Telegram is a freeware, cross-platform, cloud-based instant messaging (IM) software and application service. The service also provides end-to-end encrypted video calling, VoIP, file sharing and several other features. It was initially launched for iOS on 14 August 2013 and Android in October 2013. The application servers of Telegram are distributed worldwide to decrease data load with five data centers in different regions, while the operational center is currently based in Dubai. Various Telegram client apps are available for desktop and mobile platforms including official apps for Android, iOS, Windows, macOS and Linux, as well as for the now-discontinued Windows Phone. There are also two official Telegram web apps- WebK and WebZ and numerous unofficial clients that make use of Telegram's protocol. All of Telegram's official components are open source, with the exception of the server which is closed-sourced and proprietary.
Telegram was launched in 2013 by brothers Nikolai and Pavel Durov. Previously, the pair founded the Russian social network VK, which they left in 2014 after it was taken over by President Putin's allies. Pavel Durov sold his remaining stake in VK and left Russia after resisting government pressure. Nikolai Durov created the MTProto protocol that is the basis for the messenger, while Pavel Durov provided financial support and infrastructure through his Digital Fortress fund. Telegram Messenger states that its end goal is not to bring profit, but it is not currently structured as a non-profit organization.
Telegram is registered as both an English LLP and an American LLC. It does not disclose where it rents offices or which legal entities it uses to rent them, citing the need to "shelter the team from unnecessary influence" and protect users from governmental data requests. Pavel Durov said that the service was headquartered in Berlin, Germany, between 2014 and early 2015, but moved to different jurisdictions after failing to obtain residence permits for everyone on the team. After Pavel Durov left Russia, he is said to be moving from country to country with a small group of computer programmers consisting of 15 core members. According to press reports, Telegram had employees in Saint Petersburg. The Telegram team is currently based in Dubai.
In October 2013, Telegram announced it had 100,000 daily active users. On 24 March 2014, Telegram announced that it had reached 35 million monthly users and 15 million daily active users. In October 2014, South Korean governmental surveillance plans drove many of its citizens to switch to Telegram. In December 2014, Telegram announced that it had 50 million active users, generating 1 billion daily messages, and that it had 1 million new users signing up on its service every week, traffic doubled in five months with 2 billion daily messages. In September 2015, Telegram announced that the app had 60 million active users and delivered 12 billion daily messages.
In February 2016, Telegram announced that it had 100 million monthly active users, with 350,000 new users signing up every day, delivering 15 billion messages daily. In December 2017, Telegram reached 180 million monthly active users. In March 2018, Telegram reached 200 million monthly active users. On 14 March 2019, Pavel Durov claimed that "3 million new users signed up for Telegram within the last 24 hours." Durov did not specify what prompted this flood of new sign-ups, but the period matched a prolonged technical outage experienced by Facebook and its family of apps, including Instagram.
According to the U.S. Securities and Exchange Commission, the number of monthly Telegram users as of October 2019 is 300 million people worldwide.
On 24 April 2020, Telegram announced it had reached 400 million monthly active users. On 8 January 2021, Durov announced in a blog post that Telegram was at "about 500 million" monthly active users.
Telegram accounts are tied to telephone numbers and are verified by SMS. Users can add multiple devices to their account and receive messages on all of them. Connected devices can be removed individually or all at once. The associated number can be changed at any time and when doing so, the user's contacts will receive the new number automatically. In addition, a user can set up a username as an alias that allows them to send and receive messages without exposing their phone number. Telegram accounts can be deleted at any time and they are deleted automatically after six months of inactivity by default, which can optionally be changed from 1 month at the shortest up to 12 months at most with a range between. Users can replace exact "last seen" timestamps with broader messages such as "last seen recently".
The default method of authentication that Telegram uses for logins is SMS-based single-factor authentication. All that is needed to log into an account and gain access to that user's cloud-based messages is a one-time passcode that is sent via SMS to the user's phone number. This can be prevented by creating a password as a form of two-step verification.
Telegram's default messages are cloud-based and can be accessed on any of the user's connected devices. Users can share photos, videos, audio messages and other files (up to 2 gigabytes per file). Users can send messages to other users individually or in groups of up to 200,000 members. Sent messages can be edited up to 48 hours after they have been sent and can be deleted at any time on both sides. Messages in all chats, including groups and channels, can be set to auto-delete after 24 hours or 7 days, although this will only apply to messages sent after the auto-delete timer is enabled. Telegram offers drafts which sync across user devices, such as when a user starts typing a message on one device and can later continue on another. The draft will persist in editing area on any device until it is sent or removed. All chats, including groups and channels, can be sorted into custom folders set by the user. Users have the option to schedule messages in personal chats to be sent when the other side comes online. Users can also import chat history, including both messages and media, from WhatsApp, Line and Kakaotalk due to data portability, either making a new chat to hold the messages or adding them to an existing one.
The transmission of cloud messages to Telegram's servers is encrypted with the service's MTProto protocol, while 'Secret Chats' use end-to-end encryption based on the same protocol. According to Telegram's privacy policy, "all data is stored heavily encrypted and the encryption keys in each case are stored in several other data centers in different jurisdictions. This way local engineers or physical intruders cannot get access to users' data". Telegram's local message database is not encrypted by default. Some Telegram clients allow users to encrypt the local message database by setting a passphrase.
Messages can also be sent with client-to-client encryption in so-called secret chats. These messages are encrypted with the service's MTProto protocol. Unlike Telegram's cloud-based messages, messages sent within a secret chat can be accessed only on the device upon which the secret chat was initiated and the device upon which the secret chat was accepted; they cannot be accessed on other devices. Messages sent within secret chats can, in principle, be deleted at any time and can optionally self-destruct.
Secret chats have to be initiated and accepted by an invitation, upon which the encryption keys for the session are exchanged. Users in a secret chat can verify that no man-in-the-middle attack has occurred by comparing pictures that visualize their public key fingerprints.
According to Telegram, secret chats have supported perfect forward secrecy since December 2014. Encryption keys are periodically changed after a key has been used more than 100 times or has been in use for more than a week. Old encryption keys are destroyed.
Windows and Linux users are still not able to use secret chats using the official Telegram Desktop app while the official macOS-only client supports them.
Secret chats are not available for groups or channels.
In September 2015, Telegram added channels. Channels are a form of one-way messaging where admins are able to post messages but other users are not. Any user is able to create and subscribe to channels. Channels can be created for broadcasting messages to an unlimited number of subscribers. Channels can be publicly available with an alias and a permanent URL so anyone can join. Users who join a channel can see the entire message history. Users can join and leave channels at any time. Depending on a channel's settings, messages may be signed with the channel's name or with the username of the admin who posted them. Non-admin users are unable to see other users who've subscribed to the channel. Furthermore, users can mute a channel, meaning that the user will still receive messages, but won't be notified. Admins can give permission to post comments on the Telegram channel with help of bots. The admin of the channel can obtain general data about the channel. Each message has its own view counter, showing how many users have seen this message, this includes views from forwarded messages. As of May 2019, the creator of a channel can add a discussion group, a separate group where messages in the channel are automatically posted for subscribers to communicate.
In December 2019, Bloomberg moved their messenger-based newsletter service from WhatsApp to Telegram after the former banned bulk and automated messaging. The news service is attempting to grow its audience outside the U.S. Channel comment was added on October 1, 2020 via threads in discussion groups.
At the end of March 2017, Telegram introduced its own voice calls. The calls are built upon the end-to-end encryption. Connection is established as peer-to-peer whenever possible, otherwise the closest server to the client is used. According to Telegram, there is a neural network working to learn various technical parameters about a call to provide better quality of the service for future uses. After a brief initial trial in Western Europe, voice calls are now available for use in most countries.
Telegram announced in April 2020 that they would include group video calls by the end of the year. On 15 August 2020, Telegram added video calling with end-to-end encryption like Signal and WhatsApp, which Zoom does not have yet. Currently offering one-to-one video calls, Telegram has plans to introduce secure group video calls later in 2020. Picture-in-picture mode is also available so that users have the option to simultaneously use the other functions of the app while still remaining on the call and are even able to turn their video off.
Telegram's video and voice calls are secure and end-to-end encrypted.
Telegraph is a publishing tool used to create formatted posts with photos and embedded media.
Telegraph is designed in a minimalist style, the article pages do not contain any controls. Each article on the website is separate, there is no possibility to merge articles into groups or hierarchies. For each article, the author specifies a title and optionally a subtitle, usually used for the author's name. In addition, the title of the article indicates the date of the first publication, which the author of the article cannot influence.
Text formatting options are also minimal: two levels of headings, single-level lists, bold, italics, quotes, and hyperlinks are supported. Authors can upload images and video to the page, with a limit of 5mb. When an author adds links to YouTube, Vimeo, or Twitter, the service allows you to embed their content directly in the article.
When an article is first published, the URL is generated automatically from its title. Non-Latin characters are transliterated, spaces are replaced with hyphens, and the date of publication is added to the address. For example, an article titled "Telegraph (blog platform)" published on November 17 would receive the URL /Telegraph-blog-platform-11-17.
Instant View is a way to view web articles with zero pageload time. With Instant View, Telegram users can read articles from mass media or blogs in a uniform and readable way. Instant View pages support text and media of any type and work even if the original website was not optimized for mobile devices.
On top of this, Instant View pages are extremely lightweight and cached on the Telegram servers, so they load instantly on pretty much any connection.
In June 2015, Telegram launched a platform for third-party developers to create bots. Bots are Telegram accounts operated by programs. They can respond to messages or mentions, can be invited into groups and can be integrated into other programs. It also accepts online payments with credit cards and Apple Pay. Dutch website Tweakers reported that an invited bot can potentially read all group messages when the bot controller changes the access settings silently at a later point in time. Telegram pointed out that it considered implementing a feature that would announce such a status change within the relevant group. There are also inline bots, which can be used from any chat screen. In order to activate an inline bot, user needs to type in the message field a bot's username and query. The bot then will offer its content. User can choose from that content and send it within a chat. Bots can also handle transactions provided by Paymentwall, Yandex.Money, Stripe, Ravepay, Razorpay and QiWi, Google Pay for different countries. Bots also power Telegram’s gaming platform, which utilizes HTML5, so games are loaded on-demand as needed, like ordinary webpages. Games work on iPhones 4 and newer and on Android 4.4 devices and newer. People can use Internet Of Things (IoT) services with two-ways interaction for IFTTT implemented within Telegram.
Telegram has more than 20,000 stickers. Stickers are cloud-based, high-resolution images intended to provide more expressive emoji. When typing in an emoji, the user is offered to send the respective sticker instead. Stickers come in collections called "packs", and multiple stickers can be offered for one emoji. Telegram comes with one default sticker pack, but users can install additional sticker packs provided by third-party contributors. Sticker sets installed from one client become automatically available to all other clients. Sticker images use WebP file format, which is better optimized to be transmitted over internet.
Telegram added voice chats in December 2020. Any group or channel admin can launch a chat, which will be open to all members and ongoing even if no one is currently using it. Admins can mute members by default or selectively as well create invite links that will add people as muted by default. Members can use the Raise Hand button to signal their desire to speak. A push-to-talk option is available on mobile versions, as well as key shortcuts to mute and unmute oneself on Telegram Desktop. Admins of groups or channels have the option to join as their group or channel, hiding their personal account. Users can also record chats with a red dot shown as a warning during the recording period.
Since version 4.1, released in May 2017, Telegram offers a dedicated video hosting platform called Telescope. The round videos can be up to one minute long and autoplay. When posted in a public channel on Telegram, the videos are also uploaded to and viewable without an account. However, Telegram video messages and "Telescope" videos sent within non-public chats or groups are not published.
For either 15 minutes, one hour, or eight hours, Telegram users can share their live location in a chat since version 4.4 released in October 2017. If multiple users share their live location within a group, they are shown on an interactive map. Sharing the 'live location' can be stopped at any time.
In February 2018, Telegram launched their social login feature to its users, named Telegram Login. It features a website widget that could be embedded into websites, allowing users to sign into a third party website with their Telegram account. The gateway sends users' Telegram name, username, and profile picture to the website owner, while users' phone number remains hidden. The gateway is integrated with a bot, which is linked with the developer's specific website domain.
In July 2018, Telegram introduced their online authorisation and identity management system, Telegram Passport, for platforms that require real-life identification. It asks users to upload their own official documents such as passport, identity card, driver license, etc. When an online service requires such identification documents and verification, it forwards the information to the platform with the user's permission. Telegram stated that it does not have access to the data, while the platform will only share the information to the authorised recipient. However, the service was criticised for being vulnerable to online brute force attacks.
Polls are available on Android, iOS, and the desktop applications. Polls have the option to be anonymous or visible. A user can enter multiple options into the poll. Quiz mode can also be enabled where a user can select the right answer for their poll and leave it to the group to guess. Quiz bots can also be added to track correct answers and even provide a global leaderboard.
Comments.App, is a tool for commenting on pages, channel posts, it lets you add a comments widget to your website. With the widget in place, Telegram users will be able to log in with just two taps and leave comments with text and photos, as well as like, dislike and reply to comments from others. They can also subscribe to comments and get notifications from @DiscussBot. Widgets are configurable. Developers can change the color theme, use different colors for names, change the design to a dark theme, change the maximum number of comments on the page, change the height, assign moderators, and block user spam; the mode of filled and outlined icons is also supported.
People Nearby can help users meet new friends by turning on phone GPS location and opting-in in contacts and through Groups Nearby people can create a local group by adding location data to groups.
Telegram allows groups, bots and channels with a verified social media or Wikipedia page to be verified but not user accounts.
The official Telegram clients support sending any file format extensions. Natively supported in their viewer/player in mobile and desktops versions of Telegram are the common media formats - JPEG, PNG, WebP for images and H.264 and HEVC in videos in MP4 container and MP3, FLAC, Vorbis, Opus and AAC for audio.
Telegram uses a symmetric encryption scheme called MTProto. The protocol was developed by Nikolai Durov and other developers at Telegram and is based on 256-bit symmetric AES encryption, 2048-bit RSA encryption and Diffie–Hellman key exchange.
As with most instant messaging protocols, Telegram uses centralized servers. Telegram Messenger LLP has servers in a number of countries throughout the world to improve the response time of their service. Telegram's server-side software is closed-source and proprietary. Pavel Durov said that it would require a major architectural redesign of the server-side software to connect independent servers to the Telegram cloud.
For users who signed in from the European Economic Area (EEA) or United Kingdom, the General Data Protection Regulations (GDPR) are supported by storing data only on servers in the Netherlands, and designating a London based company as their responsible data controller.
Telegram has various client apps, some developed by Telegram Messenger LLP and some by the community. Most of them are free and open-source and released under the GNU General Public Licence version 2 or 3.
Telegram has public APIs with which developers can access the same functionality as Telegram's official apps to build their own messaging applications. In February 2015, creators of the unofficial Whatsapp+ client released the Telegram Plus app, later renamed to Plus Messenger, after their original project got a cease-and-desist order from WhatsApp. In September 2015, Samsung released a messaging application based on these APIs.
Telegram also offers an API that allows developers to create bots, which are accounts controlled by programs. In February 2016, Forbes launched an AI-powered news bot that pushes popular stories to subscribers and replies to search queries with relevant articles. TechCrunch launched a similar bot in March 2016. (Both of them are down)
In addition, Telegram offers functions for making payments directly within the platform, alongside an external service such as Stripe.
Telegram has openly stated, that the company will never sell advertisements. Despite that, in late 2020, Durov announced that the company was working on its own Ad Platform, and will integrate ads in public one-to-many channels, that already sell and display ads in form of regular messages.
Durov announced that Telegram will also consider adding paid features aimed at enterprise clients. According to him, these features will require more bandwidth and the added cost will be covered by the feature prices, in addition to covering some of the costs incurred by regular users.
In 2017, in an attempt to monetize Telegram without advertising, the company began the development of a blockchain platform dubbed either “The Open Network” or “Telegram Open Network” (TON) and its native cryptocurrency “Gram”. The project was announced in mid-December 2017 and its 132-pages technical paper became available in January 2018. The codebase behind TON was developed by Pavel Durov's brother Nikolai Durov, the core developer of Telegram's MTProto protocol. In January 2018 a 23-page white paper and a detailed 132-page technical paper for TON blockchain became available.
Durov planned to power TON with the existing Telegram user base, and turn it into the largest blockchain and a platform for apps and services akin to a decentralized WeChat, Google Play, and App Store. Besides, the TON had the potential to become a decentralized alternative to Visa and MasterCard due to its ability to scale and support millions of transactions per second.In January and February 2018 the company ran a private sale of futures contracts for Grams, raising around $1.7 billion. No public offering took place.
The development of TON took place in a completely isolated manner, and the release was postponed several times. The test network was launched in January 2019, some components were released in May, and in September 2019 the complete source code for TON nodes was published on GitHub. The launch oft the TON main network was scheduled for October 31. Yet on October 3o, U.S. Securities and Exchange Commission obtained a temporary restrictive order to prevent the distribution of Grams to initial purchasers: the regulator considered the legal scheme employed by Telegram an unregistered securities offering with initial buyers acting as underwriters.
The judge hearing the Telegram v. SEC case, P. Kevin Castel, agreed with the SEC's vision and kept the restrictions on Gram distribution in force. The ban applied to non-U.S.-based purchasers as well, because Telegram couldn't prevent the re-sale of Grams to U.S. citizens on a secondary market, as the anonymity of users was one of the key features of TON. Following that, Durov announced the end of Telegram's active involvement with TON. On June 26 the judge approved the settlement between Telegram and SEC. The company agreed to pay an $18.5 million penalty and return $1.22 billion to Gram purchasers. In March 2021 Telegram had to run bonds offering to cover this debt. Even though the company's involvement in TON was terminated, several independent projects emerged, using TON source code: the Free TON, NewTON, and Ton Community Blockchain.
In 2013, an author on Russian programming website Habr discovered an unexplained modification to the Diffie-Hellman key exchange scheme as described in the first version of MTProto specification that would allow an attacker to mount a man-in-the-middle attack and prevent the victim from being alerted by changed key fingerprint. The bug was fixed by the company shortly after the initial publication without any explanation.
On 2 August 2016, a report by Reuters stated Iranian hackers compromised more than a dozen Telegram accounts and identified the phone numbers of 15 million Iranian users, as well as the associated user IDs. Researches said the hackers belonged to a group known as Rocket Kitten. Rocket Kitten's attacks were similar to ones attributed to Iran's Islamic Revolutionary Guards Corps. The attackers took advantage of a programming interface built into Telegram. According to Telegram, these mass checks are no longer possible because of limitations introduced into its API earlier in 2016.
On 30 March 2020, an Elasticsearch database holding 42 million records containing user IDs and phone numbers was exposed online without a password. The accounts listed in the database were those belonging to users in Iran, extracted from an unofficial government-sanctioned version of Telegram. It took 11 days for the database to be taken down, but the researchers say the data was accessed by other parties, including a hacker who reported the information to a specialized forum.
In September 2020, it was reported there have been successful large-scale Iranian government phishing and surveillance by RampantKitten targeting dissidents in Telegram. The attack relied on people downloading a malware-infected file from any source, at which point it would replace Telegram files on the device and 'clone' session data. David Wolpoff, a former Department of Defense contractor, has stated that the weak link in the attack was the device itself and not any of the affected apps: "There’s no way for a secure communication app to keep a user safe when the end devices are compromised."
Azerbaijan
From 27 September 2020, following the start of the war in Nagorno-Karabakh, the Azerbaijani Ministry of Transport, Communications and High Technologies imposed temporary restrictions on the use of social media in the country. Telegram, Facebook, WhatsApp, YouTube, Instagram, TikTok, LinkedIn, Twitter, Zoom and Skype were completely blocked. Many other unrelated services were also blocked due to a lack of coordination. The restriction was lifted on 10 November.
Bahrain
In June 2016, it was found that some ISPs in Bahrain had started to block Telegram.
Belarus
Telegram was a key platform for sharing information and coordinating rallies during the 2020–2021 Belarusian protests. Telegram was one of few communication platforms available in Belarus during the three days of internet shutdown that followed the day of the presidential election, which Belarus's president Alexander Lukashenko won amid widespread allegations of election fraud. On the evening of 11 August, while the Internet shutdown continued, 45 percent of people using Telegram protest chats in Belarus were online, despite the government’s efforts to block online access.
China
In July 2015, it was reported that China blocked access to Telegram Messenger. According to state-owned People's Daily, Chinese human rights lawyers used Telegram to criticize the Chinese Government and the Communist Party of China.
Hong Kong
During the 2019–20 Hong Kong protests, many participants used Telegram to evade electronic surveillance and coordinate their action against 2019 Hong Kong extradition bill. On the evening of 11 June 2019, the Hong Kong police arrested Ivan Ip, the administrator of a Telegram group with 20,000 members on suspicion of "conspiracy to commit public nuisance." He was forced by the police to hand over his Telegram history. The next day, Telegram suffered a "powerful" decentralized denial of service attack. Hackers tried to paralyze the target server by sending a large number of spam requests, most of which came from mainland China.
On 28 August 2019 the Hong Kong Internet Service Providers Association announced that the Hong Kong government had plans to block Telegram.
India
In 2019, it was reported that some internet service providers in India were blocking Telegram traffic, including its official website. Internet Freedom Foundation, an Indian digital liberties organisation filed an RTI on whether Department of Telecommunications (DoT) had banned Telegram or requested ISPs to block traffic. The response from DoT said that it had no information on why the ISPs were blocking Telegram. The High Court of Kerala asked about the central government's view on a plea for banning Telegram for allegedly disseminating child abuse videos and communicating through it.
Indonesia
On 14 July 2017, eleven domain name servers related to Telegram were banned by the Indonesian Communication and Information Ministry with the possibility of closing all Telegram applications in Indonesia if Telegram did not make a standard operating procedure to maintain content that was considered unlawful in the apps. In August 2017, Indonesian Government has opened full access of Telegram, after Telegram has made self censorship about negative contents mainly radicalism and terrorism. Telegram said that about 10 channels/groups have been deleted from Telegram everyday due to are categorized as negative contents.
Iran
Telegram was open and working in Iran without any VPN or other circumvention methods in May 2015. In August 2015, the Iranian Ministry of ICT asserted that Telegram had agreed to restrict some of its bots and sticker packs in Iran at the request of the Iranian government. According to an article published on Global Voices, these features were being used by Iranians to "share satirical comments about the Iranian government". The article also noted that "some users are concerned that Telegram's willingness to comply with Iranian government requests might mean future complicity with other Iranian government censorship, or even allow government access to Telegram's data on Iranian users". Telegram has stated that all Telegram chats are private territory and that they do not process any requests related to them. Only requests regarding public content (bots and sticker packs) will be processed. In May 2016, the Iranian government asked all messaging apps, including Telegram, to move all Iranian users' data to Iranian servers. On 20 April 2017, the Iranian government completely blocked Telegram's new voice calls, a service that allows individuals to make calls via secure, end-to-end encryption, and keep their conversations private.Mahmoud Vaezi Chief of Staff of the President of Iran said reason for blocking Telegram free voice calls is so Iranian corporations keep revenue from voice calls.
On 30 December 2017, during anti-government demonstrations across Iran, Telegram has shut down a channel of the Iranian opposition that published calls to use Molotov cocktails against the police, after receiving a complaint from the Iranian government. Pavel Durov explained that the reason for the blocking was a "no calls to violence" policy and confirmed that criticizing local authorities, challenging the status quo and engaging in political debate were seen as "OK" by the platform, while "promoting violence" was not. The opposition group promised to comply with Telegram rules and created a new channel which amassed 700,000 subscribers in less than 24 hours. On December, 31, the Iranian government announced that Telegram has been "temporarily restricted" in order to "ensure calm and security" after the company said it refused to shut down peaceful protesting channels. On January, 13, the app was unblocked by an order of the president Hassan Rouhani, who said that "more than 100,000 jobs had been lost” in Iran as a result of the ban on Telegram. Channels of the opposition remain operational.
In March 2018, Iran's chairman for the Committee for Foreign policy and National Security Alaeddin Boroujerdi announced that Telegram has been targeted to be fully blocked in Iran by 20 April 2018, citing Telegram's role in facilitating the winter protests and the need to promote local apps. President Rouhani agreed with the need to break Telegram's monopoly in Iran, but maintained that he was opposed to a new blockade and did not see it as an effective measure to promote local apps. Iranian MP Mahmoud Sadeghi noted that during the two weeks that Telegram was blocked in January 2018, 30 million Iranians (75% of Telegram's users in Iran) did not start using local messaging apps, but instead turned to VPN services to circumvent the block, rendering the blockade ineffective. Telegram was blocked by the government on May 1, 2018. For until one year from the end of the 2017 riots, the Iranian government made available a customized version of Telegram that was under their domain. In 2019 Mohammad Ali Movahedi Kermani in Tehran Friday prayer declared that Telegram is haram and requested National Information Network deployement like Great Firewall of China.
On 27 September 2019, Bijan Ghasemzadeh, the Iranian prosecutor who ordered the block on Telegram, was arrested for charges of corruption. It is unclear whether or not the charges were related to the ban on Telegram.
Pakistan
In October 2017, Telegram was inaccessible to users in Pakistan, and as of 17 November 2017, it has been completely blocked as per instructions from PTA, Pakistan's largest ISP, PTCL mentioned this in a tweet to a user.
Russia
On 16 May 2017, Russian media reported that Roskomnadzor was threatening to ban Telegram. On 13 April 2018, Telegram was banned in Russia by a Moscow court, due to its refusal to grant the Federal Security Service (FSB) access to encryption keys needed to view user communications as required by federal anti-terrorism law. Enforcement of the ban was attempted by blocking over 19 million IP addresses associated with the service. However they included those used by Amazon Web Services and Google Cloud Platform, due to Telegram's use of the providers to route messages. This led to unintended collateral damage due to usage of the platforms by other services in the country, including retail, Mastercard SecureCode, and Mail.ru's Tamtam messaging service. Users used VPNs to bypass the ban as a result. On 17 April 2018, Russian authorities asked Apple and Google to pull the service from their stores as well as APKMirror, however Apple and Google refused the request. On 28 March 2018, Roskomnadzor reportedly sent a legally binding letter to Apple asking it to remove the app from the Russian version of its App Store and block it from sending push notifications to local users who have already downloaded the app. On 27 December 2018, the largest search engine in Russia, Yandex, removed telegram.org from their search results. On 18 June 2020, the Russian government lifted its ban on Telegram after it agreed to "help with extremism investigations".
Thailand
On 19 October 2020, the National Broadcasting and Telecommunications Commission was ordered to block Telegram due to its use in the 2020 Thai protests.
Telegram's security model has received notable criticism by cryptography experts. They criticized how the general security model permanently stores all contacts, messages and media together with their decryption keys on its servers by default and that it does not enable end-to-end encryption for messages by default. Pavel Durov has argued that this is because it helps to avoid third-party unsecured backups, and to allow users to access messages and files from any device. Cryptography experts have furthermore criticized Telegram's use of a custom-designed encryption protocol that has not been proven reliable and secure. However, in December 2020, a study titled "Automated Symbolic Verification of Telegram’s MTProto 2.0" was published, confirming the security of the updated MTProto 2.0 and reviewing it. The paper provides "fully automated proof of the soundness of MTProto 2.0’s authentication, normal chat, end-to-end encrypted chat, and re-keying mechanisms with respect to several security properties, including authentication, integrity, confidentiality and perfect forward secrecy" and "proves the formal correctness of MTProto 2.0". This partially addresses the concern about the lack of scrutiny while confirming the security of the protocol's latest version.
The desktop clients (excluding macOS client) do not feature options for end-to-end encrypted messages. When user assigns a local password in the desktop application, data is locally encrypted also. Telegram has defended the lack of ubiquitous end-to-end encryption by claiming the online-backups that do not use client-side encryption are "the most secure solution currently possible".
Critics have also disputed claims by Telegram that it is "more secure than mass market messengers like WhatsApp and Line", because WhatsApp applies end-to-end encryption to all of its traffic by default and uses the Signal Protocol, which has been "reviewed and endorsed by leading security experts", while Telegram does neither and stores all messages, media and contacts in their cloud. Since July 2016, Line has also applied end-to-end encryption to all of its messages by default.
The Electronic Frontier Foundation (EFF) listed Telegram on its "Secure Messaging Scorecard" in February 2015. Telegram's default chat function received a score of 4 out of 7 points on the scorecard. It received points for having communications encrypted in transit, having its code open to independent review, having the security design properly documented, and having completed a recent independent security audit. Telegram's default chat function missed points because the communications were not encrypted with keys the provider didn't have access to, users could not verify contacts' identities, and past messages were not secure if the encryption keys were stolen. Telegram's optional secret chat function, which provides end-to-end encryption, received a score of 7 out of 7 points on the scorecard. The EFF said that the results "should not be read as endorsements of individual tools or guarantees of their security", and that they were merely indications that the projects were "on the right track".
In December 2015, two researchers from Aarhus University published a report in which they demonstrated that MTProto did not achieve indistinguishability under chosen-ciphertext attack (IND-CCA) or authenticated encryption. The researchers stressed that the attack was of a theoretical nature and they "did not see any way of turning the attack into a full plaintext-recovery attack". Nevertheless, they said they saw "no reason why Telegram should use a less secure encryption scheme when more secure (and at least as efficient) solutions exist". The Telegram team responded that the flaw does not affect message security and that "a future patch would address the concern". Telegram 4.6, released in December 2017, supports MTProto 2.0, which now satisfied the conditions for IND-CCA. MTProto 2.0 is seen by qualified cryptographers as a vast improvement to Telegram's security.
In April 2016, accounts of several Russian opposition members were hijacked by intercepting the SMS messages used for login authorization. In response, Telegram recommended using the optional two-factor authentication feature. In May 2016, the Committee to Protect Journalists and Nate Cardozo, senior staff attorney at Electronic Frontier Foundation, recommended against using Telegram because of "its lack of end-to-end encryption and its use of non-standard MTProto encryption protocol, which has been publicly criticized by cryptography researchers, including Matthew Green".
Login SMS messages are known to have been intercepted in Iran, Russia and Germany, possibly in coordination with phone companies. Pavel Durov has said that Telegram users in "troubled countries" should enable two-factor authentication by creating passwords in order to prevent this.
In June 2017, Pavel Durov in an interview claimed that U.S. intelligence agencies tried to bribe the company's developers to weaken Telegram's encryption or install a backdoor during their visit to the U.S. in 2016.
In 2018 Telegram sent a message to all Iranian users stating that the Telegram Talai and Hotgram unofficial clients are not secure.
Telegram promised since at least March 2014 that "all code will be released eventually", including all the various client applications (Android, iOS, desktop, etc.) and the server-side code. As of December 2020, Telegram still hasn't published their server-side source code. In January 2021, Durov explained rationale for not releasing server-side code, citing reasons such as inability for end-users to verify that the released code is the same code run on servers, and a government that wanted to acquire the server code and make a messaging app that would end competitors.
On 9 June 2019, The Intercept released leaked Telegram messages exchanged between current Brazilian Minister of Justice and former judge Sérgio Moro and federal prosecutors. The hypothesis is that either mobile devices were hacked by SIM swap or computers invaded. The Telegram team tweeted that it was either because the user had malware or they were not using 2-step verification.
On 12 June 2019, Telegram confirmed that it suffered a denial-of-service attack which disrupted normal app functionality for approximately one hour. Pavel Durov tweeted that the IP addresses used in the attack mostly came from China.
In December 2019, multiple Russian businessmen suffered account takeovers that involved bypassing SMS single-factor authentication. Security company Group-IB suggested SS7 mobile signalling protocol weaknesses, illegal usage of surveillance equipment, or telecom insider attacks.
Telegram has organized two cryptography contests to challenge its own security. Third parties were asked to break the service's cryptography and disclose the information contained within a secret chat between two computer-controlled users. A reward of respectively US$200,000 and US$300,000 was offered. Both of these contests expired with no winners. Security researcher Moxie Marlinspike, founder of the competing Signal messenger, and commenters on Hacker News criticized the first contest for being rigged or framed in Telegram's favor and said that Telegram's statements on the value of these contests as proof of the cryptography's quality are misleading. This was because the cryptography contest could not be won even with completely broken algorithms such as MD2 (hash function) used as key stream extractor, and primitives such as the Dual_EC_DRBG that is known to be backdoored.
Telegram was the main subject surrounding the 2019 Puerto Rico riots that ended up in the resignation of then Governor Ricardo Rosselló. Hundreds of pages of a group chat between Rosselló and members of his staff were leaked. The messages were considered vulgar, racist, and homophobic toward several individuals and groups, and discussed how they would use the media to target potential political opponents.
On 15 March 2021, Telegram conducted a 5 years public bonds placement worth $1 billion. The funding was required to cover the debts amounting to $625.7 million, including $433 million to investors who bought futures for Gram tokens in 2018 and included purchasers such as David Yakobashvili. On 23 March, Telegram also sold additional bonds worth $150 million to the Abu Dhabi Mubadala Investment Company and Abu Dhabi Catalyst Partners. The Mubadala Investment Company also stated that Russia's sovereign wealth fund participated in its deal through the Russia-UAE joint investment platform to buy convertible bonds. According to the contract, the holders of the bonds will be provided an option to convert them to shares if the company conducts an IPO.