that came with the offer and did not receive the award, opting to disclose the bug instead.
Telegram has organized two cryptography contests to challenge its own security. Third parties were asked to break the service's cryptography and disclose the information contained within a secret chat between two computer-controlled users. A reward of respectively US$200,000 and US$300,000 was offered. Both of these contests expired with no winners. Security researcher Moxie Marlinspike, founder of the competing Signal messenger, and commenters on Hacker News criticized the first contest for being rigged or framed in Telegram's favor and said that Telegram's statements on the value of these contests as proof of the cryptography's quality are misleading. This was because the cryptography contest could not be won even with completely broken algorithms such as MD2 (hash function) used as key stream extractor, and primitives such as the Dual EC DRBG that is known to be backdoored.
Telegram was the main subject surrounding the 2019 Puerto Rico riots that ended up in the resignation of then-Governor Ricardo Rosselló. Hundreds of pages of a group chat between Rosselló and members of his staff were leaked. The messages were considered vulgar, racist, and homophobic toward several individuals and groups, and discussed how they would use the media to target potential political opponents.
Images threatening attacks in London and other major world capitals have been posted on jihadi messaging app Telegram