You’ve downloaded the Telegram app because a group chat moved there, or a colleague insists it’s more secure than other apps. Starting in 2024, however, news reports about the arrest of the company’s CEO, criminal activity facilitated through the app, as well as alleged data breach, began circulating. 

In this guide, you will learn about Telegram’s different security models, security experts’ insights about the app, and how you can protect yourself while using it.

Key Takeaways

  • Telegram is not end-to-end encrypted by default. Full encryption only applies if you manually start a Secret Chat.
  • Most Telegram risks come from scams, not broken encryption. Crypto fraud, phishing, fake bots, and account takeovers are the primary threats targeting users.
  • Even with Secret Chats, Telegram may collect information such as phone numbers, IP addresses, and communication patterns, which can have privacy implications.
  • Recent policy changes and rising criminal activity impact privacy. Telegram now shares data with law enforcement when required, and the platform has seen increased scam activity, malware, and alleged large‑scale data exposure.
  • Enabling two-factor authentication, tightening privacy settings, and using Secret Chats for sensitive chats significantly reduces your risk.

How Telegram Security Works

Telegram is a cloud‑based messaging app that allows users to send messages, share media and files, and place voice or video calls across devices. Unlike traditional SMS, Telegram is a cross-platform tool that synchronizes messages through the cloud, so you can access conversations from phones, tablets, and desktops.

What many users don’t realize is that Telegram uses two different security models, depending on the type of chat you choose:

Standard Chats: Cloud‑Based Encryption

By default, users use Telegram’s standard chats. These messages are encrypted while traveling between your device and Telegram’s servers using the company’s MTProto protocol. They are stored on Telegram servers in encrypted form, so they can sync across devices. 

Because Telegram holds the decryption keys, they can technically access these messages if required. These chats are not end-to-end encrypted by default, which means they don’t offer the same level of privacy as messaging apps that encrypt all chats end-to-end automatically. While Telegram offers convenience and basic protection, it introduces tradeoffs, leaving your conversations vulnerable to unauthorized server access and potential breaches.

Secret Chats: When Full End‑to‑End Encryption Applies

If you want your conversations in Telegram to be fully encrypted, you will need to manually start a Secret Chat. In these chats, messages are encrypted using AES-256 encryption with Perfect Forward Secrecy (PFS), meaning each chat session uses a temporary, unique encryption key that cannot be recreated. When the session ends, this key is discarded, and a new key is created for the next chat. 

Secret Chats exist only on the device from which you started the session, and will not be synchronized on your other devices nor on Telegram’s servers. If you and the person you are chatting with log out, reset or change your phone, or uninstall Telegram, the Secret Chat history is lost.

This design limits exposure but also requires more intentional use. Secret Chats are best suited for sensitive conversations you wouldn’t want stored or recoverable later.

Is Telegram Safe from Hackers?

Whether Telegram protects you from hackers depends largely on how you use it.

Though Telegram’s encryption is a weak link, most hacks on the platform don’t break encryption; they target users directly. The most common threats include phishing messages, fake support accounts, malicious bots, and account takeovers that rely on stolen verification codes or SIM‑swap attacks. In many cases, users are tricked into handing over access rather than having it forcibly taken.

While Telegram’s default security protects messages in transit, standard chats stored in the cloud increase exposure if accounts are compromised or if attackers gain access through social engineering.

Telegram can protect you from many technical attacks, but it can’t prevent scams or account takeovers unless you actively enable protections like two‑factor authentication, Secret Chats for sensitive conversations, and tighter privacy controls.

Privacy concerns with Telegram

Security and privacy aren’t the same thing. Even when messages aren’t intercepted, how an app handles your data matters just as much.

Telegram promotes itself as privacy‑focused, but its cloud‑based design means it still collects and retains certain user information.

What Telegram Collects

Depending on how you use the app, Telegram may collect and store:

  • Your phone number
  • IP addresses
  • Device details
  • Contact metadata
  • Patterns of communication (who you message, when, and how often)

Messages in standard chats may also be stored on Telegram’s servers to support cloud syncing across devices. While Secret Chats minimize stored data, they must be manually enabled and don’t sync across devices.

Why Telegram’s Safety Reputation Has Changed

In recent years, a mix of policy shifts, law‑enforcement pressure, and widespread criminal misuse has reshaped how safe, or risky, the platform feels for everyday users. 

Regulatory Pressure and Policy Changes

In August 2024, Telegram CEO Pavel Durov was arrested in France on charges of allegedly facilitating criminal activity through the app. Soon after, Telegram updated its data-sharing policies to cooperate with law enforcement and disclose users’ phone numbers and IP addresses upon a valid court order. 

Since then, Telegram has disclosed user data, including phone numbers and IP addresses, in thousands of cases worldwide. Telegram complied with 900 U.S. law-enforcement data requests affecting 2,253 users. India and the U.K. also saw significant increases in law‑enforcement data requests affecting thousands of users. 

Criminal Activity Alleged Data Exposure on Telegram

Despite law enforcement scrutiny, the platform grew to become a preferred hub for cybercriminals, increasingly referred to as a place to find malicious AI tools and services, and clocked a 2,000% surge in malware scams.

In addition, its automated moderation systems began flagging and removing millions of criminal channels throughout 2025.

In January 2026, a post on a leak forum announced an alleged data breach that exposed 200+ million user records, which included usernames, full names, email addresses, and phone numbers. Telegram denies that users’ private data were exposed, but security researchers dispute this claim.

Telegram’s unconfirmed breach reports and policy changes on what the platform can and does share when legally required, raise valid concerns about how data is stored, protected, and potentially exposed, especially in non‑encrypted chats. 

The Rise of Telegram Scams

With massive public groups, anonymous accounts, bot automation, and built-in crypto communities, Telegram has become a fertile hunting ground for fraudsters who exploit the platform’s openness.

The $35 Billion Fraud Machine

In May 2025, crypto compliance solutions provider Elliptic revealed that two marketplaces on Telegram, Haowang Guarantee and Xinbi Guarantee, had together facilitated over $35 billion in stablecoin transactions alone. The scale of the illegal activity also included investment-related schemes (62% of inflows), impersonation scams (1400% year-over-year growth), and highly profitable AI-enabled scams.

Crime-as-a-Service Chat Groups

In another report, Gary Warner, Director of Intelligence at cyber intelligence company DarkTower, tracked eight major Chinese-language crime-as-a-service groups on Telegram in 2025, some with over 300,000 members. These groups offered phishing design, hosting, spamming services, and remote Tap-to-Pay facilitation for trade-based money laundering.

Why Scammers Gravitate to Telegram?

According to the KELA Cyber Team, Telegram has become a preferred platform for scammers because its design allows users to create highly anonymous accounts, making it easier for fraudsters to operate without immediately revealing their real identities. While enforcement efforts have increased in recent years, historically light content moderation at Telegram has given malicious actors more room to establish and grow scam networks.

The platform’s ability to host massive communities and broadcast messages to unlimited subscribers has also enabled scammers to target hundreds of thousands of potential victims at once. 

Telegram’s Bot API further enables criminals to automate phishing messages, fake verification processes, and investment scams at scale. On top of that, built-in cryptocurrency communities and seamless crypto payment integration make it easier to request, transfer, and launder digital assets, which are often irreversible once sent.

Because of the questionable activities operating through Telegram, Cybernews security researchers recommend that users block Telegram traffic going to their devices if it is not necessary.

How to Protect Yourself on Telegram

On the chance that you decide to use Telegram, here are some steps you can take to safeguard your data and yourself against scams and hackers.

Enable Secret Chats

To start a Secret Chat, open a chat with your desired contact, tap their name at the top, and select ‘Start Secret Chat’. Verify encryption keys by comparing the visual fingerprint or QR code.

It’s recommended to use Telegram’s Secret Chats to encrypt financial information, personal identification details, confidential work discussions, and any conversation you wouldn’t want on a server.

Activate Two-Factor Authentication 

To prevent anyone from taking over your accounts, enable two-factor authentication (2FA). This prevents a cybercriminal from accessing your account even though they have your email address or phone number. Follow this quick 2FA set-up process on Telegram:

  • Go to Settings → Privacy and Security → Two-Step Verification
  • Generate a strong, unique password using a password manager.
  • Add a recovery email. This is optional but recommended.
  • Store the backup codes securely.

Tighten Privacy Settings

Taking a few minutes to review and restrict your settings on Telegram significantly reduces your exposure to scammers, spam, and unwanted contact.

  • Phone Number: Navigate to Settings → Privacy → Phone Number → Select Nobody or My Contacts to hide your phone number. This prevents strangers from linking your Telegram account to your real-world identity. This reduces targeted phishing, SIM-swapping attempts, and unsolicited outreach from scammers.
  • Last Seen & Online: Select Nobody or My Contacts to stop strangers from tracking when you’re active or inactive, and from stalking you. It also prevents scammers from timing messages when you’re most likely to respond.
  • Profile Photo: Choose My Contacts only to restrict your profile photo. This keeps unknown users from copying or misusing your image for impersonation scams and may limit how strangers can identify or socially engineer you.
  • Forwarded Messages: Disable Link to My Account When Forwarded to prevent non-contacts from tapping forwarded messages and accessing your profile. It limits unwanted attention and reduces your visibility in large public groups.
  • Groups & Channels: Choose My Contacts only to block strangers from adding you to scam or spam channels. You control which communities you join instead of being pulled into fraudulent networks.
  • Calls: Choose My Contacts only to block unknown users from initiating voice or video contact. This reduces harassment, scam calls, and attempts to socially engineer you.

Manage Active Sessions

Because Telegram allows you to stay logged in on multiple devices at once, it’s imperative that you review your account regularly. 

  • Go to Settings → Devices.
  • Review all logged-in devices and terminate any unrecognized sessions, especially from a location you haven’t visited, or showing activity at unusual times.

Enable Account Self-Destruct Timer

If you become inactive on Telegram for at least 18 months, your account will be deleted by default. This includes all your messages, media, contacts, and all data you store in the Telegram cloud. However, Telegram also provides the Account Self-Destruct Timer feature, which gives the tool the option to irreversibly delete your entire profile earlier. This protects your data if you abandon the account, lose access to your device, or stop using Telegram altogether. To enable this feature:

  • Navigate to Settings → Privacy and Security → If Away For
  • Set the period from 1 to 12 months, depending on your usage frequency.

Use Self-Destruct Messages in Secret Chats

The Self-Destruct Timer in Secret Chats automatically deletes messages after a set amount of time. To set the timer, tap the clock icon in the input field for iOS or the top bar for Android, and then choose your preferred time limit. The countdown starts once the message is displayed on the recipient’s screen. When the time runs out, the message disappears from all participating devices.

Daily Safety Habits to Stay Protected

Most Telegram scams succeed because users click, trust, or share information too quickly. Build these simple daily safety habits to lower your risk of account compromise and financial fraud.

Never Do These

  • Never share your private keys or seed phrases, verification codes, even to contacts purporting to be Telegram support, credit card numbers, Social Security numbers, or passport details.
  • Never trust unsolicited investment advice, claims of guaranteed returns or risk-free opportunities, messages from unknown users claiming emergencies, bots requesting cryptocurrency for verification, links in group messages without hovering to check the URL, and free giveaways requiring upfront payment.
  • Never download files from unknown senders and desktop clients shared in channels that could be malware. Also, do not download apps from Telegram messages; use official stores such as the Google Play or Apple App Stores.

Always Do

  • Verify before trusting: Check official websites for legitimate channels/groups and cross-reference information on multiple platforms, and contact people through alternative channels to confirm identity.
  • Use security tools: Keep your device’s operating system updated. For tighter security, install reputable mobile security software, use a password manager to create strong, unique passwords, and consider using a virtual private network.
  • Practice skepticism: If it sounds too good to be true, it most likely is. It is best for you to learn the warning signs of a scam, including pressure to act quickly, unsolicited opportunities, requests for money, and grammatical or spelling errors.

Group and Channel Safety

First, never join groups from shortened links. After that, research the group or channel’s name + ‘scam’ in search engines and see if anything turns up. Check how long the group has existed, and review its admin profiles. Always view new groups and profiles with a skeptical eye. If you decide to join the group, look at the message history for signs of phishing, such as:

  • Immediate requests for personal information
  • Links requiring login to external sites
  • Promises of easy money or guaranteed returns
  • High-pressure tactics 
  • Multiple people sharing similar success stories, which are likely bots
  • Admins deleting critical questions and comments

If you notice even just one of these red flags, leave that group immediately and block the shady profiles. We also recommend that you configure the Group Privacy Settings:

  • Go to Settings → Privacy and Security → Groups & Channels
  • Change to My Contacts only to prevent strangers from adding you to groups.

What to Do If You’ve Been Scammed on Telegram

  • Stop all communication: Block and report the scammer immediately by tapping on their name, selecting Report or Block User, and choosing the appropriate reason.
  • Document everything: Screenshot all messages, transaction records, timestamps, and account names. These will be crucial when you file a report with law enforcement or a lawyer.
  • Secure your accounts: Immediately change your Telegram password, enable 2FA if you haven’t done so already, and log out of unknown devices. Remember to also check any payment methods you have linked to.
  • Report to authorities: In the U.S., you can report the incident to the Internet Crime Complaint Center (IC3) and the Federal Trade Commission. In other countries, contact your local police authorities, especially if the scam involves large amounts.
  • Alert financial institutions: Contact your bank or credit card company immediately and request charge reversals if the scammer has used your account for any transaction. If possible, request to freeze the compromised accounts.
  • Warn your contacts: Protect your connections by notifying them about the scammer and their tactics. Informing your contacts allows them to be aware of the situation and take precautions.
  • Cryptocurrency recovery: Cryptocurrency transactions are generally irreversible. However, you still need to report it to the appropriate cryptocurrency exchange and to IC3 to enable the Federal Bureau of Investigation to track crypto fraud patterns. Blockchain analysis firms may also assist in tracking the patterns, usually for large amounts.

Frequently asked questions

Is Telegram Safer Than WhatsApp?

It depends on how you use it. WhatsApp uses end‑to‑end encryption by default for all chats. Telegram only offers full encryption if you start a Secret Chat manually. Telegram can be considered safe, but it requires more intentional settings to reach the same baseline.

Is Telegram Safe for Sending Private Photos?

It can be, but only in Secret Chats. Photos sent in standard Telegram chats are stored on the cloud. For sensitive images, Secret Chats with self‑destruct timers offer stronger protection.

Is Telegram Safe from Government Surveillance?

Not entirely. Telegram may share certain user data, such as phone numbers and IP addresses, when required by law. Standard chats stored on Telegram’s servers are more exposed than Secret Chats, which limit what can be accessed.

Is Telegram Safe to Use with Strangers?

Caution is essential. Public groups, channels, and unsolicited messages are common sources of scams and impersonation attempts. Tight privacy settings and healthy skepticism go a long way in reducing risk.

Can Telegram Chats Be Hacked?

Most Telegram compromises don’t involve breaking encryption. They usually happen through phishing, fake support messages, or stolen verification codes. Strong passwords, two‑factor authentication, and cautious behavior are your best defense.

Final Thoughts

Telegram isn’t inherently unsafe, but it isn’t automatically secure either. You’ve seen the numbers: 200 million user records possibly exposed, $35 billion stolen through scams, and a platform that fundamentally changed its user data sharing policies after its CEO’s arrest. The headlines can feel overwhelming and frightening.

If you must use Telegram, make choices that define your digital safety. Within 10 minutes, you can lock down your Telegram account, enable Secret Chats for sensitive conversations, activate two-factor authentication, and decline suspicious messages without guilt or hesitation.

For broader protection beyond Telegram, layered security tools such as McAfee+ can fortify your digital defense. Look for solutions that provide real-time phishing detection, malicious link blocking, identity monitoring, and secure VPN services that help protect you across apps and devices.

While no tool replaces smart behavior, combining strong account settings with comprehensive security software will greatly reduce your overall digital risk.