In the digital era, the center of gravity for hybrid warfare has shifted to online platforms. Among these platforms, Telegram has evolved from a messaging app into a tool for Russian intelligence influence operations, illustrating how hybrid warfare now leverages consumer technology platforms. Russian intelligence has developed an efficient system for recruiting individuals via Telegram, through which it successfully orchestrated the 2024 parcel attacks. What makes Telegram a tool for hybrid warfare is the combination of lax moderation, ideological commitment to maximal openness, and structural opacity, which together create a uniquely exploitable environment for Russian intelligence and a mounting security risk for Europe.
The internet has increasingly become a virtual battlefield for hybrid warfare, and the 2024 parcel attacks illustrate this trend. Lithuanian authorities have detained suspects linked to the 2024 parcel explosions across Europe. The perpetrators carried out four terrorist attacks through parcel delivery services DPD and DHL. Two attacks were carried out by sending explosive and incendiary packages from Vilnius to the United Kingdom by DHL cargo planes, while two others were executed via package delivery to Poland using DPD cargo trucks. [1] The investigation exposed ties between the perpetrators and their activities to Russian intelligence agencies. Fifteen suspects were recruited individually through Telegram, motivated by promises of payment in cryptocurrency. Lithuanian police have seized high explosives with a yield exceeding 6 kilograms of TNT concealed within food cans. [2]
From 2023 to 2024, Russian sabotage operations in Europe nearly quadrupled, primarily targeting government facilities and infrastructure supporting Ukraine’s defense against the Russian invasion. [3] According to Western intelligence sources, the aim of the attacks is to weaken public support for the Ukrainian cause. [4] In its 2024 annual report, the Latvian State Security Service (VDD) noted the growing trend of Russian intelligence services using Telegram to recruit citizens on the other side of the Russo-Ukrainian conflict – those who benefit from the freedom of movement within the Schengen Area. [5]
Security Risks Associated with Telegram
The challenge stems from the digital age, where widely accessible platforms can easily be used for both civic and malicious purposes. Telegram embodies this dual nature. On the one hand, it serves as a hub for dissent globally, connecting communities and offering alternative information channels [6]. On the other, it facilitates the spread of disinformation, extremist propaganda, and even terrorist recruitment.
Telegram was created in Russia and initially financed by Russian entities and oligarchs, including the Russian Direct Investment Fund. Its founder Pavel Durov has also declared his previous cooperation with the FSB. [7] In 2011, Durov wrote a letter to Deputy Prime Minister for Economic Modernization Vladislav Surkov. In the letter he reminded Surkov of his five-year cooperation with the FSB, providing IP addresses, phone numbers, and other information necessary for the identification of VKontakte users to suppress dissent among Russians. The former head of the VKontakte press service Vladislav Tsyplukhin has denied knowing about the letter, despite evidence linking him to it, and Durov dismissed the letter as „made-up nonsense“. [7] Durov left Russia in 2014, claimed never to have returned, and explicitly stated that Telegram had no infrastructure in Russia. However, leaked documents from the FSB Border Guard revealed that Durov entered Russia more than 50 times between 2015 and 2021. [8]
The independent Ukrainian investigative group Kremlingram, which studies Telegram’s security risks, routinely reports on Russian ties to the platform. Some Telegram servers are located within Russia and managed by Global Network Management, a company whose IP addresses formerly belonged to Globalnet – a Russian company closely linked to the FSB. [9] An investigation by IStories further identified Vladimir Vedeneev, the owner of Global Network Management, who also serves as Telegram’s Chief Financial Officer. Vedeneev reportedly has links to companies that provided services to the FSB and to a research computing center that assisted in planning the invasion of Ukraine and developed deanonymizing tools. [10]
Telegram’s corporate structure remains highly secretive. The company maintains a strict no-LinkedIn policy, and only a tiny fraction of its managers are publicly known. [10] This opacity undermines accountability and potential state influence.
In August 2024, Durov was arrested in France on charges of enabling criminal and terrorist activity through insufficient moderation. [11] After his release, he pledged to improve moderation of harmful content. [12]
Telegram is commonly marketed as an end-to-end encrypted messaging app; however, this image is not entirely accurate. In April 2025, Pavel Durov wrote „[w]e don’t trade privacy for market share… Telegram has never disclosed a single byte of private messages.“ [10] However, network security experts warn that the end-to-end encryption of Telegram is far from perfect and leaves users vulnerable to tracking. Every encrypted Telegram message has an unencrypted element – the auth_key_id. According to Michał “Rysiek” Woźniak, a security expert who served as the head of infrastructure and information security at the Organized Crime and Corruption Reporting Project, this makes it possible to identify a specific user device. The unencrypted identifier also allows for the retrieval of a Telegram user’s IP address, severely compromising the anonymity and overall security of Telegram users. [10]
New Age of Russian Hybrid Warfare
Russian intelligence agencies use bots as part of their Telegram recruitment strategy. In March 2024, Ukrainian counterintelligence prevented an attack on a military recruitment center in Kharkiv in which the perpetrator had been contacted directly via a Telegram bot offering instructions, imagery and a cryptocurrency reward. In July 2025, a 17-year-old boy was apprehended by authorities after providing Ukraine’s military movement data to the GRU, unaware of the recipient’s true identity. [13] However, recruiters sometimes make direct contact with targets. Another 17-year-old boy was contacted in July 2025 after he posted on two Telegram channels seeking remote work. Less than 30 minutes later, he was contacted by a recruiter, first instructed to set fire to a conscription center van, then to plant a bomb in another van in Rivne, where he was subsequently detained. [14]
Not all Telegram recruits are involved in direct attacks. Russia routinely recruits these individuals to carry out lesser tasks than arson or explosive attacks, and these agents are often underage. In September 2025, Dutch authorities arrested 17-year-olds recruited through Telegram who were instructed to walk around several embassies as well as Europol and Eurojust areas in The Hague with a Wi-Fi sniffer for network mapping. Such cases demonstrate the ease with which young individuals can be manipulated into espionage – either through their curious nature or Russian exploitation of their desire for validation in online communities. [15]
Online recruitment of agents also poses a significant threat because of its decentralized network that is cloaked in anonymity and is widely accessible. Unlike traditional espionage, relying on highly trained operatives and hierarchical, centralized command, Telegram recruitment leverages decentralized clusters of expendable recruits. This model of recruitment amplifies the compartmentalization of operations, and it is thus even more difficult to connect and trace the active agents. [16] Unlike traditional operations involving trained agents, platforms like Telegram facilitate a gig-economy model of sabotage. In this model, agents often operate in a disconnected chain. One picks up a task where another left off, with both linked only by an anonymous digital handler. European intelligence services thus need to intensify cooperation to uncover the networks. On October 21, 2025, one Ukrainian citizen was arrested in Poland and two others in Romania for allegedly working for Russian intelligence services. The two perpetrators were arrested in Romania for handing over two IEDs to an international courier company. The parcels were defused, and the third arrest in Poland was made on suspicion of involvement in a Russian sabotage scheme. [17]
The November 2025 rail attacks in Poland confirmed Telegram’s central role in coordinating sabotage networks. Ukrainian President Volodymyr Zelensky, citing intelligence shared by Polish Prime Minister Donald Tusk, revealed that the perpetrators used Telegram to organize the bombing of the strategic Warsaw-Lublin railway line, a critical route for military aid. [18] Furthermore, on December 2, 2025, Polish prosecutors charged a 28-year-old Russian national with coordinating a sabotage network on behalf of Russian intelligence in 2023. He is accused of managing a group of around 30 people via Telegram. The network was responsible for sabotaging railway infrastructure, conducting espionage, and disseminating propaganda. [19]
The Security Service of Ukraine (SBU), the National Police and United News have started a public awareness campaign against the recruitment of Ukrainian minors by Russian intelligence. At the end of 2024, the SBU launched a Telegram chatbot for reporting Russian recruitment practices to authorities. The bot has already received over 10,000 messages since its launch, showing the vast scale of the recruitment efforts. [20]
Telegram as a tool for Russian hybrid operations is also addressed by several European intelligence services in their annual reports. The 2024 annual report of the Czech Security Information Service (BIS) stated that Russia tried to undermine the cohesion of Western countries by sowing discord among their populations. According to the BIS, Russian intelligence used Telegram to weaken the cohesion of Ukraine’s supporters, disrupt military support for Ukraine, and manipulate public opinion against Ukraine. The BIS cited an arson attack on the Prague Klíčov bus depot carried out by a Colombian citizen recruited on Telegram for financial reward. The report highlights how socioeconomically vulnerable individuals, such as nationals from outside of the EU, are the prime targets, as they have a financial incentive to carry out attacks – often unaware that they are working for Russian security services. [21]
A joint investigation by journalists from Delfi, OCCRP, Paper Trail Media, ZDF and Der Standard demonstrated how these recruitment schemes operate. They created a fake identity under the name Valeri Ivanov, a fictitious 26-year-old Russian-speaking Estonian. A Telegram recruiter instructed Valeri to spy on bases, set fire to NATO vehicles and commit murder. Reporters provided Valeri’s fake name, birth details, location and an ID photo and were offered acts of violence – burning Ukrainian military vehicles or murder-for-hire (each offering a payout of $10,000). The recruiter also instructed him to practice with Molotov cocktails and to suggest targets like fuel depots. The pro-Russian channel Grey Zone that advertised Privet Bot was blocked for EU mobile/desktop users but remained reachable via Telegram’s web client. [22]
Ukraine’s Use of Telegram-Based Tactics
The use of Telegram as a tool for spreading terror is not limited to Russia. In December 2024, police identified a network of phone scammers who coerced Russian citizens into committing 34 arson attacks. The perpetrators targeted banks, police cars, post offices and government service offices in shopping centers. The FSB claimed that these phone scammers, who impersonate bank officials or law enforcement, were Ukrainian operatives. Like the Russian recruits, the Ukrainian scammers targeted socially vulnerable individuals. The perpetrators ranged from 17-year-olds to pensioners, who were first instructed to send money to the scammers, and then to commit attacks. [23]
In September 2024, a 13-year-old and a 14-year-old carried out an arson attack on an Mi-8 helicopter at the Noyabrsk airport in Russia. They told police that a stranger who contacted them through social media had promised them 5 million rubles. Another attack was carried out in September, when two perpetrators set fire to relay cabinets near the Khrapunovo railway station. They too told authorities they had received an offer of payment for committing arson. [24]
These terrorist attacks are regarded as part of a hybrid warfare campaign by Ukrainian security services to offset their military disadvantage compared to Russia. [24] However, the Ukrainian authorities publicly distance themselves from this campaign, while the Russian Prosecutor General’s Office claimed that the scammers were financed by the Ukrainian government. International investigations have revealed that the call centers in Ukraine are primarily large-scale operations, but it remains unclear under whose initiative these call centers operate. Additionally, the investigations revealed that the stolen money is transferred to offshore accounts or converted into cryptocurrencies, and as such, does not benefit the Ukrainian economy. [25]
What Should the West Do?
The growing use of consumer-grade digital platforms for hybrid warfare highlights the evolving nature of modern conflict. Telegram has become a strategic asset in Russia’s operations against Ukraine and the West. However, this asset can also be effectively utilized to sow instability within Russia itself, as illustrated by the disruptive operations of independent Ukrainian call centers. The ease of recruiting citizens poses a challenge that is difficult for both Russia and Ukraine and its allies to mitigate. Telegram recruitment practices from both use minors as part of their schemes. The Western authorities should therefore put pressure on both sides to address the recruitment of minors. While both sides use Telegram for recruitment, the Ukrainian government reportedly is not involved in the operation of call centers, while the Russian intelligence agencies directly recruit individuals. The West thus needs to develop strategies to counter these disinformation campaigns and raise awareness about Russian recruitment on the platform. [26]
The swift adaptation of Russian intelligence services to digital platforms is a grim testament to their operational agility. Telegram recruitment of European citizens may not always yield immediate results for Russian intelligence, as the process still relies on individuals agreeing to engage in illicit activity. Nevertheless, it allows Russia to identify and use potential agents without investing time or resources into training them. A human recruiter can provide step-by-step instructions, while with an automated bot recruiter, the recruitment process proceeds with minimal exposure for Russia.
Although most contacted individuals do not follow through with the recruitment process, each successful case advances Russia’s objectives and can have devastating effects. European security authorities therefore face a difficult task of regulating Telegram and similar platforms without suppressing legitimate activity and preventing their citizens from becoming unwitting assets in foreign intelligence operations.
Reviewed by Dávid Dinič and Tomáš Zwiefelhofer
Cover photo: Yuri Samoilov/Flickr
References
[1] Lietuvos Policija. (2025, September 17). Išaiškinta ir sulaikyta asmenų grupė, organizavusi ir planavusi įvykdyti keturis teroro aktus, turinčius hibridinių tikslų. Pradžia. Retrieved from https://policija.lrv.lt/lt/naujienos/isaiskinta-ir-sulaikyta-asmenu-gruoe-organizavusi-ir-planavusi-ivykdyti-keturis-teror-aktus-turincius-hibridiniu-tikslu-0hsd/
[2] LRT.lt. (2025, September 17). Lithuania says it busted Russian-linked network that planned terror attacks in Europe. News. Retrieved from https://www.lrt.lt/en/news-in-english/19/2681837/lithuania-says-it-busted-russian-linked-network-that-planned-terror-attacks-in-europe
[3] Edvards, C., & Seidenstein, N. (2025, August 19). The Scale of Russian Sabotage Operations Against Europe’s Critical Infrastructure. International Institute for Strategic Studies. Retrieved from https://www.iiss.org/research-paper/2025/08/the-scale-of-russian–sabotage-operations–against-europes-critical–infrastructure/
[4] Kopaleishvili, K. & Weiss, M. (2025, September 17th). Revealed: How Russia’s GRU Plotted Europe’s Parcel Explosions. Vsquare. Retrieved from https://vsquare.org/revealed-how-russia-gru-plotted-europe-parcel-explosions/
[5] Latvian State Security Service. (2025, February). Annual Report on the Activities of Latvian State Security Service (VDD) in 2024. Retrieved from https://vdd.gov.lv/en/useful/annual-report-2024
[6] NDI. (2025 August 13). A Decade of Resilience: Ukrainian Views on Their Democracy in the Face of War, Crisis and Reforms. Retrieved from https://ndi.org/publications/decade-resilience-ukrainian-views-their-democracy-face-war-crisis-and-reforms
[7] Колесников, A. (2013, March 26). Руководство «ВКонтакте»: «Мы уже несколько лет сотрудничаем с ФСБ и отделом «К» МВД, оперативно выдавая информацию о тысячах пользователей нашей сети». Новая Газета. Retrieved from https://novayagazeta.ru/articles/2013/03/27/54100-rukovodstvo-171-vkontakte-187-171-my-uzhe-neskolko-let-sotrudnichaem-s-fsb-i-otdelom-171-k-187-mvd-operativno-vydavaya-informatsiyu-o-tysyachah-polzovateley-nashey-seti-187
[8] Kondratyev, N., Feoktistov, E. & Korotkova, A. (2024, August 27). Pavel Durov Has Visited Russia More Than 50 Times Since His “Exile” in 2014. iStories. Retrieved from https://istories.media/en/news/2024/08/27/pavel-durov-has-visited-russia-more-than-50-times-since-his-exile-in-2014/
[9] Kremlingram. (n.d.). Dangers of Telegram – Servers in Russia. Retrieved from https://kremlingram.org/en/dangers/
[10] Anin, R. & Kondratyev, N. (2025, June 10). Telegram, the FSB, and the Man in the Middle. iStories. Retrieved from https://storage.googleapis.com/istories/en/stories/2025/06/10/telegram-fsb/index.html
[11] Tidy, J. (2025, March 17). Telegram founder allowed to leave France following arrest. BBC. Retrieved from https://www.bbc.com/news/articles/cg703lz02l0o
[12] Hollister, S. (2024, September 6). Telegram CEO breaks silence after arrest. TheVerge. Retrieved from https://www.theverge.com/2024/9/5/24237174/telegram-ceo-pavel-durov-statement-following-arrest
[13] Таран, В. (2025, August 7). UberKills і «уберизація» злочинності: як Telegram перетворився на тіньовий даркнет. Ukrinform.ua. Retrieved from https://www.ukrinform.ua/rubric-world/4023151-uberkills-i-uberizacia-zlocinnosti-ak-telegram-peretvorivsa-na-tinovij-darknet.html
[14] BBC. (2025, November 20). Ukrainian teen saboteurs recruited on Telegram to attack their own country. Retrieved from https://www.bbc.com/news/articles/c8r08zmkjlzo
[15] Cluley, G. (2025, September 30). Dutch teens recruited on Telegram, accused of Russia-backed hacking plot. Bitdefender. Retrieved from https://www.bitdefender.com/en-us/blog/hotforsecurity/dutch-teens-recruited-telegram-russia
[16] Institut Governance. (2025, August 12). European intelligence officials warn that a Russian sabotage campaign is escalating. News – Business. Retrieved from https://institut-gouvernance.org/news/european-intelligence-officials-warn-that-russian-sabotage-campaign-is-escalating/
[17] APnews. (2025, October 21). Ukrainian citizens arrested in Poland and Romania over an alleged Russian plot. Retrieved from https://apnews.com/article/poland-sabotage-war-ukraine-hybrid-russia-b62581c88b125d18b6f962c0c0b83b2f
[18] Zaikova, A. (2025, November 19). Saboteurs used Telegram to organize a railway blowing up in Poland. Babel.ua. Retrieved from https://babel.ua/en/news/123178-saboteurs-used-telegram-to-organize-a-railway-bombing-in-poland
[19] Charlish, A. (2025, December 2). Poland charges man with orchestrating sabotage from Russia. Reuters. Retrieved from https://www.reuters.com/world/poland-charges-man-with-orchestrating-sabotage-russia-2025-12-02/
[20] Служба безпеки України. (2025 August 1). СБУ та Нацполіція спільно з телемарафоном «Єдині новини» розпочали новий етап кампанії з протидії вербуванню українських підлітків російськими спецслужбами (відео). Retrieved from https://ssu.gov.ua/novyny/sbu-ta-natspolitsiia-spilno-z-telemarafonom-iedyni-novyny-rozpochaly-novyi-etap-kampanii-z-protydii-verbuvanniu-ukrainskykh-pidlitkiv-rosiiskymy-spetssluzhbamy-video
[21] Bezpečnostní informační služba. (2025, July 10). Výroční zpráva Bezpečnostní informační služby za rok 2024. Retrieved from https://www.bis.cz/vyrocni-zpravy/vyrocni-zprava-bezpecnostni-informacni-sluzby-za-rok-2024-323084ca.html
[22] Huppertz, C., Izumrudov, A., Lorenz, L., Lozovsky, I., Obermayer, B., Roonemaa, H., Schmid, F. & Vunš, M. (2024, September 26). ‘Make a Molotov Cocktail’: How Europeans Are Recruited Through Telegram to Commit Sabotage, Arson, and Murder. Organized Crime and Corruption Reporting Project. Retrieved from https://www.occrp.org/en/investigation/make-a-molotov-cocktail-how-europeans-are-recruited-through-telegram-to-commit-sabotage-arson-and-murder
[23] Meduza. (2024, December 23). Police blame Ukrainian scammers for wave of arson attacks and explosions in cities across Russia ahead of New Year holidays. Retrieved from https://meduza.io/en/feature/2024/12/23/police-blame-ukrainian-scammers-for-wave-of-arson-attacks-and-explosions-in-cities-across-russia-ahead-of-new-year-holidays
[24] Mitrokhin, N. (2024, October 4). How Russia and Ukraine Use Teenagers for Sabotage Operations. Russia.Post. Retrieved from https://russiapost.info/politics/teenagers_for_sabotage
[25] Romashova, O. (2025, January 16). “The police are already looking for you. I’m a scammer.” How Russians are tricked into attacking military enlistment offices and polling stations. Mediazona. Retrieved from https://en.zona.media/article/2025/01/16/scam_arsons
[26] Lovi, S. (2025). The Role of Telegram in Coordinating Cyber Attacks and Propaganda Campaigns by Russian Hackers. Cybersecurity and Law nr 2 (14) 2025. Retrieved from https://www.cybersecurityandlaw.pl/nr-2/22.pdf
