Telegram, the popular messaging platform lauded by its founder Pavel Durov as a bastion of free speech and privacy, faced fresh suspicions following an investigation by the independent Russian media outlet iStories, in partnership with OCCRP.
The report alleges troubling links between a key figure in Telegram’s technical infrastructure and Russia’s Federal Security Service (FSB), which contradicts Durov’s long-standing claim that he left Russia to resist government demands for access to user data. While the report adds to the ongoing debate over Telegram’s relationship with Russian authorities, it does not offer direct evidence of privacy violations.
Mediazona breaks down what’s known, what’s concerning, and what remains unproven.
The investigation focuses on Vladimir Vedeneev, 45, who is described as a “key player in the Russian telecommunications market.” His company, Global Network Managements Inc. (GNM), takes care of Telegram’s networking equipment and gives it thousands of IP addresses, according to the iStories report. U.S. court records show Vedeneev had special access to Telegram’s servers in a Miami data center for technical help. Court records also show he was authorized to sign contracts for Telegram and was identified as its CFO.
Many of GNM’s IP addresses were once used by Globalnet, a company in St. Petersburg with contracts with the Russian government and intelligence agencies. iStories reports that one of its clients is the Main Research Computing Center of the Presidential Property Management Department of Russia (GlavNIVTS). This center officially provides tech support for high-level meetings and events, but in reality, the report suggests, it is “perhaps the most secret and little-studied special service in Russia” that “helped plan the invasion of Ukraine, upgraded a major bot network, developed a centralized video surveillance system, and built tools to track and deanonymize internet users.”
Telegram also got thousands of IP addresses from another St. Petersburg company, Electrontelecom. iStories found that this company works with the FSB on secure communication systems for intelligence work.
While iStories states there is no evidence GNM itself has worked with the Russian government or provided any data, it reported that other companies closely linked to Vedeneev have a documented history of collaboration with Russia’s defense sector and the FSB.
Telegram’s network design inherently relies on centrally controlled infrastructure. Although the platform offers end-to-end encryption in its “secret chats,” the majority of communication travels through standard unencrypted chats. The content of these cloud chats is stored on Telegram’s servers after being decrypted server-side. This architecture means that metadata, such as user IP addresses and connection times, could be accessible to entities with control over the network infrastructure.
Telegram relies on its proprietary MTProto protocol, developed in-house to secure user communications. The protocol employs auth_key_id, an identifier that is part of the user’s main authorization key (auth_key). auth_key_id uniquely identifies this authorization key and, by extension, a specific user’s device or session to the server.
This auth_key_id is not encrypted, which potentially means that any entity capable of monitoring network traffic to and from Telegram’s servers can observe these auth_key_ids. Russia can, considering its SORM monitoring system installed at all points of internet traffic exchange.
Therefore, the report concludes, it is technically feasible to track when a specific user sends or receives messages and from which IP address, even if the actual content of the messages remains encrypted.
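To make the metadata exposure concrete, here is an added illustration (not code from iStories, OCCRP, Mediazona or Telegram) of why a cleartext session identifier makes traffic linkable across IP addresses. It assumes the envelope is visible on the wire as laid out in Telegram’s public MTProto documentation (auth_key_id, then msg_key, then encrypted data, with auth_key_id being the 64 lower-order bits of SHA-1 of auth_key); the keys, timestamps and documentation-range IP addresses are constructed, and random bytes stand in for the encrypted part.

```python
import hashlib
import os
from collections import defaultdict


def auth_key_id(auth_key: bytes) -> bytes:
    """Per the MTProto documentation: the 64 lower-order bits of SHA-1(auth_key)."""
    return hashlib.sha1(auth_key).digest()[-8:]


def envelope(auth_key: bytes, body_len: int = 64) -> bytes:
    """Documented layout: auth_key_id (8 bytes) | msg_key (16 bytes) | encrypted_data.
    msg_key and the ciphertext are random stand-ins; no real encryption is done here."""
    return auth_key_id(auth_key) + os.urandom(16) + os.urandom(body_len)


def link_by_cleartext_id(observations):
    """Group (timestamp, ip, payload) records by the cleartext 8-byte prefix."""
    linked = defaultdict(list)
    for ts, ip, payload in observations:
        if len(payload) < 24:  # shorter than auth_key_id + msg_key: not an envelope
            continue
        linked[payload[:8].hex()].append((ts, ip))
    return dict(linked)


# Constructed sample: two hypothetical sessions, one of which changes network.
KEY_A = bytes([0xA1]) * 256  # auth_key is 2048 bits long
KEY_B = bytes([0xB2]) * 256
SAMPLE = [
    ("2025-01-01T08:00:03Z", "192.0.2.10", envelope(KEY_A)),
    ("2025-01-01T08:00:09Z", "198.51.100.7", envelope(KEY_B)),
    ("2025-01-01T19:42:51Z", "203.0.113.25", envelope(KEY_A)),
    ("2025-01-01T19:43:00Z", "203.0.113.25", b"\x00" * 10),  # truncated record
]

if __name__ == "__main__":
    for key_id, hits in link_by_cleartext_id(SAMPLE).items():
        print(key_id, hits)
```

Everything after the first eight bytes differs between the two messages of the first session, yet the identical prefix ties them to one device at two addresses and two times without any decryption.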
In response to an inquiry from the BBC, Telegram stated that as a global entity, it “has contracts with dozens of different service providers around the world,” but stressed that none of them “has access to Telegram’s data or confidential infrastructure.” The statement asserted that “All of Telegram’s servers are owned by Telegram and serviced by Telegram employees,” and that the messenger “has never disclosed private messages to third parties, and its encryption has never been broken.”
Despite the serious implications, neither iStories nor OCCRP has provided direct evidence that Telegram user data has been intercepted or that its infrastructure has been deliberately compromised.
The findings show what is technically possible: a company operating crucial parts of Telegram’s network infrastructure has historic links to the Russian intelligence services. However, the investigation does not show that this enabled actual surveillance. There is no documentation or forensic evidence demonstrating this.
The concerns about access to metadata and the unencrypted and unique device identifier (auth_key_id) are fair: for a state-level actor monitoring all internet traffic, this makes it possible to track when a specific user sends or receives messages and from what IP address. A 2022 report on the surveillance of partisans in the then-occupied Ukrainian city of Kherson illustrated how Russian special services could leverage this, knowing when a device received a message even if its content was hidden.
Beyond the technical analysis, the report introduces anecdotal evidence from the human rights group “First Department”. They noted a “significant number of cases” where the FSB inexplicably obtained their clients’ Telegram chats. When hacking or user error is denied, suspicion falls on Telegram itself. However, such claims are near impossible to verify and simpler explanations are plentiful: sophisticated honeypots, other vulnerabilities, or user carelessness.
Ultimately, despite the lack of proof, Telegram’s own narrative of total opposition to the Russian state remains under suspicion. Pavel Durov continues to travel to Russia while Telegram’s transparency report, which has not been updated in over six months, implausibly claims zero data requests from Russian authorities. While interactions between any large tech company and law enforcement are normal, the serious accusation that Telegram could be exposing user data requires a higher standard of proof, which, for now, remains unseen.