Independent Review Confirms Critical Telegram Vulnerability Previously Exposed by IStories
The privacy of hundreds of millions of users is at risk, experts say
IStories has obtained an expert report from Symbolic Software, a firm specializing in cybersecurity analysis and technical audits of applications for tech giants such as Zoom, Mozilla, Coinbase, and many others.
Symbolic Software reviewed the claims from last year’s IStories report regarding Telegram’s ties to the FSB, concluding that the vulnerability we detailed in 2025 poses a genuine threat to the privacy of all the app’s users, including those communicating in secret chats.
“We evaluate claims from public reporting about these vulnerabilities, finding the core technical assertions <...> to be accurate and reproducible. <...> The implications extend beyond theoretical concerns. <...> This is particularly significant given Telegram’s adoption by journalists, activists, and other high-risk users,” the expert review states (the full Symbolic Software report can be read here).
The anatomy of the vulnerability
While working on last year’s investigation, IStories conducted an experiment: we asked people in various countries to send messages to each other via Telegram and record the network traffic using specialized software.
We then shared the results with cybersecurity experts, who discovered that during data transmission, the app sends an unencrypted header containing a unique device identifier: auth_key_id. Armed with this identifier, anyone with access to Telegram’s traffic can track users, analyze their online activity, and map their communication networks.
Symbolic Software experts reached the same conclusion:
“Our analysis confirms the core technical findings: Telegram clients <...> transmit messages over unencrypted TCP connections, exposing the auth_key_id in cleartext (or trivially obfuscated form) to any network intermediary. The auth_key_id functions as a persistent device identifier that remains constant across sessions, IP address changes, network switches, and geographic locations. This creates a technical capability for device tracking by any entity with passive network access, including Internet Service Providers (ISPs), network administrators, government surveillance programs, and other adversaries positioned along the communication path.”
“All of these adversaries,” the review continues, “can collect auth_key_id values through entirely passive observation. No man-in-the-middle attack is required, no certificate compromise is necessary, and no active protocol manipulation is needed. Simple packet capture and trivial deobfuscation suffice to extract persistent device identifiers from Telegram traffic.
The persistence of auth_key_id values across sessions, network changes, and extended time periods enables long-term tracking of individual devices. An adversary who collects auth_key_id values from network traffic can build a comprehensive database associating specific auth_key_id values with observed network locations, timestamps, traffic patterns, and — when the user’s identity is known through other means — specific individuals.
Such a database could enable queries like: ‘Where has the device associated with auth_key_id X been observed over the past six months?’ or ‘Which auth_key_id values were present at network location Y during time period Z?’ The ability to track devices across IP address changes means that even users who employ dynamic IP addressing, regularly switch networks, or use mobile connections remain trackable through their persistent auth_key_id,” the experts emphasize.
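As an added illustration that is not part of the IStories article or the Symbolic Software report, the two database queries the reviewers describe, run over a constructed flow log (made-up auth_key_id values and documentation-range IPs), next to what the same passive observer would retain once the header travels inside an encrypted transport:

```python
from collections import defaultdict

# Constructed flow log (not a real capture): what a passive on-path observer
# could record per connection while auth_key_id is visible in the header.
# Identifiers and IP addresses are invented sample values.
FLOWS = [
    ("2025-03-01T08:00", "203.0.113.10",  "a1b2c3d4e5f60001"),  # device A, home Wi-Fi
    ("2025-03-01T12:30", "198.51.100.77", "a1b2c3d4e5f60001"),  # device A, mobile carrier
    ("2025-03-02T09:15", "192.0.2.200",   "a1b2c3d4e5f60001"),  # device A, cafe
    ("2025-03-02T09:20", "192.0.2.200",   "ffee0011223344aa"),  # device B, same cafe
    ("2025-03-05T18:40", "203.0.113.10",  "ffee0011223344aa"),  # device B, at A's home IP
]


def locations_of(flows, key_id):
    """Query 1: where has the device with auth_key_id X been observed?"""
    return [(ts, ip) for ts, ip, k in flows if k == key_id]


def devices_at(flows, ip, start, end):
    """Query 2: which auth_key_id values were present at location Y
    during period Z? ISO-8601 timestamps compare correctly as strings."""
    return sorted({k for ts, i, k in flows if i == ip and start <= ts <= end})


def cross_ip_links(flows):
    """How many network changes the observer can still attribute to one device:
    for each identifier, every distinct IP beyond the first is one such link."""
    ips_per_id = defaultdict(set)
    for _, ip, k in flows:
        ips_per_id[k].add(ip)
    return sum(len(ips) - 1 for ips in ips_per_id.values())


def observer_view_with_transport_encryption(flows):
    """The same log once the identifier sits inside an encrypted transport:
    only timestamp and IP survive, so neither query above can be answered and
    two devices behind one IP are indistinguishable from one device."""
    return [(ts, ip) for ts, ip, _ in flows]
```

Running the three identifier-based functions against `FLOWS` shows device A followed across three networks and two devices co-located at the cafe; the encrypted-transport view keeps the same five rows but no column to join them on.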
The FSB connection and the origin of the report
This expert review is particularly valuable not only because it was conducted by an independent firm with a solid reputation in cybersecurity, but also because its initiator was apparently none other than Vladimir Vedeneev — one of the key figures in last year’s IStories investigation. In 2025, we revealed that Vedeneev had served for several years as Telegram’s chief financial officer, held power of attorney to sign documents on behalf of the company and Pavel Durov, and, moreover, maintains nearly the entirety of the app’s network infrastructure across multiple countries.
We also learned that Vedeneev’s former Russian company (he transferred ownership to a relative in 2024) services FSB operational and investigative systems used to surveil Russian citizens under a classified government contract. Most importantly, according to Vedeneev himself, he is assigned a dedicated FSB handler — a senior security service officer with whom Vedeneev has long cooperated and shared information: “I am overseen by an FSB guy, related to SORM (the System for Operative Investigative Activities, the technical specification for the targeted surveillance of telephone and Internet communications in Russia. — Ed.). He’s apparently trying to get promoted, so he tells everyone: ‘Access to Vladimir is only through me.’ He calls me and says: ‘Listen, Volodya, basically, you’ve got to somehow talk to them, to all of them [other FSB officers], and so on.’
They [the FSB officers] say: ‘So, we need this IP address at this time. Who is it?’ We understand that we can’t not answer, right? We quickly answer them. We have authorized emails from which they send requests. We quickly answer them. We say: ‘It’s Ivanov Ivan Ivanovich, apartment number 7, blah-blah-blah.’ They’re like: ‘All right, okay,’” Vedeneev told IStories in an interview.
Following the publication of the investigation, Vedeneev filed a lawsuit in Switzerland, where he resides, against the story’s lead author and IStories founder, Roman Anin. In the lawsuit, Vedeneev does not dispute the investigation’s claims; instead, he demands the removal of the interview in which he admits to cooperating with the FSB.
While reviewing the materials of the Swiss case, we discovered this very same technical review by Symbolic Software, which Vedeneev had apparently attached in hopes that the experts would refute the article’s technical findings. Instead, they confirmed them.
Global reach and the scale of the risk
“From a surveillance infrastructure perspective, ‘global’ reach depends on the extent of the adversary's network access. <...> Achieving truly global surveillance would require infrastructure access across multiple geographic regions and network paths,” the Symbolic Software review states.
Vladimir Vedeneev possesses exactly this level of access. For instance, here is what he said in an interview with IStories: “Telegram doesn’t have access to the data centers in Singapore or Miami: they’ve never been there. Four data centers have already been built. We (Vedeneev’s company GNM, which services Telegram’s network infrastructure. — Ed.) are present in all four. <...> At this point, I provide all communication channels. Not someone else — me! If I really wanted to, of course, I could capture this traffic.”
Vedeneev’s admission, coupled with the experts’ conclusions, indicates that a significant portion of Telegram’s traffic essentially flows through a single individual, and:
- this traffic contains unencrypted device identifiers that allow user tracking;
- this individual has an FSB handler with whom he has long cooperated and shared information.
In last year’s interview with IStories, Vladimir Vedeneev denied the vulnerability we described, claiming he only provides his FSB handler with information regarding Russian internet users from Russian companies, but not from Telegram. Whether this is true or not is a matter of faith.
The Symbolic Software expert notes that the vulnerability did not stem from a technical failing, but rather is the result of “a fundamental abdication of Telegram’s responsibility to protect user privacy through appropriate cryptographic measures. <...> The proper solution is <...> for Telegram to eliminate the vulnerability entirely through mandatory use of transport-layer encryption — a standard practice adopted by virtually every other major messaging platform. The technical implementation is straightforward, the performance impact negligible, and the privacy benefits substantial. Until Telegram implements proper TLS encryption, it continues to expose its users to unnecessary privacy risks,” the expert concludes.
The Symbolic Software review does not claim that malicious actors with access to Telegram traffic and device identifiers can decrypt messages. However, cybersecurity experts interviewed by IStories consider such a risk to be entirely possible.
The issue is that the auth_key_id identifier — which Telegram transmits openly over the network for some reason — is used to locate the specific user's key in the database, which the app then uses to decrypt messages on its servers. Thus, if someone like Vladimir Vedeneev or another passive traffic observer were to gain access to this database, it means they could potentially decrypt messages.
Telegram’s response
Telegram representative Remi Wong (whose actual existence remains unverified: there are no photos or other mentions of him online) sent the following response to the IStories editorial office: “Regarding the unpublished article, we reject its conclusions for the reasons outlined on this page.
The auth_key_id parameter changes regularly and does not reveal user information, message contents, recipients, or private data. Any observer able to see it would already have access to more reliable network-level signals for tracking. Telegram owns its infrastructure, which is configured, managed and controlled exclusively by Telegram’s internal engineering teams. GNM is a respected global infrastructure provider, and neither GNM nor its owner Mr. Vedeneev is connected to the FSB.
Since 2021, neither GNM nor any other company affiliated with Mr. Vedeneev has provided services in the Telegram data center that stores information of Russian and European citizens. This fact alone makes the entire FSB–Vedeneev conspiracy theory inconsistent with reality.”