July 2025 | Protection & Intelligence Insights
Telegram has become one of the most downloaded messaging apps in Thailand and across Asia, used by activists, businesses, and even government agencies. With its sleek design and strong privacy branding, it’s easy to assume Telegram is a safe choice for secure communications. But recent investigations have raised serious concerns – not only about Telegram’s true level of security but also about who might be watching.
At our agency, we constantly evaluate tools and platforms used in digital communications, because in today’s world, trust in tech can’t be taken for granted. Based on new findings from international investigators and our own risk assessments, here’s what you need to know about Telegram, how it fits into regional and global surveillance dynamics, and what to look for in truly secure communications platforms.
Behind the App: Who Really Runs Telegram?
According to a major report by the Organized Crime and Corruption Reporting Project (OCCRP), Telegram’s infrastructure is far from independent. The report traces control of Telegram’s networking backbone to a low-profile Russian engineer, Vladimir Vedeneev. His companies reportedly manage IP addresses and maintain Telegram servers and have business ties to Russian intelligence agencies, including the FSB.
Why does that matter to users in Thailand or the wider ASEAN region?
Because control of infrastructure can mean access to data. And when that infrastructure is tied to a state actor known for mass surveillance, it’s not just a privacy issue it’s a security concern.
Telegram Isn’t End-to-End Encrypted by Default
Despite its reputation, Telegram does not use end-to-end encryption (E2EE) by default. Regular chats, including all group chats, are stored on Telegram’s servers in plain text. Only 1-on-1 “secret chats” are end-to-end encrypted, and most users don’t even enable this feature.
In other words: most communications on Telegram are no more secure than talking on the phone in public. For organizations in Thailand handling sensitive operations, investigations, or protected client data, this is a major red flag.
Why This Matters to Southeast Asia
Thailand and its regional neighbors face growing threats in the digital landscape from cybercrime to state-sponsored surveillance. With geopolitical tensions rising in Asia and beyond, communications infrastructure is increasingly caught in the crosshairs. Apps that appear secure but have hidden vulnerabilities can become soft targets for intelligence collection or data exploitation.
Telegram’s architecture, especially its metadata collection and centralized storage, makes it a tempting goldmine for surveillance agencies, both foreign and domestic.
And this risk isn’t hypothetical. The protocol Telegram uses, called MTProto, includes metadata in every message, identifying devices and approximate locations. Combine this with control of servers by individuals tied to Russian intelligence, and the app becomes less of a private messenger and more of a metadata machine.
Four Signals of Truly Secure Communication (That Telegram Doesn’t Meet)
If you’re responsible for protecting people, assets, or sensitive information in your organization, here are four key trust signals to demand from any communications platform:
1. End-to-End Encryption—Always On
True secure messaging tools encrypt everything by default—texts, calls, files, even emojis. Telegram fails this test. The app you use should not require extra steps or secret modes to be secure. Encryption should be invisible and automatic.
2. Transparent Access Control
You should always know who is in a chat or group, especially in joint task forces or cross-border operations. Many apps, including Telegram, blur these lines. A professional-grade platform should make internal/external roles crystal clear.
3. Zero Trust and Zero Knowledge Design
Zero trust means constant verification, never assuming any user or device is safe without proof. Zero knowledge means the provider (and even system admins) can’t read your data. Telegram’s model violates both principles.
4. Strong Data and App Sovereignty
Where your data lives and under which legal jurisdiction, matters. In Southeast Asia, where data protection laws are still developing, using services controlled or hosted in surveillance-heavy countries like Russia, China, or even the U.S. (under laws like the Cloud Act) can be a liability. Look for services based in privacy-respecting jurisdictions, ideally in the EU or within countries that enforce strong data sovereignty protections.
What Should Thai Agencies and Organizations Do?
In Thailand and across the ASEAN region, awareness of digital threats is growing, but so are the risks. Whether you’re handling private investigations, conducting government-related operations, or managing corporate IP, secure communication is not optional.
We recommend that every organization review their current communication tools and assess them against the four trust signals above. Telegram may still serve for public broadcasting or social media-like functions, but it is not a platform for secure, confidential exchanges.
And as recent events show, choosing the wrong tool can come with real-world consequences.
If Telegram’s recent revelations prove anything, it’s this: Privacy branding is not the same as real security.
Our mission is to keep our clients informed, prepared, and protected. That means constantly evaluating tools and practices in light of both global intelligence and regional realities.
We are happy to advise you or your organization on best-in-class secure messaging platforms and operational protocols.