
Patrick Bray
And welcome to another episode of Seriously Risky Business, the podcast we do here at Risky Business, which is all about cyber policy and intelligence and really, really important stuff like that. My name is Patrick Bray. We would like to thank the William and Flora Hewlett Foundation for supporting this policy and intelligence related work that we do here. And we'd also like to thank this week's sponsor, which is SpecterOps. And SpecterOps are the makers of BloodHound, which is a tremendously useful tool for enumerating attack paths through things like Active Directory. They also do cloud-based stuff and Entra ID attack path enumeration as well. But yeah, very cool stuff. If you don't know them, go check them out. BloodHound, SpecterOps. All right, so joining me now is Tom Uren, who is our Policy and Intelligence Editor. And we're going to talk through the newsletter that he's written today, which is going out in the Seriously Risky Business newsletter. You can find subscription links to that one at Risky Biz. And Tom, this week's edition, I guess you'd call it the Scam edition because you've covered a whole bunch of stuff related to the sort of, you know, cyber scam ecosystem.
Tom Uren
Yeah, yeah. So one of the very interesting things was that Telegram shut down two huge, they're called guarantee markets. So these are marketplaces for criminal services. So criminals sell things like deep fakes and malware and all sorts of bits and bobs that you can use if you're trying to scam people. And these marketplaces have kind of grown up around the Southeast Asian scam syndicates and they are absolutely massive. And like, like, for example, the biggest one took, has taken US$24 billion worth of cryptocurrency over the past, I think it's only three or four years, so absolutely huge. Almost 900,000 users. And they basically ran on Telegram. So I think late last year I wrote a piece where the UN produced a report on these types of markets, among other things. And it was just really striking how much Telegram was used to facilitate the running of these marketplaces. And so in the last week, Telegram shut down the two biggest of these marketplaces. And I sort of look at why this has happened because Telegram has traditionally been not the most cooperative when it comes to law enforcement and moderation requests. And my take is that it's because the CEO Pavel Durov was arrested in France last year, in August last year. And he was arrested because it turns out the French prosecutors, there had been lots of different officers that had tried to get cooperation with Telegram. And none of them, basically none of them ever had. And it wasn't until they had, I guess, collated all the times that they tried, they realized that over something like nine or ten years, Telegram had just not cooperated with over nearly two and a half thousand requests. And so at that point, the prosecutors went, okay, well, I think that's worthy of, like, levying some charges against Durov. And Durov happens to be a French citizen, and so when he visited France, he was arrested.
And like, amazingly, almost overnight, there was a sea change at Telegram where they started cooperating with requests.
Patrick Bray
They've charged him with essentially facilitating a whole bunch of crime. And when you, when you start looking at these numbers where, as you say, like, $24 billion in money laundering, you know, involving organizations that are now subject to U.S. Treasury sanctions, you sort of think, what were you doing?
Tom Uren
Yeah. It's not as if, like, Telegram's not encrypted in a way where you don't know things are going on. Like, it's not like Signal where everything is end-to-end encrypted. These are public channels where, public to some degree, where you can join and you can see what's going on. Like, there was that UN report in August last year, I think it was. More recently, there's been reports from Elliptic, which is a blockchain analysis company. Wired's done an article on them. Like, these are not open secrets of 900,000 people. Yeah, exactly.
Patrick Bray
When you've got nearly a million people participating in a thriving criminal marketplace, it's not like Telegram doesn't know about it. And I can understand some social media organizations saying, well, the cost of moderating absolutely everything is going to be too high. But, you know, this is a crime marketplace with nearly a million people in it. You would think that closing it would be a fairly easy decision. And apparently, until you are threatened with spending time in a French prison, you know, it's not something you want to do.
Tom Uren
Yeah. I mean, I think it's interesting your comment. Like, I agree, social media companies can't moderate everything, but this is the largest criminal marketplace ever in history.
Patrick Bray
Yeah. I mean, dark web, eat your heart out, basically. I mean, I think at various times through this whole drama, I've referred to Telegram as the dark web in your pocket. Right. And, you know, here we are.
Tom Uren
Yeah, yeah. And so the question for me this raises is, how long does Telegram's cooperation continue? So one of the articles I looked at was a Wired article that looks at the history of its cooperation and in the past, Telegram has cooperated with police. So I think it was 2017, 2018. It describes it as a high watermark. And at that point, they were looking for funding, and so they were cleaning up things to present a more appealing picture to investors. And so it seems like Durov's natural inclination is to not cooperate, but when he needs to, he will. So in the past, it was funding. Now it's because he's facing, like, very serious legal threats. And so do those motivations continue for him over time, or does he revert back to type? Now, like, cynical me thinks that perhaps there needs to be some sort of leverage that will maintain that. In the EU they've got the Digital Services Act, which is relatively recent, that I think has more sticks, I guess, to try and encourage that cooperation.
Patrick Bray
I mean, we definitely need a forever stick here. You know, it can't just be that this case resolves and then it's like, hey, fraud time again, and, you know, he just avoids France. Right, because that. That is the concern here.
Tom Uren
Yeah, exactly. I think you've. You've summed up my point beautifully.
Patrick Bray
Yeah, yeah. So, I mean, there's also some other stuff happening with Pavel Durov at the moment where he's kind of picking a fight with the French government over the Romanian election, of all things. Now, the very pro Russian candidate just lost in the Romanian election over the weekend, and this has made Pavel Durov very unhappy. In fact, he is supporting efforts from the failed candidate to, you know, have the election annulled and, you know, blah, blah, blah, blah, blah. But he was also posting before the election that the French government was asking him to silence conservative voices. It looks like really what had happened is the French government had identified various nodes in disinformation networks, bots, essentially, and asked Telegram to take them down. And now, you know, Durov is couching this as, you know, an attempt to silence conservative voices, which, if they're automated bots, I have a problem with calling them voices. So, you know, he is. He. It seems like he is sort of caught between trying to please the Europeans to stay out of prison and trying to please the Russians so he doesn't wind up being pushed out of a window, you know, which doesn't seem like a particularly happy place to be.
Tom Uren
No, it's. I think that that is very much a problem for him. And I think it's interesting that he's not even out of the French court case, that investigation's still going, and he's still trying to satisfy what appears to be his masters in Russia or Russian interests. And so this is part of the reason that I'm concerned about the long term prospects for Telegram staying on the straight and narrow, I guess, if you can call the straight and narrow, like taking down the two largest illegal marketplaces ever.
Patrick Bray
Yeah, I mean, you know, we got to remember too, that Telegram has been embroiled in some scandals in Eastern Europe, or we call it Central Europe now. So, you know, there was an allegation that a lot of vote buying was happening in Moldova via Telegram, allegations surfacing that similar kind of things were happening in Romania in the lead up to their most recent election. So, you know, and there it's long been thought that Durov has a close relationship with Russian security services. So I do feel like this guy is really between a rock and a hard place where, okay, maybe he can sacrifice the Cambodian, you know, scam lords, but he still has to play ball with the Russians on disinformation stuff, which is like, what a position to be in, you know, I can't imagine I'd be very happy if I were him.
Tom Uren
Yeah. There's lots of circumstantial evidence that he's more closely related to Russian intelligence than he portrays. So he portrays himself as an exile, but from Russia. But he's been back many times. There's lots of anecdotal stories about Russian dissidents who thought that Telegram was safe. And then they get hauled into the police station or the FSB, the security service, and the security service people will, like, read out their Telegram conversations. It's hard to know if that's like access to Telegram, that's like technically very possible, or it's because every Telegram group has informants. So there's some element of doubt either way.
Patrick Bray
I mean, there is the whiff of Russian cooperation around Pavel Durov. Like, you know. Well, I think any way you slice or dice it, and logically it just makes sense that that would be the case.
Tom Uren
The most convincing thing is what he said about the Romanian election where he supported Russian interests. It was in the hours before the polls closed. So it's, you know, if you've got a problem with what the French are doing, you can either do it. You can say what the French have requested, allegedly. You can either do it exactly at the time or you can do it after the election. But doing it in the middle of polls very much feels like you're trying to influence the election rather than stay out of it.
Patrick Bray
Yeah, well, didn't work. So there you go. Now, look, you've also written a piece here. You know, you've just directed people to read a piece from Rest of World which chronicles the personal stories of some of the people who are trafficked into these scam compounds to do the actual scamming. It's heartbreaking stuff, you know, so people can go and read about that one in the newsletter and then click through to the Rest of World piece. But you've also got another item in here which really looks at how Meta is the cornerstone of the scam economy. This is where victims are found, is Instagram and Facebook. Basically.
Tom Uren
Yeah. Yeah. So the. There's an article in the Wall Street Journal. They talk to regulators, victims, Meta, current and former employees. And the basic dynamic they come up with is that Meta allows scam advertisements more than perhaps they should. And so there's an economic incentive for Meta not to make it too hard to be able to run ads. The harder they make it, the less money they make. And that has this sort of perverse incentive where they're encouraged to prioritize other things. So some of those things that they've prioritised are, for example, combating human trafficking. So some of the people who end up in the scam compounds we've been talking about, they were recruited via Facebook. Via Facebook ads. Now, that's not the only means. And Facebook says that they prioritize human trafficking higher than scam advertisements, which, like, is fair enough. I think that is the thing you should prioritize. Yet at the same time, there is this dynamic where it's not in their financial interest to get rid of scam advertisements. And so I think this is a sort of place where it seems like a government regulator should take a good hard look. What do you expect of your companies in terms of due diligence to be able to run ads.
Patrick Bray
Yeah. And I think it's worth pointing out, too, they're not just concerned that they'll lose the revenue from the scam ads. The concern is that they're going to add friction.
Tom Uren
Yes.
Patrick Bray
To the process of buying advertisements, and that will just pull their revenue down across the board. And I can understand why some sociopathic executive at Meta would think about it in these ways. But when your users are having their life savings stolen, you know, but I mean, that doesn't affect their bottom line. So I mean, it's just, you know, I think you're right. I think the only solution to something like this is going to be a bit of a regulation stick.
Tom Uren
Well, to me, it's the difference between what's the right balance for a company versus what is the right balance for society? And a company will come up with its perfect balance, which is not necessarily what everyone else wants. And so I think that's what government is for, is to try.
Patrick Bray
The river is a perfectly good place to put this toxic waste. You know, I mean, but that's the thing. If you let companies determine their own. Their own balance, they don't. They care about the bottom line. They don't care about the broader. It's not their job. They got to look after shareholders, not the world. Come on. What are you, a hippie?
Tom Uren
No, no, no. I'm just trying to be fair and balanced about the whole thing. And I think it. When you're. The way I describe it, it makes you realize there is a problem.
Patrick Bray
Yes, I hope 100%.
Tom Uren
That's what I'm trying to get across.
Patrick Bray
Yeah. Now, look, last week we didn't do one of these podcasts because we had one in the can, which was a discussion between myself, Rob Joyce, who's former NSA, and Andy Boyd, who's former CIA. If people missed that, go check it out. It was a fascinating conversation, but there was one thing that you covered in the newsletter last week that we definitely wanted to talk about, which was some company did an analysis of the most popular Chinese apps in Chinese app stores and found that if an app was popular, it was just almost guaranteed to be using absolutely awful encryption. And this is very interesting because you wonder if that is policy. Right? I mean, if you are a signals intelligence agency in a country like China where you could force people to use bad encryption, you know, would you implement that policy so that you could break stuff on the wire? I mean, I don't know that that's the case. Right. Because you've got to remember that the Chinese government gets an awful lot of cooperation out of the app makers. So I don't know how often they would need to actually break stuff on the wire. But the whole thing is very weird.
Tom Uren
Yeah, I found it really interesting. So it was researchers from Princeton and the Citizen Lab, and they did a big picture look at almost 1700 apps. So there have been lots of, I guess, point reports which look at a particular Chinese app, you know, this one or that one, and, you know, amazingly, the security settings are typically bad. That is like looking with a spotlight. Whereas this is showing you the big picture. They built an automated test system. They found that mostly there's, I think, something like nine different families of cryptographic systems, and almost all of them had faults that you could exploit in one way or another. Some of them were like just not checking certificates so that it made it possible to man-in-the-middle any communication. And of course the Great Firewall is that kind of middle box that could potentially intercept and decrypt.
Patrick Bray
They have the plumbing for that to be useful, I guess is the point.
Tom Uren
Yeah, yeah, yeah. So I thought that was very interesting. Now it's. They all seem to use a different variety of different crypto systems that are all bad in their own unique ways. So that doesn't feel like a government policy. Government policy seems like you would use this or that.
Patrick Bray
Yeah, here is a library. Use that one.
Tom Uren
Yeah, but it is at the same time they found that the more popular an app was, the more likely that there was to be a problem.
Patrick Bray
We had a listener suggest something interesting which is they wondered how this might connect to historical like crypto export controls. And I did wonder like if there were export controls on western crypto back then. And then you got the Snowden leaks and stuff. And like perhaps these guys just don't trust, you know, the filthy, decadent, bourgeois western crypto algorithms.
Tom Uren
Yeah, like, to be honest, I was hoping that someone would get in touch and say, ah, here's the reason I've got this wonderful experience that is perfectly suited to answer this question. I just thought the whole thing was very fascinating. Like, you know, is it policy? I don't think so, but in some ways it feels like it is. It's certainly in the Chinese government's interest.
Patrick Bray
I mean, if it's not policy, there's probably people listening to this at the NSA right now saying shut up. Because really, like, you know, we're talking about very, very popular apps using vulnerable encryption, which is, you know, terrific for China's adversaries. Then again, I mean, you've got to be present on the network in China to sort of exploit those sort of flaws. Unless you're dealing with, you know, cross border communications and whatever. But yeah, it's just a weird thing like, you know, it's, it's one of those stories where the results of that analysis are not what you would expect.
Tom Uren
I also think that in terms of, for the Chinese state, their like number one priority is internal stability. And so this, if it is a policy decision, if this is the way that they want their Internet to be, I don't think they've got a choice. They can't make it a whole lot more secure because it's driven by the priority for internal security and surveillance.
Patrick Bray
But I think the way that that manifests is that they could just dip into any WeChat conversation they want. You know what I mean? They don't need to pull stuff off the wire like peasants. You know, they can just go straight to their access portal and read whatever they want.
Tom Uren
Yeah, yeah. So, interestingly enough, WeChat was one of the most secure systems. I think that makes sense. You know, once we've established a good connection to the.
Patrick Bray
Yeah, exactly. Once we have the we can read everything portal, why do we need to worry about getting them to use weak crypto?
Tom Uren
Yeah, that's right. But, I mean, who knows?
Patrick Bray
Yeah, exactly. But it is curious, let's put it that way. Which is why it was a fun one to talk about. We don't have the answers, people, but, you know, you look at that and you just think, that's, that's a bit strange. That's a bit strange. We'll wrap it up there. Tom Uren, thank you so much for joining me to talk through your newsletter of the week and last week's newsletter. Again, if you're not subscribed to Tom's newsletter and also Catalin's newsletter, because we've got two, you know, four editions a week, head over to Risky Biz and subscribe to them. Great to chat to you about your work this week, Tom. Thank you very much. And we'll do it again next week.
Tom Uren
Thanks, Patrick.
Risky Bulletin: Telegram’s Shift in Cooperation and the Expanding Cyber Scam Ecosystem
Episode: Srsly Risky Biz: Telegram is cooperating with authorities, for now
Release Date: May 22, 2025
Host: Patrick Bray
Guest: Tom Uren, Policy and Intelligence Editor
In this episode of Risky Bulletin, Patrick Bray and Tom Uren delve into the evolving landscape of cybercrime, focusing on Telegram’s recent cooperation with authorities in shutting down massive criminal marketplaces. They also explore the critical role Meta plays in the scam economy and discuss alarming findings about the encryption practices of popular Chinese apps. This comprehensive discussion sheds light on the intricate challenges and responses within the cybersecurity realm.
At the heart of this episode is the significant development surrounding Telegram, a platform previously notorious for hosting vast criminal marketplaces. Tom Uren explains, “Telegram shut down two huge guarantee markets,” referring to platforms where criminals trade services such as deep fakes and malware ([01:15]). These marketplaces, particularly thriving in Southeast Asia, have amassed staggering figures: one such marketplace facilitated over US$24 billion in cryptocurrency transactions within just three to four years, engaging nearly 900,000 users.
The turning point for Telegram’s cooperation with authorities stems from the arrest of its CEO, Pavel Durov, in France last August. Uren provides insight into the catalyst: “They realized that over something like nine or ten years, Telegram had just not cooperated with nearly two and a half thousand requests” ([02:30]). This persistent lack of cooperation led French prosecutors to charge Durov with facilitating widespread crime, compelling Telegram to alter its stance nearly overnight.
Despite this shift, questions loom over the sustainability of Telegram's newfound cooperation. Uren muses, “Do those motivations continue for him over time, or does he revert back to type?” ([05:28]). The introduction of the EU’s Digital Services Act may serve as a regulatory lever to maintain accountability, but uncertainties remain about Telegram’s long-term compliance.
Adding complexity to the situation, Durov finds himself navigating pressures from multiple fronts. He is reportedly “supporting efforts from the failed candidate to have the election annulled” and claims the French government sought to “silence conservative voices” through Telegram ([07:08]). Uren raises suspicions about Durov’s relationships, suggesting, “There’s lots of circumstantial evidence that he's more closely related to Russian intelligence than he portrays” ([09:38]). This dual pressure, from European authorities seeking compliance and alleged Russian interests pushing disinformation, puts Durov in a precarious position, threatening the platform’s continued collaboration with law enforcement.
Shifting focus, the discussion turns to Meta (formerly Facebook) and its inadvertent role in sustaining the scam economy. Uren references a Wall Street Journal article highlighting how Meta prioritizes certain types of advertisements over others. Specifically, while Meta intensifies efforts against human trafficking ads, scam advertisements remain alarmingly prevalent ([11:49]). This imbalance stems from economic incentives: “The harder they make it, the less money they make,” notes Uren, pointing to the inherent conflict between profitability and stringent ad moderation ([12:15]).
The conversation underscores the perverse incentives within Meta’s advertising model. Bray adds, “The concern is that they're going to add friction to the process of buying advertisements, and that will just pull their revenue down across the board” ([13:20]). Both hosts agree that relying solely on corporate self-regulation is insufficient, emphasizing the necessity for government intervention to enforce due diligence and protect users from predatory scams.
Uren articulates, “What is the right balance for a company versus what is the right balance for society?” ([13:53]). This distinction highlights the fundamental role of government in setting standards that prioritize societal well-being over corporate profits, advocating for regulations that compel platforms like Meta to take more decisive actions against scam advertisements.
Another critical segment of the episode examines a collaborative study by Princeton University and the Citizen Lab, which analyzed nearly 1,700 Chinese apps available in Chinese app stores. The findings were disconcerting: most of these apps employed severely flawed encryption practices, rendering them vulnerable to exploitation. Uren explains, “They found that mostly there's like nine different families of cryptographic systems, and almost all of them had faults that you could exploit” ([16:44]).
The study raises poignant questions about whether these encryption weaknesses are a result of deliberate government policy or technological shortcomings. With “nearly every app being exploitable in some way,” the potential for man-in-the-middle attacks is high, especially given China’s robust Great Firewall infrastructure. Bray muses on the possible motivations behind such practices, pondering if distrust of Western crypto algorithms plays a role ([15:41]).
Uren posits that China’s priority on internal stability might drive these encryption flaws, stating, “If this is a policy decision, if this is the way that they want their Internet to be, I don't think they've got a choice” ([18:03]). This perspective suggests that the Chinese government prioritizes surveillance and control over the security of communications, potentially compromising the integrity of millions of app users.
In this episode, Patrick Bray and Tom Uren provide a thorough analysis of significant developments in the cybersecurity landscape. From Telegram’s reluctant cooperation with authorities following Pavel Durov’s legal troubles to Meta’s inadvertent support of the scam economy, and unsettling encryption practices within Chinese apps, the discussion underscores the complexities and interdependencies that shape cyber policy and intelligence today. The insights shared not only highlight ongoing challenges but also emphasize the critical need for robust regulatory frameworks to mitigate cyber threats and protect digital ecosystems.
Notable Quotes:
Tom Uren: “Telegram shut down the two biggest of these marketplaces... [and] it was because the CEO Pavel Durov was arrested in France last year” ([01:15]).
Patrick Bray: “When you've got nearly a million people participating in a thriving criminal marketplace, it's not like Telegram doesn't know about it” ([04:47]).
Tom Uren: “There is a problem... it makes you realize there is a problem” ([14:34]).
Tom Uren: “If this is a policy decision... I don't think they've got a choice” ([18:03]).
For more in-depth analyses and updates on cybersecurity news, subscribe to the Seriously Risky Business newsletter at Risky Biz.