- An independent cybersecurity review confirmed that Telegram exposes persistent device identifiers called auth_key_id in cleartext, which enables passive tracking of users across networks and locations without breaking encryption.
- The findings support an OCCRP and Important Stories investigation last year that linked Telegram’s infrastructure to Russian network engineer Vladimir Vedeneev, whose companies have contracts with the FSB and other Russian security agencies.
- Telegram rejected the conclusions, claiming the identifier changes regularly and reveals no user data.
A cybersecurity audit by an independent digital forensics company has confirmed that the messaging app Telegram exposes a permanent identifier that could allow passive tracking of users’ devices across different networks and geographical locations.
This finding supports the results of a 2025 investigation by the Organized Crime and Corruption Reporting Project (OCCRP) and its Russian partner, Important Stories, which examined Telegram’s infrastructure and its links with a Russian network engineer who purportedly has ties to the FSB.
Symbolic Software conducted the audit, and Important Stories received it. The research found that the way Telegram clients send or receive messages exposes an identifier, the auth_key_id, in cleartext or in a form that can be easily de-obfuscated. The identifier remains stable across sessions, network switches, IP address changes, and geographic locations.
An internet service provider, network administrator, state surveillance system, or other actor with passive access to Telegram traffic could collect these identifiers without breaking encryption.
Expert analysis confirms key technical findings
The Symbolic Software report states that its analysis confirms the key technical findings of the original investigation. Telegram transmits messages over unsecured TCP connections, which is why the auth_key_id travels in cleartext. This makes passive tracking possible without sophisticated man-in-the-middle attacks or certificate hacking.
Any of these actors can collect auth_key_id values simply by intercepting internet traffic and performing minimal data processing. According to experts, the vulnerability stems from Telegram’s complete failure to protect user privacy rather than from any technical issue. Because many journalists, activists and other high-risk people use Telegram, the implications are more than theoretical.
To solve this problem, Telegram’s developers should make transport encryption mandatory. Almost all modern major messengers already offer this basic protection as a standard feature.
The same unencrypted device identifier attaches to every message, even when end-to-end encryption protects the message content. Metadata remains exposed, a vulnerability experts consider critical, particularly in high-risk regions like occupied Ukraine.
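Why the identifier links traffic across networks, and what the recommended transport encryption changes, shown as an added Python example that is not taken from the audit or from Telegram's code. The header layout and the derivation of auth_key_id follow the public MTProto description; transport framing is omitted, and the shortened message-key step, the random ciphertext and `toy_transport_encrypt` are simplified stand-ins run on constructed data.

```python
import hashlib
import os

def auth_key_id(auth_key: bytes) -> bytes:
    # MTProto defines auth_key_id as the 64 lower-order bits of SHA1(auth_key),
    # so it changes only when the long-lived authorization key changes.
    return hashlib.sha1(auth_key).digest()[-8:]

def mtproto_message(auth_key: bytes, plaintext: bytes) -> bytes:
    # Simplified layout of an encrypted MTProto message:
    #   auth_key_id (8 bytes) | msg_key (16 bytes) | encrypted data
    # The msg_key derivation is abbreviated and random bytes stand in for the
    # ciphertext; only the position and stability of auth_key_id matter here.
    msg_key = hashlib.sha256(auth_key[88:120] + plaintext).digest()[8:24]
    return auth_key_id(auth_key) + msg_key + os.urandom(len(plaintext))

def toy_transport_encrypt(message: bytes) -> bytes:
    # Stand-in for mandatory transport encryption (e.g. TLS): every connection
    # gets a fresh key, so equal inner bytes look different on the wire.
    # Not a real cipher; it only models "fresh key per connection".
    key = os.urandom(32)
    stream = b""
    counter = 0
    while len(stream) < len(message):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(m ^ s for m, s in zip(message, stream))

def distinct_id_fields(wire_messages) -> int:
    # Number of distinct values visible in the identifier's 8-byte position.
    return len({m[:8] for m in wire_messages})

def demo():
    device_key = os.urandom(256)  # constructed 2048-bit authorization key
    # Constructed traffic: one device, three connections on different networks.
    sent = [mtproto_message(device_key, text)
            for text in (b"from home wifi", b"from mobile data", b"from a cafe")]
    bare = distinct_id_fields(sent)
    wrapped = distinct_id_fields([toy_transport_encrypt(m) for m in sent])
    return bare, wrapped

if __name__ == "__main__":
    bare, wrapped = demo()
    print(f"distinct identifier values, bare transport:      {bare}")
    print(f"distinct identifier values, encrypted transport: {wrapped}")
```

The message key and ciphertext differ for every message, yet the leading field repeats because it is a function of the key alone; once the whole message sits inside a per-connection encrypted channel, no repeating value remains in that position.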
Privacy tools that help users monitor their exposure are also disappearing. Google recently shut down its Dark Web Report tool, ending automatic breach alerts, leaving users with fewer resources to track compromised data.
Investigation linked Telegram infrastructure to an FSB-tied engineer
The 2025 review by OCCRP and Important Stories revealed that a network engineer from Russia, Vladimir Vedeneev, had functioned as the chief financial officer of Telegram. He held the power of attorney to sign documents on behalf of Telegram and its founder, Pavel Durov. Vedeneev also operated companies with links to the Russian state and security-linked clients, including the FSB.
Vedeneev’s company, Global Network Management (GNM), controls thousands of Telegram IP addresses and maintains its servers. His other companies have a history of partnership with the FSB security service, the defense sector of Russia, and other sensitive agencies.
Because of how Telegram’s encryption protocols are structured, users remain vulnerable to potential tracking even if they have enabled end-to-end encryption. Anyone with access to Telegram’s network data and logs may be able to track the location of users, even though the content of the messages remains unreadable.
Telegram rejects the latest summaries
In its reply to Important Stories, Telegram rejected the findings. The company said that the auth_key_id parameter changes regularly and does not reveal user information, message contents, recipients, or private data. Telegram also claimed its infrastructure is managed exclusively by its internal engineering teams. The company denied that Vedeneev or his company, GNM, has any connection to the FSB.
Telegram’s defensive stance extends beyond security audits. Founder Pavel Durov has criticized Spain’s new internet laws, arguing they threaten free speech, showing the platform’s broader resistance to external oversight.
Telegram also said that it has agreements with multiple service providers worldwide, but that none of them has access to its data or to the secure part of its infrastructure. The company owns all of its servers, and they are maintained by Telegram employees; therefore, no third party has the ability to access any of them without authorization.
Vedeneev himself denied the existence of the vulnerability the reporters described. He also said he does not provide Telegram data to the FSB.