The Proud Boys’ Reliance on Telegram Didn’t Save Them, But It Thwarted Preventing the Attack

At 8:06PM on January 4, 2021, shortly after the arrest of Enrique Tarrio, a Proud Boy named Travis instructed everyone on the Proud Boys’ Ministry of Self Defense Telegram list to “nuke everything.”

Because of the way Telegram persists on individual phones, it didn’t work. Two years later, that text was introduced as evidence against the Proud Boys to show that already on January 4, they knew they had something to hide.

Four days later, on the Ministry of Self Defense list that had replaced the first one, Aaron of the Bloody East — a senior Proud Boy in Philadelphia — announced the arrest of Proud Boy Nicholas Ochs as he landed in Hawaii (the avatars for the Proud Boys were added for the trial exhibit; only the monikers and user numbers came from Telegram itself). The conversation immediately turned to deleting two channels used to organize the Proud Boys during January 6. But because Jeremy Bertino, who had set up the chat, had already left it, the men once again struggled to cover their tracks.

Organizing on Telegram did not prevent the government from prosecuting the Proud Boys for their roles in January 6. On the contrary, those chats — complete with their boisterous efforts to delete them after every arrest — were a central part of the evidence used to prosecute Enrique Tarrio, Joe Biggs, and Ethan Nordean on sedition charges, with help from Bertino, who had flipped and who continues to cooperate in the investigation.

It started no later than Nordean’s own arrest on February 3, 2021, when Nordean’s spouse provided the FBI with the passcode to his phone, where many of these texts were still available. It continued as the FBI acquired one after another of the Proud Boys’ phones (one of the only known exceptions was Joe Biggs, whose phone the FBI never got).

A letter to Zach Rehl’s attorney from 2022 gives a sense of how the FBI had to exploit as many phones as they could, one after another, because the set of texts still available on any individual’s phone varied. Some people, like Nordean, were successful at deleting their voice notes and other attachments. Others didn’t even try.

Altogether, DOJ relied at trial on at least 11 separate lists, as well as a slew of individual Telegram texts and a number of Parler texts. In that sense, the investigation of the Proud Boys was little different from that of the Oath Keepers, who used Signal rather than Telegram for that kind of organization.

That’s important background to news of the French arrest of Pavel Durov on charges implicating (at least) child sexual exploitation, terrorism, cybersecurity, fraud, and organized crime. Authorities can still prosecute people who use Telegram to plan and organize their crimes.

But there are impediments. The cops took Tarrio’s phone when they arrested him — with those damning Telegram threads still on it — two days before the Proud Boys would lead a mob that attacked the Capitol. But it took over a year before they cracked the encryption on his phone, exploited it, and did a privilege review. Even after seizing Tarrio’s phone, then, prosecutors couldn’t prevent January 6, having decided that Tarrio posed a risk to the certification of the vote only days before the attack.

It might have been different if the Proud Boys had been considered a terrorist group (which it still is not, in significant part because of an asymmetry in US law regarding domestic and foreign extremist groups). Contrary to what a lot of coverage is reporting, the vast majority of Telegram usage is not encrypted. As far as I’m aware, none of the texts introduced at the Proud Boy trials were protected by Telegram’s hard-to-use encryption, not even the private texts in which Tarrio told one after another of his girlfriends of his imminent arrest.

But the encryption itself would not have saved him. On December 18, 2020, DC cop Shane Lamond did turn on Telegram’s encryption in texts he was exchanging with Tarrio, warning him about both the investigation into his role in burning a BLM flag (the crime for which Tarrio would be arrested on January 4) and observations about public Proud Boys statements in advance of January 6.

To contact Tarrio, the Defendant used a chat on Telegram with the highest level of encryption available. The Defendant then asked Tarrio if he had called in the anonymous tip. Tarrio responded “I did more than that. It’s on my social media.” The Defendant told Tarrio “I’m curious to see what happens too. I will check with our CID [Criminal Investigations Division] people if they have you on video.”

But those were still available on the phones after the fact.

Even after Lamond and Tarrio set Telegram to auto-delete messages, Telegram’s functionality didn’t entirely save them.

On December 22, 2020, approximately two minutes after Tarrio sent the Defendant a screenshot of a message he received from an MPD detective assigned to the BLM Banner Burning Investigation through Telegram, the Defendant changed the settings of his encrypted chat with Tarrio on Telegram so that future messages would delete 5 seconds after the recipient opened them.

Some of their auto-delete texts were reconstructed, especially those sent after Tarrio’s pre-trial release on the DC case.

And after Lamond called Tarrio using Telegram to warn him about the warrant for his arrest, Tarrio went to the Ministry of Self Defense thread — the same one the Proud Boys failed to delete after his arrest — and told them that his contact had just warned him of the arrest. There are texts between Lamond and Tarrio, especially from January 1 and 4, which were lost to law enforcement. But enough of their texts were preserved to substantiate obstruction charges on which Lamond will go to trial in October.

The encryption didn’t save Shane Lamond. It would probably do little for intelligence targets either — in part because the encryption may not be all that great, but also because a determined spook is going to get texts via the phones, just like the FBI did with Lamond. France certainly has the intelligence capabilities to defeat Telegram’s encryption, as does the US, both of which would be happy to share with Ukraine.

Rather, one of France’s reported complaints is that Telegram won’t cooperate with law enforcement requests. All these threads via which the Proud Boys planned January 6, and the texts sent between the allegedly corrupt cop Lamond and Tarrio before December 18, were likely readily available on Telegram’s servers. But even if the FBI had asked after Tarrio’s arrest, Telegram wouldn’t have provided them, at least not without a whole bunch of squawking. That also means that Telegram wouldn’t provide a whole bunch of other information that proves useful to solving crimes. In the Proud Boys case, because prosecutors couldn’t get metadata directly from Telegram, it likely required cooperating witnesses like Bertino to attribute the handles used by some of the Proud Boys to specific users (at the time, Signal did not yet have this capability, so investigators could more easily match phone numbers to users).

By comparison, prosecutors could and did serve preservation orders on Google and Facebook, which preserved a lot but by no means all relevant content, even as individual users were trying to cover their tracks just like the Proud Boys were. In response to legal process, those platforms, as well as Twitter and others (but not Signal, which doesn’t keep most of this data), provided user data, address, credit card data, and access times.

But it’s the issue of prevention for which Telegram poses the biggest concern. Telegram is the platform of choice for extremists of all ideologies, both for broadcast messaging and for more discreet threads like the ones the Proud Boys used. And in quick moving situations, like the extremist mobilization in the wake of the Southport stabbing in the UK, Telegram channels can grow to include tens of thousands before they’re even discovered. While Telegram took the rare step, in that case, of shutting down the most violent channels tied to British riots, it left many of them up.

It’s still too early to know the scope of the French investigation, beyond that it implicates both non-cooperation and slow moderation. It’s a complaint both that Telegram won’t provide information to solve crimes already committed and won’t take steps to prevent them from happening.

One of the most important questions is whether Durov derives a material benefit from letting crime and extremism flourish on Telegram. Another is whether Durov gives the Russian government preferential access to all the channels that are otherwise difficult to access. This post provides a sense of the degree to which Durov’s likely cooperative relationship with Russia conflicts with his public claims of animosity.

There are a lot of people claiming that France is targeting Durov because Telegram is an encrypted messaging platform. While that may be a factor, the far more important one is that Telegram allows crime to flourish on its platform, and until he arrived in France, where his French citizenship will actually help France thwart any Russian attempts to help him, he was protected by regimes that similarly preferred to let certain kinds of noxious content thrive.

Update: The French have released the possible charges. There is one charge of refusing to cooperate in criminal investigations.

They include six charges of “complicité,” what I guess is the US equivalent to aiding and abetting:

  • Illegal transactions for organized crime
  • Child sexual abuse material
  • Organized dissemination of CSAM
  • Narcotics sales
  • Hacking tools
  • Organized fraud

Then there are three crimes pertaining to the provision of encryption and importation of encryption without declaration.

The most interesting — and the ones that might make this prosecution akin to those of people like Ross Ulbricht — are:

  • Association with criminals with the intent to commit crimes punishable by 5 years
  • Money laundering

I noted above that one of the big questions is whether Durov derives a material benefit from letting crime flourish on Telegram. If he’s personally involved in money laundering, he may.

Note, none of the crimes suggest an unlawful relationship with Russia (though some of those encryption crimes may originally have been targeted towards spooks).

34 replies
  1. Dean Alper says:

    There doesn’t seem to be recent press reporting on Lamond prosecution, or delays in getting to trial.

    • Flock of Bagels says:

      Had a similar thought. I searched Google News and only found stories about setting a trial date…which was supposed to be back in February? But it never started? (I’m inferring.)

      Fun fact: When I filtered Google News for articles within the last month, I got exactly one hit…the emptywheel blog post we just read!! Great illustration of why so many folks come to this site, to learn about things that the Big League Media literally are not covering.

  2. harpie says:

    From Heather Cox Richardson’s 8/25/24 “Letters From an American”:
    https://heathercoxrichardson.substack.com/p/august-25-2024

    […] Trump and the MAGA Republicans have not taken the Democrats’ momentum quietly. Trump has been frantically posting. […] [<brutal lol!]

    One other item came from Trump this week, but it got little oxygen with everything else that was going on. Donald Trump Jr. and Eric Trump have been teasing a “big announcement” this month related to cryptocurrency and decentralized finance, or DeFi. On Thursday, Trump announced a new cryptocurrency project called “The DeFiant Ones” and linked to a Telegram channel set up on August 6, the same day Eric posted that such a project was in the works.

    Telegram is a social media app launched by Russian-born billionaire Pavel Durov, and it is the main communications tool in Russia [SEE Anton Gerashchenko Xitter link below]. Durov was arrested today in France on charges that Telegram has been used for money laundering and other crimes.

    https://x.com/Gerashchenko_en/status/1827621486602936562
    4:18 AM · Aug 25, 2024

    After Telegram founder Pavel Durov was arrested, Russian social media share the following thoughts, rumors and panic moods:

    Allegedly, several days ago Durov asked for a meeting with Putin in Baku and was refused. […]

  3. Sussex Trafalgar says:

    Great post!

    And never trust Pavel Durov and his father, Valery Durov. They are members of team Vladimir Putin and Roman Abramovich.

    The French authorities have more courage than the US authorities to prosecute Pavel Durov and Roman Abramovich. I hope they are tenacious in their prosecution of Pavel Durov. And I hope they relentlessly pursue the Abramovich financial connection as well.

    Look for Putin to put pressure on France and the US to exchange Pavel Durov for another American currently in Putin’s gulag.

    • RipNoLonger says:

      Guessing that the suckers “go wrong” will end up in trump’s “go right” bank accounts. (Those accounts will be in hard currencies and outside of US jurisdiction. No stashed crypto for the con!)

  4. Joseph Andrews says:

    Initially, I read this post the way I look at a lot of articles on the ‘net on a Monday morning: with the sound of a TV (and the sound of my wife, teaching yoga via Zoom) on in the background, occupying part of my brain.

    But I realized that this particular post deserved my full attention. So after reading it again (and again, actually), I built my own flow chart in a further effort to bring some clarity to it all.

    Thank you. It is why this website is important to me.

    Now back to the flow chart.

  5. Badger Robert says:

    Amazing post, thanks. For whatever reason, Durov seems to have computed he would be safer in Paris than in Baku. And there is little reason to assume that Durov would agree to be exchanged and returned to Russia.

    • emptywheel says:

      As I alluded to, because Durov has French citizenship (along with Russian, St. Kitts, and Emirati), he can’t be extradited. So the normal RU trick of inventing charges when it wants to thwart charges won’t work.

      But I think it’s premature to say he intended to be arrested in France. I get why people are saying that, it’s possible, the RU panic would support that. But I’m not sure that’s confirmed yet.

      • Badger Robert says:

        Right. We can only speculate on the motivations.
        What are the implications with respect to Russian interference in the USA election?

  6. harpie says:

    Telegram Founder’s Arrest Part of Broad Investigation, French Prosecutors Say
    A case was opened last month to investigate child pornography, drug sales, fraud and other criminal activities on the platform. The app’s founder, Pavel Durov, was detained over the weekend near Paris.
    https://www.nytimes.com/2024/08/26/business/telegram-founder-arrest-france.html
    Aug. 26, 2024, 12:22 p.m. ET [Aurelien Breeden reported from Paris, Adam Satariano from London and Paul Mozur from Taipei, Taiwan.]

    NYT links to a Xitter comment by Macron:
    [NYT: It was an unusual step for Mr. Macron, as French leaders usually refrain from commenting on the early stages of criminal investigations.]

    https://x.com/EmmanuelMacron/status/1828077245606342672
    10:29 AM · Aug 26, 2024 [< ET]

    • SteveBev says:

      Just to clarify for those who don’t want to click through to Xitter, the essential point of Macron’s post was to contradict claims of political influence and emphasise judicial independence
      “The arrest of the president of Telegram on French soil took place as part of an ongoing judicial investigation. It is in no way a political decision. It is up to the judges to rule on the matter.”

  7. Peeping Tom_26AUG2024_1354h says:

    I know little about Telegram and found this thread interesting. The OP says he’s been following TG since 2017, and the thread has links to stories about Telegram’s owners, history, etc.

    https://x.com/YaroslavAzhnyuk/status/1827534635171029099

    [Welcome to emptywheel. Please choose and use a unique username with a minimum of 8 letters. Unfortunately “Peeping Tom” is too common; your name will be temporarily changed to match the date/time of your first known comment until you have a new compliant username. /~Rayne]

    • Rayne says:

      Using an app which shares an entire X thread would be helpful as X doesn’t display the full thread to readers who don’t log into X.

        • Rayne says:

          Thank you for that – I wasn’t certain we’d hear back from Peeping Tom with a link and I don’t log in to my dead bird app account any longer.

          Entry 49 is interesting. Was Durov avoiding windows and tea?

        • EuroTark says:

          Thank you, that one was actually very well worth reading (along with the texty article linked both from Marcy’s post and this thread)

          The biggest question remains why Durov would use France to refuel. Is he avoiding Russian tea or trying to plant a fake discussion about censorship? My money is on the first, for now.

  8. vigetnovus says:

    Interesting timing with regards to what might happen this week. I’d say that while maybe exploiting Telegram didn’t foil the attack fully, it may have made the worst parts of it unlikely to succeed. And I’d be willing to bet the IC had exploited Telegram prior to J6, but to use any of that as evidence would give up sources and methods, hence the need to crack the phones the usual way.

    In my heart, I believe the real plan was to have “Antifa” show up and use that as pretext to invoke the insurrection act. Except that was somehow foiled, certainly arresting Tarrio may have been part of the reason. But maybe the IC also knew more than they have let on.

    • Rayne says:

      LOL it’s like Durov is a warning to Musk and the Trump boys not to fuck around and find out about crypto cybercrime in France let alone the EU.

  9. Savage Librarian says:

    There was also this on Friday:

    “The US has announced new sanctions targeting Russia’s war machine — and says more are coming” – 8/23/24
    …..
    “Included are measures against transnational networks that provide Russia with ammunition, military supplies, and advanced machine and electric components. These networks also help Russian oligarchs circumvent prior restrictions, the Treasury said, and have helped one company launder gold.”

    https://www.businessinsider.com/us-russia-sanctions-war-spending-exports-ukraine-china-banks-treasury-2024-8

    • RipNoLonger says:

      And it’ll just be called a “to-do” list. No mention or thought of “retribution” or “revenge”. Just clean-up is needed in aisle 1.

      And I believe President Harris has a good understanding of the list and the reasons.

    • vigetnovus says:

      Absolutely. I think it’s also a strategic move on his part, if Telegram has been exploited by the IC for some time now, why tip your hand until you absolutely have to?

      I wish this guy could be tried in the US as well, but I’m sure the French justice system will take care of it appropriately.
