
Cyber Incident Victim: Telegram

Date: Jun 2019

Location: China

Summary

A distributed denial-of-service (DDoS) attack targeted the Telegram messaging service, causing widespread connection instability and service disruptions primarily across the Americas, Europe, and parts of Asia. The attack involved a botnet flooding servers with excessive traffic, preventing legitimate access for users in affected regions including the East Coast of the Americas, the UK, Germany, Ukraine, Russia, and China, with additional reports of video-loading issues in Australia. The messaging platform confirmed user data remained secure despite the outage. Its founder later indicated the attacking IP addresses predominantly originated from China, noting a historical pattern of state-sized DDoS attacks coinciding with Hong Kong protests organized via the platform. Service stability was restored following mitigation efforts.


Description

On June 12, 2019, Telegram Messenger experienced a distributed denial-of-service (DDoS) attack that disrupted service for users globally. The attack involved a botnet—a network of compromised computers—flooding Telegram’s servers with excessive traffic, overwhelming their capacity to process legitimate requests. This caused unstable connections and messaging failures, primarily impacting users in North and South America, though Downdetector data showed significant disruptions in the UK, the Netherlands, Germany, Ukraine, Russia, and China. Users in Australia also reported difficulties loading video content. Telegram publicly acknowledged the attack via Twitter, explaining that botnets generate traffic from geographically dispersed devices, making attribution inconclusive. The company dismissed speculation about Brazilian hackers or state-sponsored involvement, emphasizing that rented botnet services allow attackers worldwide to mask their origins. Telegram assured users that no data breaches occurred, stating the attack only aimed to degrade service availability. By the end of June 12, service stability was restored.


On June 13, Telegram founder Pavel Durov provided additional context via Twitter, revealing that most attacking IP addresses originated in China. He noted a historical pattern of state-scale DDoS attacks (200–400 Gb/s) coinciding with protests in Hong Kong organized on Telegram. At the time, Hong Kong activists were demonstrating against an extradition bill that would permit trials in mainland China, with protests escalating ahead of a postponed legislative vote. Durov implied a correlation between the attack timing and these protests, though he did not explicitly attribute the attack to a specific entity. The incident highlighted Telegram’s growing user base, which had reached 200 million active users by March 2018 and surged by three million registrations in 24 hours during March 2019 outages affecting Facebook, WhatsApp, and Instagram. No further technical details about mitigation efforts were disclosed beyond the confirmation of restored service stability.
