What is Telegram?
Telegram is a free messaging app and social media platform that lets users communicate via one-on-one chats, group chats, voice and video calls, and channels. Since its founding in 2013, Telegram has become one of the most popular messenger apps in the world, amassing over 950 million active users.
Telegram is a cloud-based messenger, meaning most chats are stored on cloud servers and not locally on any device. While this allows users to enjoy synced messaging across their devices, it also means most chats on Telegram are not end-to-end encrypted, unless users initiate Secret Chats — this has raised concern among privacy advocates.
A competitor to apps like WhatsApp and Facebook Messenger, Telegram offers many advanced privacy and security features. These include end-to-end encryption in Secret Chats, encrypted file transfers, and the option to send self-destructing messages.
How safe is Telegram?
Telegram is generally safe to use for basic messaging. The app employs high-level security features that keep messages relatively confidential and secure, and it offers many customizable settings for users who want to beef up their online privacy.
However, critics of Telegram have contested founder Pavel Durov’s claims that the platform is safer than WhatsApp, pointing out that Telegram doesn’t provide end-to-end messaging encryption by default like WhatsApp does. Telegram has also come under fire for its allegedly lax content moderation, which could make it more attractive to criminal groups and encourage phishing attacks.
Read on for a breakdown of some of Telegram’s top privacy and security features and issues security professionals and others have raised about the platform’s security.
Telegram’s privacy and security features
Here are some of the safety features that set Telegram apart from other messaging apps:
-
End-to-end encryption (for Secret Chats only): End-to-end encryption (E2EE) software makes it nearly impossible for anyone besides the sender and recipient to view messages. However, E2EE is not enabled by default for most messages. To enable E2EE, Telegram users must manually initiate a Secret Chat, which will not sync to other devices.
-
MTProto security protocol: MTProto is Telegram’s proprietary encryption protocol, designed by co-founder Nikolai Durov. Messages are encrypted using this protocol to prevent interception during transmission to Telegram’s cloud servers.
-
Two-step verification: Two-step verification (2FA) is a feature that adds an extra layer of security by requiring two forms of verification — a password and a confirmation code sent to your phone — to make important changes to the app or log in on a new device.
-
Self-destructing media and messages: Users can set timers for messages or media to self-delete from the recipient's message thread. This is similar to Snapchat’s self-destruct feature. Users can manually delete any message for themselves and the recipient at any time; no trace of the message will remain.
-
Device-specific Secret Chats: Secret Chats are accessible only on one device. They feature more robust security than standard chats, as they use E2EE. Secret Chats make screenshots and message forwarding impossible.
-
Decentralized corporate structure: Telegram is a decentralized private entity with servers located around the globe. This helps it remain independent of any single government's data laws. Telegram does not share messages’ contents with third parties, including governments or law enforcement. However, if presented with a warrant, Telegram, like many other apps, may share some metadata like IP addresses, phone numbers, or usernames.
Is Telegram encrypted?
Yes, Telegram is encrypted, but the default encryption settings for most Telegram chats are less secure than users may believe. Normal Telegram chats feature client-server encryption; only Secret Chats feature industry-standard end-to-end encryption.
Client-server encryption means that Telegram encrypts messages as they are sent from the user to the company servers, and then again as they travel from the servers to the recipient. This keeps user messages private during transmission. However, they can be accessed at the server level, potentially putting users at risk in the case of a data breach.
In fact, Telegram has suffered several data breaches over the years, exposing millions of users’ sensitive information.
To turn on E2EE in Telegram, users must initiate a Secret Chat, which is only available for one-on-one messaging — not group chats.
End-to-end encryption is a security protocol that fully encrypts messages as they are sent from the sender to the recipient. The technology converts messages into undecipherable text until they reach their intended destination, where they are decrypted back into the original message.
Messages encrypted using E2EE are highly secure because they can’t be accessed by anyone except the sender and recipient. This includes the government, law enforcement, third parties, advertisers, and even the service provider (in this case, Telegram).
Texts protected with end-to-end encryption are visible only to the sender and recipient.
Can Telegram be traced?
Yes, it is possible to be traced via Telegram, though it’s very unlikely. Telegram is highly secure, but it does store users’ IP addresses on its servers. Hackers have found ways to access user IP addresses, which they can use to trace a user’s location and activity.
One report found that hackers were able to access a user’s IP address simply by receiving a call from them on the app. In larger, unmoderated Telegram groups, hackers can use social engineering schemes to trick people into adding them to their contacts. Then, all it takes is a phone call to leak your location.
Using a VPN is one of the best ways to stay safer while using Telegram. Avast SecureLine VPN helps mask your IP address, hiding your web activity from hackers and allowing you to chat, download, and browse more securely and anonymously.
What is the MTProto security protocol?
The MTProto security protocol is Telegram’s custom encryption protocol and prevents prying eyes from accessing your messages in the app. It was designed specifically for Telegram’s cloud-based messaging service. It protects messages and files as they’re transmitted between user devices and Telegram’s servers.
MTProto has two levels of security: client-server encryption (for standard Telegram chats) and end-to-end encryption (for Secret Chats).
Issues with Telegram’s security
Despite Telegram’s reputation as a secure messaging app, cyber professionals and journalists have flagged security risks. Here’s a breakdown of potential weaknesses in Telegram’s platform and security protocols:
-
Decryption keys lack security: Telegram’s chats are encrypted between the client and Telegram’s servers, but the decryption keys are also stored on those servers. This means that if Telegram’s servers are compromised, attackers could access users’ data.
-
No end-to-end encryption for regular chats: Telegram only offers E2EE for Secret Chats, which the user needs to turn on manually. Regular cloud chats are stored on Telegram’s servers. This means Telegram (or someone who hacks Telegram) might be able to access these messages.
-
No end-to-end encryption for group chats: Unlike one-on-one chats, group chats do not have a Secret Chat option, therefore no end-to-end encryption. No matter the size, group chats do not have E2EE, making them less secure.
-
Closed server-side code: Telegram’s server-side code is private. This lack of transparency makes it harder for external security experts to verify the security of Telegram’s inner workings.
-
Potential vulnerabilities in the MTProto protocol: Telegram’s MTProto protocol is designed for security. However, it lacks security reviews common to other widely-used encryption protocols, leading some security experts to question whether it’s as safe as other encryption methods.
-
Telegram’s servers store metadata: Even for private chats, Telegram stores some user data like your IP address, username, and what time you sent a message. This information could be leaked if Telegram’s servers are ever compromised.
-
Telegram has a phishing problem: Users who enter group chats may be exposed to unsafe or illicit content. The app is reportedly a hotbed of phishing schemes and DIY cyberattacks aimed at infecting users with malware or computer viruses.
One of Telegram’s more controversial features, People Nearby, which allowed you to see and message other users within a few miles of you, was discontinued in 2024.
Why is Telegram controversial?
While Telegram has been praised for its privacy and features, it has also been involved in controversy. Due to its large group chat limit and unlimited file transfers, it has become a popular app for criminal organizations, extremist groups, and people trading in illicit materials.
But Telegram has also helped protest movements — such as those in Hong Kong, Belarus, and Russia — coordinate activities more safely and privately. Telegram claims that they remove millions of illegal posts and channels every day, and users are encouraged to report illegal content.
Telegram is known for avoiding cooperation with the authorities even when Telegram is used for illegal activities — founder Pavel Durov was arrested in 2024 in France for “complicity in managing an online platform to allow illicit transactions by an organized group.” The platform has faced repercussions in Germany and Brazil for similar reasons.
In response to this increased scrutiny, Telegram has stated that it would start handing over user data to law enforcement under court order, frustrating some privacy activists.
How to stay safer on Telegram
Like all secure messaging apps, Telegram isn’t perfect. And while Telegram is popular for its fast speeds, small size, and convenience, other messenger apps like Signal, WhatsApp, and even Facebook Messenger, feature end-to-end encryption by default. By following a few additional cybersecurity measures, you can chat on Telegram while keeping your data and devices safer, even if E2EE isn’t available. Here’s how to stay more secure on Telegram:
-
Use Secret Chats: When chatting one-on-one, use the Secret Chat feature. This feature does enable end-to-end encryption, so not even Telegram can view your messages.
-
Set a self-destruct timer: Turn on the self-destruct feature for your messages and files. This ensures that your messages are automatically deleted after a certain time.
-
Enable 2FA: Turning on two-factor authentication in your Privacy and Security settings requires you to enter two forms of verification to log into Telegram on a new device. This makes it much harder for a hacker to access your account.
-
Review your privacy settings: Some of the personal info on your Telegram account could be public, including your phone number and profile picture. You can limit access to this information by customizing your privacy settings. In the app, go to Settings > Privacy and Security.
-
Be wary of Telegram bots: Third parties can make bots for Telegram (that work similarly to apps) using Telegram’s API. These bots are not verified by Telegram and may contain vulnerabilities. Bot developers may also have malicious intent, such as launching phishing attacks or other illegal behavior. Avoid interacting with bots in Telegram groups or channels, and don’t grant them access to your contacts.
-
Be careful who you chat with: Don’t add unknown users to your contacts, and never accept calls or chat invitations from people you don’t know. This may allow hackers to infect you with malware.
-
Block spammers: Despite its best efforts, Telegram is unable to prevent spammers from messaging you. To help protect yourself from phishing attacks or malware, block suspicious messages from unknown senders.
-
Use a VPN: A virtual private network (VPN) such as Avast SecureLine VPN can help protect your privacy online by masking sensitive information, including your IP address.
Get a VPN to use Telegram more safely
Telegram is one of the most popular messenger apps in the world, but users should be aware of security issues like phishing scams, hackers, and bad actors that could steal personal info or infect devices with malware.
To stay safer on Telegram, turn on a VPN before chatting. Avast SecureLine VPN hides your web activity and secures your connection with bank-grade encryption, making you invisible to snoops and keeping your communications secure. Enjoy Telegram knowing you’re protected by a top-class online security tool.