BRIDGES

Telegram, Spam, and the Privacy Manifesto: A Human Rights Drama in Gilded Packaging

Three white paper objects floating against a vivid yellow background: a crumpled paper ball in the upper left, an irregularly shaped wad of paper on the right, and a creased, slightly crumpled paper airplane in the lower center. The composition is clean and graphic, with a strong color contrast that gives the image a playful, creative feel.

Telegram is a remarkably open platform, offering considerable freedom to both users and developers. I won’t deny that, because I’m one of the beneficiaries myself. Its bot system works like a breadboard, letting developers automate almost anything without restriction: message notifications are just the basics, and OpenClaw, which went viral not long ago, used a Telegram bot as an AI chat interface, a nearly perfect pairing.

But the “freedom” that developers see can taste quite different when ordinary users are on the receiving end. The content on Telegram can be described as “a swamp of the good and the bad”, and that’s putting it charitably. I’m more inclined to call it “civilization’s sewage system”: pornographic accounts, gambling links, and advertisements carrying keywords you’d rather not read are business as usual in any group with a halfway decent following. As the developer of Telegram Watchdog, I don’t need to rely on gut feelings to judge how serious the problem is, a quick look at the data is enough.

What Is Flooding Your Group?

According to Telegram’s statistics for my bot, Telegram Watchdog has 39,139 monthly active users.1 My human-verification provider, Cloudflare Turnstile, reports 22,440 verifications in the past week. Multiply that by 4 weeks and you get roughly 89,760 per month, meaning each user joins a group more than twice a month on average. But unless someone just registered and is hunting for interesting communities, joining even one group in a month is already pretty active behavior for a normal person.

Screenshot of Cloudflare Turnstile Analytics showing Telegram Watchdog’s verification data over the past 7 days. Webapp operations accounted for 22,170 requests, while browser-fallback accounted for 265. Traffic was primarily from Hong Kong (8,790), followed by Japan (3,900) and the United States (3,860). Browser distribution shows Chrome Mobile at 9,910, Mobile Safari at 6,630, and Edge at 2,510. The operating system breakdown is dominated by Android (12,480) and iOS (6,710), indicating the vast majority of users are on mobile devices.

Even more alarming: Cloudflare Turnstile reports that more than half of all requests going through Telegram Watchdog have already been flagged as bots. Given that many groups using Telegram Watchdog still suffer from spam, the real number is almost certainly higher. I once asked an AI how much spam a platform needs before users find it intolerable. The answer was 10%. And on a platform where bot accounts already account for well over 50% of the activity, I don’t believe for a second that they’re only churning out 10% of the total spam.

If you want to understand where Telegram spam actually comes from, you don’t need the dark web or any underworld connections. Open Telegram, search a few keywords, and in under twenty minutes you can map out the complete supply chain of a spam operation.

Screenshot of a Telegram global search for “telegram 买” (telegram buy), showing multiple channels and groups related to buying and selling Telegram resources, including “Merchant Telegram Buy Phone Numbers” (10 subscribers), “Buy Telegram Accounts / Buy Telegram…” (1,079 members), “Buy & Sell Telegram Blue Badges” (80 subscribers), “Buy & Sell Telegram Subscriptions” (60 subscribers), and “Buy & Sell Telegram Boosts” (22 subscribers). These channels are commonly associated with selling fake accounts, artificially inflating subscriber counts, and other fraudulent activities.

The supply chain starts with accounts. Bulk-registered Telegram accounts circulate openly on the platform, graded and priced by “quality”: older accounts cost more than freshly registered ones because the platform treats them as more trustworthy and they’re harder to trigger restrictions against. The channels trading these accounts operate right on Telegram, some even advertise on X to recruit customers. Once you have accounts, you need tools: bulk-messaging bots, auto-join scripts, none of which are hard to find.

With accounts and tools in hand, the next question is delivery. Sending plain text, even with obfuscated characters, can still get caught by Bayesian filters. When that happens, the ingenuity of spammers finds other channels to slip things through. Some purchase paid gifts for high-subscriber channels (think of it as sending a digital tip after topping up a credits balance), then embed ad copy in the gift’s caption. Since gifts are displayed publicly by default, it’s a neat piece of free-form advertising. Others exploit the title field of sticker packs to spread ad links. That field is shown when users preview a sticker pack, and the platform applies almost zero moderation or automated filtering to it.

Screenshot of a Telegram Gift notification showing a brown teddy bear emoji gift received on November 30, 2025 at 15:10, valued at 15 Stars (sellable for 13 Stars). Accompanied by a Chinese message wishing the recipient success in sticking with a particular platform, and blessing them with prosperous business and abundant wealth.

None of this operates in the shadows. It’s public, searchable, and comes with full customer service and after-sales support. The reason it can exist this openly isn’t that the platform technically can’t detect it. It’s that the platform chooses not to act.

Grassroots Defense, and Why It Will Never Be Enough

Group admins haven’t taken this lying down. Anti-spam solutions on Telegram are everywhere: math problems for new members, chemical equations to solve, specific emoji to send — the variations are endless. Telegram Watchdog uses Cloudflare Turnstile, a relatively privacy-friendly human-script detect solution. It verifies device trustworthiness via Private Access Tokens and requires completing a proof-of-work challenge (essentially lightweight hash computation, sharing the same underlying principle as Bitcoin mining), with no tracking cookies and no squinting at distorted letters.

But all these approaches hit the same ceiling: CAPTCHA-solving services.

A CAPTCHA-solving service simply pays real humans to complete verification challenges. For a few cents, someone clicks “I’m not a robot” for you. No matter how cleverly the CAPTCHA is designed, if a real person is behind the keyboard, it cannot be distinguished from a genuine user, because the person completing it actually is a person. Telegram Watchdog’s HMAC signature mechanism prevents pre-collected verification tokens from being replayed, but it can’t stop a real human from completing verification and then joining the group.

Ultimately, every product problem is an economic problem. Any anti-spam tool operating outside the platform can only do one thing: raise the cost a little. Raise it high enough, and some automated scripts will give up. But when the cost of an operation is low enough to wholesale (and on Telegram, attack costs are genuinely rock-bottom), someone will always find a way around it. And the chemistry-problem CAPTCHAs? They’re actually locking out legitimate users too. Unless you make a living from organic chemistry, do you honestly still remember the “molecular chirality” you learned in high school?

The other problem with grassroots solutions is fragmentation. Telegram Watchdog, various custom bots, paid commercial anti-spam services: everyone fights their own battle with no shared blacklists and no coordinated banning. An account kicked from one group can simply move to the next. Platform-level systematic intervention, including identifying behavioral patterns in bulk-registered accounts, imposing rate limits on suspicious accounts, and blocking known spam sources at the infrastructure layer - none of that falls within the reach of community tools.

So including Telegram Watchdog, everything in this space can manage at best “make your group slightly more bearable”, not “solve the problem.” The key that actually solves it has always been in Telegram’s hands.

The Real Solution that Officially Unused

So what is Telegram officially doing about this?

The answer comes in two parts. The first: they’re busy making money. In October 2022, Telegram launched Fragment, a digital asset auction platform built on the TON blockchain. It started with auctions for Telegram usernames, later expanding to virtual phone numbers, Telegram Premium subscriptions, and more. The official line is that TON is a “community-driven independent project” with no direct ties to the company.

But Pavel Durov personally posted to his channel to endorse Fragment at launch, announcing that it sold $50 million worth of usernames in under a month. Even as late as August 2025, years after the official “separation,” Durov was still publicly championing the TON ecosystem on his personal channel, promoting news of a Nasdaq-listed company making major TON purchases.

In March 2024, Telegram announced that ad revenue would be paid out in TON tokens, with channel owners withdrawing their share via TON wallets. In November of the same year, Fragment introduced KYC (Know Your Customer) requirements, demanding ID documents and facial photos from users. A platform that loudly champions “decentralization” introducing centralized identity verification says everything. The “independence” is largely a legal distancing maneuver.

The second part: they do occasionally “act,” but what they act on isn’t spam. It’s content that governments demand taken down. That’s common across social platforms, nothing new. But Telegram’s “acting” has a peculiar selectivity: in 2022, the German government fined it €5 million for failing to comply with laws on illegal content; in August 2024, Pavel Durov was arrested in France, with the core charges centering on the platform’s complicity in child sexual exploitation content, drug trafficking, and its lack of content moderation. After the arrest, Telegram revised its privacy policy, expanding the scope of law enforcement cooperation from terrorism investigations alone to all criminal suspects, any valid legal request could now obtain a user’s IP address and phone number.

In other words: it takes being pushed this far before they move. What I find even harder to accept is another type of “acting”: roughly ten Chinese-language channels I know of that shared completely normal content were directly shut down by Telegram with no functional appeals process, including a friend’s band meme channel and “Hikari Tech” (光卡科技) channel. No illegal content, no politically sensitive material, just gone. Meanwhile, spam openly carrying keywords like “underage girls” runs freely through groups, met with total silence from Telegram. That contrast is very difficult to explain away as “technical limitations.”

The “Privacy Protection” Is Just a Drama

Telegram has long carried an important brand label: “privacy protection.” Its anti-censorship image and its narrative of never yielding to governments attracted massive numbers of users who treat it as a “secure communications tool.” That impression deserves some scrutiny.

Telegram uses its proprietary MTProto protocol, which official documentation describes as a “highly secure encryption protocol,” claiming all messages are encrypted. That’s technically true, but the gap between “encrypted” and “end-to-end encrypted” is about as significant as the gap between Java and JavaScript, and Telegram has long worked to blur this distinction.

Ordinary private chats, groups, and channels on Telegram use server-side encryption: the data is encrypted in transit, but Telegram’s servers can read your messages. The very existence of the “message cloud sync” feature makes the point plainly. If Telegram weren’t storing your chats, where would cloud sync come from? Johns Hopkins University cryptography professor Matthew Green stated this directly in his 2024 analysis: Telegram is not an end-to-end encrypted messaging app.

Telegram does offer an end-to-end encrypted option, called “Secret Chat.” There is a large asterisk: it requires manual activation: on iOS, finding the entry point takes at least four taps; it only supports one-on-one conversations, not groups; it requires both parties to be online simultaneously to establish a session; and it doesn’t support multi-device sync. In other words, its existence functions more like a “we have this feature” disclaimer than a product genuinely designed for ordinary users.

Among instant messaging apps where private conversation is the primary use case, Telegram is one of the rare few that doesn’t offer end-to-end encryption by default. That fact, placed alongside its carefully cultivated “guardian of privacy” image, is rather ironic.

So, Whose Freedom Is Telegram Actually Protecting?

In the course of developing Telegram Watchdog, I’ve come to see with increasing clarity that the platform’s many problems are not oversights, nor are they resource constraints. They are systemic choices.

Spam can proliferate because governing it costs something, while ignoring it costs nothing. The narrative of “decentralization” and “freedom” conveniently provides ideological cover for exactly this kind of neglect. Fragment and TON’s commercial logic keeps running, the advertising ecosystem keeps flourishing (don’t forget that the Telegram ads with official promote system include plenty of bottom-of-the-barrel promotions like “collectible airdrops”), and monthly active users keep growing. From a business standpoint, the system works quite well. It just doesn’t hold up to scrutiny.

Real accountability only appears under two conditions: government pressure, or arrest. For day-to-day content governance, Telegram has simply opted out.

Will I keep maintaining Telegram Watchdog? I honestly don’t know. Maybe one day Telegram will have a change of heart and start taking community governance seriously (still dreaming?). Maybe after this post goes up, Uncle Durov’s heavy hand will reach down and wipe my bot out of existence.

But until the platform delivers a systemic solution, Telegram Watchdog is just the best effort that ordinary users, who are completely unarmed, can manage. And it can’t change one thing: this platform never intended to be accountable to its users.

Note: This post was composed with the assistance of large language models. All core content was provided by humans. The post has been reviewed and extensively modified by humans.

Feature image: Unsplash

  1. Technically, Telegram has never published exactly how they define this metric. When a new member joins a group protected by Telegram Watchdog, the bot proactively sends them a message and the verification is completed in the private chat with the bot. We assume that completing one interaction in that private chat counts as Telegram officially recording Telegram Watchdog as having one active user.

#Telegram #Telegram Watchdog #privacy #spam