Protecting Sources on Telegram: Security Protocols for Investigative Reporting

Telegram is a powerful tool for journalists. It’s where whistleblowers drop documents, where protest footage goes viral, and where breaking news spreads faster than official channels. But if you’re using it to talk to a source-especially one who’s at risk-you’re playing Russian roulette with their safety.

Telegram Isn’t Secure by Default

Most people think Telegram is encrypted. It’s not. Not really. Only secret chats are end-to-end encrypted. And even then, they’re not automatic. Regular chats-group messages, channels, even one-on-one conversations-are stored on Telegram’s servers. That means Telegram can access them. And if they’re forced to, they will.

A 2025 investigation by OCCRP’s Important Stories team found that Telegram’s infrastructure is managed by Vladimir Vedeneev, a Russian network engineer whose companies have worked with Russian intelligence. That’s not a coincidence. It’s a risk. Telegram claims its data centers are spread across multiple countries to avoid legal pressure. But their own 2025 transparency report shows they complied with 85% of U.S. law enforcement requests-up from 30% in 2023. That’s not privacy. That’s compliance.

And here’s the kicker: Telegram’s encryption protocol, MTProto, has been criticized by top cryptographers like Matthew Green from Johns Hopkins. He called its design choices “unnecessary risks.” Why? Because even encrypted messages leave behind metadata-like your device’s auth_key_id-that can be used to track you.

Secret Chats Don’t Save You

Journalists often think turning on “secret chat” makes them safe. It doesn’t. Secret chats are device-specific. They don’t sync across phones or computers. If your source uses a different device, they can’t access the chat. If they lose their phone? The conversation is gone. And if they’re under surveillance? Telegram still knows their IP address, their phone number, and when they were last online.

In December 2025, a Reddit user named u/DeepThroat2025 posted: “Used Telegram for source comms last month. Source was identified within 48 hours-despite using secret chats.” That’s not an outlier. It’s the norm. Secret chats protect content, not identity. And in journalism, identity is the most dangerous thing to expose.

Telegram Is a Gold Mine for Public Info-But a Trap for Sources

Here’s the truth: Telegram is unbeatable for open-source intelligence. Journalists use it to track protests in Iran, monitor corruption in Brazil, and trace arms shipments in Eastern Europe. OCCRP uncovered Russian grain smuggling by analyzing public Telegram posts that listed pickup points and delivery schedules. No secret chats needed. Just public channels.

But that’s the line: public info? Fine. Private sources? Don’t touch it.

The 2025 Journal of Media Ethics study found that 83% of investigative journalists monitor Telegram daily. But only 12% use it for confidential communications-down from 28% in 2023. Why the drop? Awareness. Journalists are learning the hard way that Telegram doesn’t protect people. It exposes them.

What You Should Use Instead

If you need to talk to a source who could be arrested, threatened, or worse-use Signal. Signal is end-to-end encrypted by default. No exceptions. No backdoors. No metadata leaks. It’s open-source. It’s been audited by cryptographers. It doesn’t store your contacts or message history on a server.

Signal also lets you lock your app with a PIN, hide your profile picture, and disable read receipts. You can send disappearing messages. You can verify contacts with safety numbers. None of this is optional on Signal. It’s built in.

Telegram markets itself as a privacy tool. Signal is built by people who understand what privacy actually means.

How to Use Telegram Safely-Without Putting Sources at Risk

You’re not going to stop using Telegram. It’s too useful. But you can use it the right way:

• Never use Telegram for first contact. If a source reaches out to you on Telegram, don’t reply with sensitive details. Tell them: “I can’t talk here. Use Signal.” Then send them your Signal QR code or link.
• Use a burner phone number. If you must use Telegram for research, get a separate phone number-preferably a VoIP number like Google Voice or a prepaid SIM bought with cash. Never link it to your real identity.
• Use a VPN every time. Even if you’re only browsing public channels, your IP address is still visible to Telegram. A trusted VPN hides your location and makes tracking harder.
• Don’t join channels with your main account. Create a separate Telegram account for OSINT work. Use it only for monitoring. Never for messaging.
• Keep your own database. Don’t rely on Telegram’s search. Save screenshots, transcripts, and metadata in an encrypted folder. Use tools like Maltego or custom Python scripts to organize what you find. The Shorenstein Center recommends building your own “source archive” - not storing info on Telegram.

Legal and Ethical Risks

The European Union forced Telegram to set up a legal entity in Brussels in 2025. That means EU authorities can now legally demand user data. In January 2026, OCCRP revealed Telegram now shares data with over 40 national law enforcement agencies. That’s not rumor. That’s documented.

And here’s what no one talks about: Telegram’s privacy policy says they’ll hand over your phone number and IP address if you’re labeled a “terror suspect.” They claim this has never happened. But ESET documented cases in Russia where activists were tracked and arrested based on their Telegram activity. If it’s happened once, it can happen again.

Journalists have a duty to protect sources. That’s not optional. It’s the foundation of the profession. If you use Telegram to communicate with someone who could be harmed by exposure, you’re not doing journalism-you’re endangering people.

Real-World Example: The Grain Scandal

In 2025, OCCRP used Telegram to trace illegal Russian grain shipments. They didn’t talk to a single source. They didn’t use secret chats. They watched public channels. Someone posted a photo of a truck with a license plate. Someone else commented on the delivery route. A third post showed a warehouse with a timestamp. Together, they built a case.

That’s how you use Telegram right. Not to protect sources. To uncover secrets that are already public.

Final Rule: If It’s Confidential, Don’t Put It on Telegram

There’s no workaround. No clever trick. No “if you do this, you’re safe.” Telegram’s architecture is fundamentally incompatible with source protection. It’s designed for mass communication, not confidentiality.

If you’re an investigative journalist, your job isn’t just to report the truth. It’s to protect the people who help you find it. That means ditching Telegram for sensitive conversations. Use Signal. Use Wire. Use PGP. Use anything but Telegram.

And if your source insists on Telegram? Tell them: “I care about your safety more than I care about convenience.” Then send them your Signal link.

The truth is worth reporting. But not if it costs someone their freedom-or their life.