Telegram Is Cooperating With Authorities, For Now

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by SpecterOps.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Telegram's moderation policies have markedly improved, but the jury is out on whether its pivot to more responsible practices will be an enduring one.
This week the messaging app shut down Huione Guarantee and Xinbi Guarantee, two massive Telegram-based criminal marketplaces that connected Southeast Asian fraudsters with criminal services.
Both were 'guarantee marketplaces', where the market administrators facilitated illicit transactions between anonymous buyers and sellers. Their services included the vetting of merchants, escrow services, and bots that monitored transaction fulfillment. Tether's USDT stablecoin was the primary payment method.
The sheer size of these marketplaces is eye opening.
In January this year, blockchain analysis company Elliptic said that Huione Guarantee was the "largest online illicit marketplace to have ever operated". At the time, Elliptic said Huione had more than 900,000 users and its vendors had received at least USD$24 billion worth of cryptocurrency since 2021. More than USD$4 billion of that was in the last quarter of 2024 alone.
Huione Guarantee is connected to the Huione Group, a Cambodian conglomerate. The US Treasury announced on 1 May that it was planning to "sever its [Huione Group's] access to the US financial system" because of its involvement in money laundering.
As of earlier this month, Elliptic reckoned that Xinbi was the second largest illicit marketplace of all time. It had more than 233,000 users and its vendors had received at least $8.4 billion in USDT since 2022.
Blockchain analysis firm Chainalysis explained this week why guarantee markets use Telegram:
Guarantee services rely on Telegram because it offers the fastest, lowest-friction way to coordinate deals. There's no need to register a domain or build infrastructure — a group can be created in minutes, brokers can operate under aliases, and communication is encrypted. For actors dealing in illicit or high-risk transactions, Telegram's pseudonymity and ease of access are major benefits.
…
Telegram's role also poses enforcement challenges. Its design makes it difficult to monitor, and obtaining backend data requires legal processes with uncertain outcomes. Still, the removal of Huione and Xinbi accounts from Telegram following FinCEN's action suggests that even Telegram's permissiveness has limits, especially when regulatory pressure is high.
Telegram served as the communications fabric for these marketplaces and we wrote last year that "Telegram turbocharges organised crime".
So it is great to see these takedowns and they'll certainly have some impact. Elliptic cofounder Tom Robinson told Wired that these marketplaces were a "key enabler" for online scammers and described the takedown as a "huge win" that will put a "real dent in the ability of online scammers to do what they do".
We agree. But redundancy and resilience are built into these criminal ecosystems. Chainalysis, another blockchain analysis firm, notes:
Historically, similar enforcement actions — whether targeting darknet markets like Hydra or broker networks — have led to dispersion, but not total disappearance. Vendors migrate, new services fill the void, and users adapt quickly. For instance, Telegram took down Xinbi's channels, but Xinbi has since posted new addresses and Telegram contact points.
Huione has announced its shutdown and even removed its name from its headquarters, but it's far too early to say whether this marks a true exit or simply the beginning of a quiet rebrand.
Prior to the takedown Huione Group had invested in resilience. It launched its own stablecoin (USDH), which it claimed could not be frozen, and it took a 30% stake in Tudou Guarantee. Coincidentally, Tudou Guarantee has seen a 30% bump in users since Huione was taken down.
The question here, then, is how quickly Telegram will wipe out new, up-and-coming criminal marketplaces. The app has historically ignored content moderation and lawful assistance requests, so what is motivating it to act nowadays, and will its cooperation endure?
Elliptic claims its analysis of Huione Guarantee and Xinbi Guarantee "led directly" to the marketplaces being shut down. Wired is also claiming credit, reporting the bans appear "to have been spurred by Wired's inquiry" to Telegram about Elliptic's research. We can see why they'd think that. Telegram spokesperson Remi Vaughn told the magazine that communities "reported to us by Wired or included in reports published by Elliptic have all been taken down".
Although Wired and Elliptic's prodding may have been the proximate cause of action, we think the person ultimately responsible for Telegram's improved responsiveness is the company's CEO Pavel Durov. He was arrested in France last August on charges including being complicit in the administration of an online platform to enable organised crime and illicit transactions. The prosecutor's office told Wired they issued an arrest warrant for Durov after realising just how many investigations were being stymied by Telegram. The company had failed to respond to 2,460 legal requests between 2013 and 2024.
Amazingly, Telegram's attitude to law enforcement cooperation changed almost overnight! Wired describes the shift:
"It's night and day," a Gendarmerie officer told Wired. The officer, who investigates cybercrime but is not directly involved in Durov's case, said that compliance from Telegram with metadata requests was helping with numerous investigations, especially drug trafficking. The Belgian prosecutor's office told Libération that they had noticed improved cooperation from Telegram too. In fact, regulators as far afield as South Korea have been saying the same. Soyoung Park, who works for the country's independent media commission, told Wired that prior to Durov's arrest, referring illegal content to the company felt like yelling into the void. But then, late last year, Park said, she met with a high-ranking executive in Japan. … Now, Park said, her contacts at Telegram "not only remove the flagged content but provide us with compliance updates, typically within an average of 24 hours … And I think that's, you know, a pretty big deal."
404 Media also has a quantitative analysis that found Telegram satisfied far more government requests so far this year than during the same period in 2024. In France, for example, Telegram accepted four requests within the first three months of 2024, and provided IP addresses or phone numbers for 17 people. For the same period in 2025 it took 668 requests and provided the same information for 1,425 users.
The investigation into Durov is ongoing, but we do wonder how durable his commitment to cleaning up Telegram will be.
He is already involved in an unrelated spat with the French government. On Sunday, just hours before voting in Romania's presidential election closed, Durov claimed that a "Western European government" asked him to "silence conservative voices" in the country. Durov gave a subtle-as-a-brique hint that the country in question was France by using the baguette emoji.
The French government responded within hours and called the accusations "completely unfounded". It said Durov's accusations were "a diversionary maneuver from the real threats of interference" and pointed out that Romania's presidential elections last December were annulled by domestic authorities because of Russian interference.
There's much more to this story, but suffice it to say we don't think it is a good omen for Telegram's continued cooperation with law enforcement authorities.
The French government used a big, prison-cell-sized stick to get Telegram to pay attention to its authorities. Given the sheer scale of harm facilitated by the app, we think that is perfectly fine.
From the Mouths of Trafficked Scam Centre Workers
Rest of World has chronicled the personal stories of several young Indonesians who were lured by fraudulent job ads and then trafficked to scam compounds.
They were enticed by ads that appeared on Telegram, Facebook and other social media offering IT-related office work overseas, in jobs like digital marketing or sales. Instead, they ended up in fortified scam compounds, with their passports and mobile phones confiscated.
They are then forced to carry out all sorts of romance or cryptocurrency scams on victims all over the world:
Even unskilled workers can learn the workflow in just a day, a 32-year-old communications graduate who was rescued from a Myanmar scam compound in March, told Rest of World.
The toughest part of the job is not the tech but building a relationship with the victims enough to be able to exploit them, he said.
"Building trust is to make the clients willing to invest and do business with us," he said. He was so good at it, he earned bonuses, he recalled.
"Every day, for eight months, I deceived people. If God really punishes me, it’s my fault," he said. "I'm, like, waiting for karma to come to me."
The scam compound workforce comprises people from a variety of countries, including China, India, Ethiopia and other developing countries. Indonesia's Ministry of Foreign Affairs says over 6,700 Indonesians have been tricked into working in scam compounds since 2020.
Meta Is the Cornerstone of the Scam Economy
Facebook ads are also being used to reach scam victims, as well as to recruit the forced labour for scam compounds.
Meta, which owns Facebook and Instagram, "is increasingly a cornerstone of the internet fraud economy", says The Wall Street Journal, which published a range of anecdotes detailing the types and impact of scams. A Meta spokesperson even acknowledged that there was an "epidemic of scams" that the company was working to address.
The Journal says that Meta's anti-scam measures have been deprioritised, although this was done as part of a shift to dedicate more effort to combating human trafficking and content promoting self-harm and suicide. That actually seems fair. We'd make the same priority decisions.
Still, it is possible that Meta is a bit conflicted here. After all, even scam advertisements generate revenue for the company, so there are real financial incentives to look the other way. Current and former employees told The Wall Street Journal the company is reluctant to add things like verification requirements for ad-buying clients.
What are reasonable standards of due diligence when it comes to preventing malicious and scammy advertisements? This seems like exactly the sort of area that government regulators should be investigating.
Three Reasons to Be Cheerful This Week:
- No reprieve for NSO Group: The US government does not plan to rescind various government actions that punish the maker of Pegasus spyware, according to The Washington Post. During the Biden administration NSO Group was placed on a US trade blacklist and was also barred from selling to the US government. The company had hoped that President Trump's election would provide an opportunity to rehabilitate the company in the eyes of the US government.
- New protections in Android to stop scammers: Google has announced new security and privacy protections that will be coming to Android in 2025. Interestingly, most of the protections it announced are designed to stop people from being easily scammed. For example, what it calls "in-call protections" stop a user from doing risky things like disabling security protections or sideloading an app during a phone call.
- Family of stalkerware apps goes dark: A trio of related stalkerware apps, Cocospy, Spyic and Spyzie, appear to have gone offline. Although the three apps had different branding, they were very similar under the hood and shared a security flaw. This allowed a researcher to scrape the email addresses of 3.2 million users. Following reporting of the breach, TechCrunch says "the stalkerware apps have since stopped working, their websites disappeared, and their Amazon-hosted cloud storage was deleted".
Sponsor Section
In this Risky Bulletin sponsor interview, Justin Kohler, Chief Product Officer at SpecterOps, talks to Tom Uren about the impossible challenge of managing identity directory services securely. Organisations try to implement the principle of least privilege but have no idea whether they have done a good job. Justin talks about approaches SpecterOps is developing to address this problem.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq examine what makes it hard for even competent hackers to contribute to state-backed espionage agencies.
From Risky Bulletin:
EU sanctions more Russian disinformation peddlers: The European Union has sanctioned three new clusters associated with Russia's disinformation networks across Africa and Europe.
This is the EU's 17th round of sanctions against Russia over its 2022 invasion and ongoing war in Ukraine. The sanctions are far broader and also target Russia's oil sector, its shadow fleet of oil tankers, and its hybrid warfare activities across Europe, which included extensive sabotage and disinformation campaigns.
We will not cover the entire sanctions package, since it is out of the scope of this newsletter, but only the three clusters that are cyber adjacent.
[more on Risky Bulletin]
Japan passes active cyber defense law: The Japanese government passed a new law last week that allows local agencies to carry out preemptive offensive cyber operations to prevent or suppress future attacks on the country's IT infrastructure.
Although named the Active Cyberdefense Law, its scope goes beyond what the name suggests and also includes several other provisions that modernize and upgrade the country's cybersecurity practices as a whole.
The most important section of the new law is not the part about "active cyber defense" but the part that overhauls some of Japan's data collection practices.
[more on Risky Bulletin]
Chrome will de-elevate itself when run with admin privileges: Google Chrome will inherit a security feature from Microsoft Edge that will automatically prevent Windows users from launching the browser with elevated admin privileges.
The new feature stops and relaunches the browser with normal user-level permissions every time a user tries to run it as an Administrator.
Chrome will only run with admin rights if passed special command-line arguments or when it's started in Automation Mode—to prevent the browser from breaking complex software automation chains.
[more on Risky Bulletin]