A cybersecurity audit has identified a Telegram vulnerability that allows users to be tracked

An independent cybersecurity review obtained by Important Stories found that Telegram exposes persistent device identifiers that could allow passive tracking of users across networks and locations. The findings support a 2025 OCCRP and IStories investigation into Telegram’s infrastructure and its links to a Russian network engineer with alleged ties to the FSB.

An independent cybersecurity review has confirmed a critical Telegram vulnerability previously reported by OCCRP and its Russian partner Important Stories, finding that the messaging app exposes persistent device identifiers that could allow users to be tracked across networks and locations.

The review, conducted by Symbolic Software and obtained by Important Stories, found that Telegram clients transmit messages in a way that exposes an identifier known as ‘auth_key_id’ in cleartext or in a form that can be easily deobfuscated. The identifier remains stable across sessions, IP address changes, network switches, and geographic locations.

That means an internet service provider, network administrator, state surveillance system, or other actor with passive access to Telegram traffic could collect the identifiers without breaking encryption, intercepting certificates, or actively manipulating the connection.

The experts said such access could allow an observer to build a database linking specific devices to network locations, timestamps, and traffic patterns. If the user’s identity is known through other means, the same data could be used to track that person’s device over time.

In 2025 the investigation by OCCRP and IStories found that Russian network engineer Vladimir Vedeneev had served as Telegram’s chief financial officer, had power of attorney to sign documents on behalf of Telegram and founder Pavel Durov, and operated companies with links to Russian state and security-linked clients, including the FSB.

Vedeneev himself acknowledged having an FSB handler and responding to security service requests involving Russian internet users. Vedeneev has denied that the vulnerability described by reporters exists and said he does not provide Telegram data to the FSB.

Telegram rejected the latest conclusions. In a response to Important Stories, the company said the ‘auth_key_id’ parameter changes regularly and does not reveal user information, message contents, recipients, or private data. Telegram also said its infrastructure is managed exclusively by its internal engineering teams and denied that Vedeneev or his company GNM are connected to the FSB.