Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Iranian Telegram Accounts Compromised

15 million Iranian Telegram users have reportedly had their phone number and their ID registered with the Telegram encrypted chat app compromised.

15 million Iranian Telegram users have reportedly had their phone number and their ID registered with the Telegram encrypted chat app compromised. In a paper to be presented at the Black Hat conference on Thursday, security researchers Collin Anderson and Claudio Guarnieri will outline their findings into the alleged compromise of more than a dozen Telegram accounts and the identification of 15 million Iranian users’ telephone numbers. This, it is claimed, would have jeopardized the communications of activists, journalists and other people in sensitive positions in Iran.

Telegram is an app designed to offer privacy and confidentiality with end-to-end encryption. The company was founded by the Pavel and Nikolai Durov brothers, following Pavel Durov’s sale of VK to the group in 2014. 

According to a report from Reuters, Telegram’s vulnerability lies in its use of SMS messages to activate new devices. “When users want to log on to Telegram from a new phone,” reports Reuters, “the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.”

Telegram itself has been quick to deny any serious problem. It points out that anyone can check whether a particular phone number is registered for any contact-based messaging service, including WhatsApp, Messenger and others. The automated API-based checks that were apparently used in this incident “are no longer possible since we introduced some limitations into our API this year.”

As for the dozen or more accessed accounts, “this is hardly a new threat as we’ve been increasingly warning our users in certain countries about it. Last year we introduced 2-Step Verification specifically to defend users in such situations.” This process would require newly registered phones to use a password as well as the received SMS token. “If you do that,” says the statement, “there’s nothing an attacker can do.”

The suggestion from the researchers is that a mobile service provider may have intercepted connections and provided information to the hackers. The hackers are thought to the Rocket Kitten group, previously described as an Iranian state-sponsored APT group. 

Trend Micro commented in a research paper written in September 2015, “These facts suggest that Rocket Kitten may be engaging some sort of foreign political espionage campaign and may want to find regime-opponents active in driving policy in different ways.”

Advertisement. Scroll to continue reading.

The concern with this new research is that the group may also be active in seeking political activists and dissidents within Iran; although the researchers have so far declined to comment on whether they believe this particular activity was Iranian government sponsored. Nevertheless, the implication is clear. “‘We see instances in which people … are targeted prior to their arrest,’ Anderson said. ‘We see a continuous alignment across these actions,’” reports Reuters.

The Telegram compromise is a perfect illustration of the encryption quandary for western law enforcement. LEAs want encryption backdoors built into cryptographic systems, so that terrorists have less places to hide their communications. The problem is that such systems are equally used by journalists and dissidents under repressive regimes. If Telegram and other products had an FBI or Metropolitan Police backdoor, hacking groups such as Rocket Kitten would very soon find them.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


Spanish Court agreed to extradite Joseph James O’Connor to he U.S., who allegedly took part in the July 2020 hacking of Twitter accounts of...


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...


A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of...

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...