Telegram States It Has "About 30 Engineers," But Security Experts View This as a Red Flag.

A clip from a recent interview with the founder of Telegram, Pavel Durov, went semi-viral on X over the weekend. In it, Durov tells right-wing personality Tucker Carlson that he is the only product manager at the company, and that he only employs "about 30 engineers."

According to security experts, while Durov bragged about how "super efficient" his Dubai-based company is, what he said was actually a red flag for users.

"Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Sounds like that would be a security nightmare," said Johns Hopkins University cryptography expert Matthew Green. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.)

Green was referring to the fact that, by default, chats on Telegram are not end-to-end encrypted the way they are on Signal or WhatsApp. A Telegram user has to start a "Secret Chat" to switch on end-to-end encryption, which makes the messages unreadable to Telegram or to anyone other than the intended recipient. Over the years, many people have also raised questions about the quality of Telegram's encryption, mainly because the company uses its own proprietary encryption algorithm, developed by Durov's brother, as Durov revealed in an extended version of the Carlson interview. Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a long-time specialist in the security of at-risk users, noted that, unlike Signal, Telegram is much more than just a messaging application.
"What makes Telegram different (and much worse!) is that Telegram is not just a messaging app, it is also a social media platform."

It sits on an enormous amount of user data. "Indeed, it is sitting on the contents of all communications that are not one-on-one messages that have been specifically [end-to-end] encrypted," Galperin told TechCrunch. "'Thirty engineers' means that there is no one to fight legal requests, there is no infrastructure for dealing with abuse and content moderation issues. And actually, I would even dare to say that the class of those 30 engineers is not particularly brilliant," Galperin said. "And also, I think if I was some kind of a threat actor, I would really really take this as encouraging information. Every attacker likes an extremely understaffed and severely overworked opponent."

In other words, with such a small staff, Telegram stands little chance of holding its own against hackers, especially attackers with government-level resources.

Lemme guess, none of these 30 staff includes privacy or compliance people and zero third-party audit is ever done to review possible security controls restricting access to users' data. "Please trust us" isn't how security works. https://t.co/w7PBkU0TJR

Telegram's representative confirmed that the company has 30 developers working on the apps and infrastructure, but claimed it has an additional 30 people on its "core team." The representative did not answer our specific questions, including whether the company has a chief security officer, nor would he tell us how many of its engineers work full time on securing the platform.

Last week, the renowned cybersecurity expert SwiftOnSecurity posted on X that "The cost to run a company that has all the right cyber security tools and staff is absolutely obscene."

"It's hard to describe the numbers I've seen. Even saying this is a gray area. But it is [an] incredible headcount and spend," SwiftOnSecurity wrote.

All that is to say that even the largest companies on earth probably don't spend enough money, time, and energy securing themselves. Telegram has nearly one billion users, Durov said. It is among the most popular platforms for people working in crypto, who move millions of dollars, as well as for extremists, hackers, and peddlers of disinformation.

That makes it an incredibly interesting target for both criminal and government hackers. And it has—at most—just a handful of people dedicated to cybersecurity.

For years, security experts have warned that people should not treat Telegram as a truly secure messaging app. Given what Durov said recently, it may be even worse than experts thought.

Blog | 2024-10-31 18:50:01