
Executive Summary

The arrest of Telegram's founder and CEO, Pavel Durov, on August 24, 2024, over allegations that his messaging platform has been used for various illicit activities, has sparked significant international attention and debate, particularly around freedom of speech and the responsibilities of social media platforms.

At the same time, the arrest has incited the ire of several hacktivist groups in cyberspace because, for many in this community, Durov is more than just a tech entrepreneur: he is the creator of two pivotal communication platforms in their lives, VKontakte, Russia's answer to Facebook, and the messaging app Telegram.

VKontakte played a significant role in fostering communication and forming groups within hacktivist collectives. It was also a treasure trove of information for Russian hacktivists, thanks partly to its lax approach to copyright enforcement. Before Durov was forced to sell the platform, it was renowned for its virtually unmatched collection of pirated and otherwise illicit content.

Telegram later took on a similar role, providing a haven for pro-Russian hacktivists to organize, form communities, and sell services and software. With minimal moderation and Durov’s libertarian stance on privacy and free speech, hacktivist movements felt secure operating on Telegram.

Interestingly, Durov’s detention also sparked a rare moment of unity among unlikely allies: the Russian government, pro-Russian activists, and even members of the Russian opposition in exile. All three groups expressed skepticism toward the decision by French authorities, albeit in different ways.

While the Russian government and opposition followed the conventional route of issuing official statements, pro-Russian hacktivists quickly rallied to launch #FreeDurov and #OpDurov campaigns, signaling their support for Durov and Telegram.

#FreeDurov and #OpDurov

News of Pavel Durov's detention in France on the evening of Saturday, August 24, spread like wildfire across Russian activists' channels and chats on Telegram. Almost immediately, Cyble Research and Intelligence Labs (CRIL) began monitoring the real-time reactions and activities of key Russian hacktivist groups and their allies:

  • People’s Cyber Army
  • UserSec
  • CyberDragon
  • EvilWeb
  • Rootsploit
  • CGPlnet
  • Overflame
  • ReconSploit
  • RipperSec
  • 62IX (did not actively participate but supported the #FreeDurov campaign)
  • High Society (alliance)
  • Holy League (alliance)

One of the first to react was the UserSec collective, which invited all other hacktivist groups to join the campaign against France. Several hacktivist alliances, such as the High Society and Holy League, shared these posts in their Telegram channels.

Figure 1 – UserSec posts on Sunday, inviting other groups to join the attack on France

Two hours later, the group claimed, together with another infamous pro-Russian hacktivist group, the People's Cyber Army, to have attacked the website of the French Court of Cassation and the official website of the Administrative Court of Paris. Administrators of the People's Cyber Army have been sought by U.S. law enforcement agencies since July 2024.

Figure 2 – Attack on two French courts by UserSec and People’s Cyber Army

By Monday, August 26, several Russian and pro-Russian hacktivist collectives, including CyberDragon, ReconSploit, EvilWeb, Rootsploit, CGPlnet, and RipperSec, had joined forces with UserSec and the People's Cyber Army. Together, these groups claimed coordinated cyber attacks on various websites in France and on organizations affiliated with the European Union.

Figure 3 – Coordinated cyber-attacks by several hacktivist groups on French websites

The next day, August 27, 2024, UserSec continued its attacks on France, targeting the website of the French insurance giant AXA Group.

Figure 4 – UserSec and People’s Cyber Army claim responsibility for the Attack on AXA France

At the same time, the hacktivist groups claimed attacks on a wide range of other targets, including the airports of Bayonne and Marseille-Provence, ferry services in Corsica, the website of a French customs agency, the Agence Universitaire de la Francophonie (AUF), and other entities.

Despite widespread claims of a massive cyber assault planned for the day of the court hearing, CRIL recorded diminished activity. The most notable claim came on August 28, when the People's Cyber Army stated it had accessed Industrial Control System (ICS) components of a French dam. To support the claim, the group released a video showing the intrusion and the changes it made to system settings. Examination of the video indicates that the panel shown is not a dam at all: it appears to be a power transmission control panel developed by the French company ELEC-ENR for the Parc éolien de Tenbonrev, a wind farm in the Brittany region of France. As with the other claims in this campaign, the video is the only evidence available, and the real-world impact of the access has not been independently verified.

Figure 5 – People’s Cyber Army claimed an attack on French ICS systems

Pavel Durov’s Border Crossing Details Emerge in Leaked FSB Database

As we analyze the events surrounding Pavel Durov’s detention in Paris, it’s impossible to overlook the timing of a significant data leak involving Russia’s FSB Border Service database in mid-August 2024.

During this period, information surfaced on one of the Telegram-based database leak channels, revealing details of individuals who crossed Russia's borders between 2014 and 2023. The database, named "Kordon 2023" ("kordon" is a Russian word for a border or cordon), contains sensitive information such as each traveler's full name, the date and location of the border crossing, the mode of transportation used, and the destination.

What stands out even more is that the leaked data contains records of Pavel Durov's own movements, which is at odds with his public claims of having severed ties with Russia. According to the database, Durov traveled to Russia over 50 times after emigrating. Notably, he was in Russia on the very day that the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) announced the ban on Telegram in Russia. Adding to the intrigue, the database vanished from the channel shortly after it appeared, raising questions about who orchestrated the leak and for what purpose.

Several Russian investigative journalists have verified the authenticity and accuracy of this database.

Figure 6 – Russian Media about the Kordon 2023 Data Leak

Conclusion

The arrest of Pavel Durov and the subsequent legal measures imposed by the French court have sparked a significant surge in activity among pro-Russian and other hacker groups. The #FreeDurov campaign has garnered support not only from pro-Palestinian factions but also from various French teams and numerous other collectives. Telegram remains the primary platform on which these groups organize and promote their campaigns.

Also, these incidents highlight a critical juncture in the ongoing debate over the responsibilities of social media platforms in regulating content while upholding user privacy. The backlash from various factions underscores a collective apprehension about the implications of legal actions against tech leaders. As the situation develops, privacy advocates will be closely monitoring how these events may reshape the landscape of digital communication and the protections afforded to users in an increasingly regulated online environment. The outcome of Durov’s case could set a precedent that either reinforces or undermines the principles of privacy and free speech that many Telegram users hold dear.

The post #FreeDurov: Hacktivists Scramble on Telegram Supporting Pavel’s Release appeared first on Cyble.