Compromised from Within: The Unauthorized Restoration of TorGuard’s Telegram Channel

TorGuard
16 min read · May 18, 2023


This is the comprehensive, substantiated account of how TorGuard’s deleted Telegram Channel was improperly resurrected and handed over to a known fraudster, by a paid insider at Telegram. We bring forth irrefutable evidence, shedding light on this disturbing violation, which calls into question the integrity of Telegram’s internal security mechanisms.

Trust, once fractured, is like broken glass. You can attempt to repair it, but the cracks remain visible, forever.

UPDATE: We published Part 2 clearing up our misunderstanding of channel deletion on Telegram.

In October of 2022, TorGuard found itself responding to a critical situation in Iran. Thousands of Iranian users had fallen victim to a devious scam by a Telegram channel dubiously named “VPNclub”. During a period of profound internet restrictions in the country, this channel was ruthlessly exploiting and stealing money from the Iranian people, while masquerading as an official TorGuard reseller. After receiving thousands of complaints through email, we were compelled to intervene.

Empowered by the issuance of Iran General License (GL) D-2 by the U.S. Department of the Treasury, we were able to bring our VPN services to the Iranian market officially. This license, aimed at bolstering internet freedom in Iran, had realigned U.S. sanctions guidance with the nuances of contemporary technology. It offered us the opportunity to step in and attempt to restore open internet access to a region that was being alarmingly isolated.

The internet blockade in Iran, home to some 80 million citizens, was not just a digital inconvenience. It was a human rights violation, enacted to blind the world to Iran’s oppressive handling of peaceful protests triggered by the tragic death of Mahsa Amini, while under the custody of Iran’s Morality Police.

Understanding Telegram’s extensive reach in Iran, despite its low popularity in the U.S., we established an official TorGuard channel on the platform. Our aim was simple — to provide a safe, trustworthy avenue for Iranians to maintain internet access and signup for TorGuard. At first it seemed like a good alternative since the official torguard.net domain is blocked in Iran.

However, this mission was fraught with unexpected challenges. As we endeavored to uphold digital rights, we found ourselves locked in combat with numerous unauthorized VPN sellers operating on Telegram, most notably “VPNclub” aka wbnet.

The ensuing months provided us with eye-opening exposure to the alarming vulnerabilities of conducting business on a platform that prided itself on privacy and encryption. It was an uphill battle, made more challenging by the lack of accountability and silence from Telegram.

However, we were not alone in this endeavor. Along the way, we were assisted by dedicated security researchers and insiders who helped us counteract the systemic corruption. They offered us insight into a clandestine “paid access” program, where money could procure insider privileges from Telegram employees.

This narrative provides a detailed account of our experience, bolstered by undeniable evidence, to expose the breach that should concern any user trusting Telegram with their privacy and security. As we delve into this, TorGuard extends our deepest gratitude to those who stood by us during this journey, their assistance has proven invaluable in our fight for internet freedom. We will forever be thankful to each and every one of you.

The VPNClub (wbnet) Problem

As we peel back the layers of our story, we must begin with an introduction to the Telegram channel at the center of this tale — “VPNclub”. Operating under the guise of a Telegram based VPN service provider, VPNclub has a notorious history marred with manipulative practices and fraudulent activities. Its dubious reputation precedes it, having left a trail of scammed users in its wake. Aided by the veil of the internet and the anonymity that platforms like Telegram offer, VPNclub exploited and deceived users, particularly in Iran, to an alarming extent.

This is only one example from the thousands of email complaints we received from users.

The extent of VPNclub’s misdeeds came to our attention through a deluge of communication from users — thousands of emails, hundreds of Telegram messages, and daily Twitter alerts warning us about this scamming operation. This avalanche of messages painted a grim picture of the relentless exploitation endured by innocent internet users. People were taken advantage of in their most vulnerable moments — their desperation for unfettered internet access amidst stringent governmental restrictions.

VPNclub’s deceitful tactics involved a fraudulent scheme intricately designed to exploit TorGuard’s goodwill. It began with the misuse of our 7-day free trial program, which they brazenly resold as paid 1-year accounts. Users, oblivious to the deception, would find their service abruptly terminated after the free trial period. VPNclub, having pocketed the payments, would conveniently ignore the bewildered customers’ inquiries, leaving them without the service they paid for and without a refund.

The severity of this abuse compelled us to take the unprecedented step of discontinuing our free trial program, a service aimed to provide value to potential customers. This move, however, did not deter VPNclub; it simply forced them to modify their devious tactics.

VPNclub then shifted to purchasing 1-month VPN accounts from us and selling them as 1-year accounts. But their duplicity didn’t end there; each VPN account, designed to accommodate 8 simultaneous connections, was sold to upwards of 20 individuals. This overselling led to an inevitable connection bottleneck. Once the connection limit was reached, the remaining users found themselves unable to log in, causing mass confusion and frustration.

Profiting off their own countrymen’s desperation for open internet access, VPNclub amassed substantial illicit gains through this scheme. Meanwhile, scores of perplexed Iranian users approached us, under the impression they had purchased from an authorized TorGuard seller. This misconception was fueled by VPNclub’s audacious claims that they had TorGuard’s express permission to resell our services. They even went as far as stating that they had direct discussions with TorGuard’s CEO to establish this agreement of participation — a complete fabrication.

As months rolled on and fraudulent activities escalated, Iranian TorGuard users inundated Telegram support with tens of thousands of complaints reporting this malicious scheme. We took every measure within our means to bring this to Telegram’s attention. Our legal team sent multiple formal complaints detailing the extent of the fraud; we reached out through Twitter, urgently asking for intervention against this flagrant scam. Yet, much to our dismay, our calls for action fell on deaf ears. We never received a single response from Telegram, and shockingly, the VPNclub channel continued to operate unhindered, without even a “scam label” to warn unsuspecting users of the imminent financial risk.

A repackaged TorGuard app that was distributed on VPNClub on Telegram

The financial fraud perpetrated by VPNclub was not the only concern; the group also posed a severe threat to user privacy. VPNclub members repurposed an outdated seven-year-old TorGuard Android app, recompiling it to work with modified servers under their control. Customers who unsuspectingly bought these servers thought they were purchasing resold TorGuard accounts; they had no idea they were entrusting their Internet traffic to a known scammer. This deceit not only placed them at risk of man-in-the-middle attacks and potential logging of their internet activities, but it could also have put their personal safety in jeopardy.

We tried to find the most flattering picture of the VPNClub owner, Moslem Motaghi.

Trust is the cornerstone of any VPN service, and it becomes clear that those engaging in such fraudulent practices are the last ones you would want to entrust with your internet traffic. So who exactly is behind VPNclub? His name is Moslem Motaghi, an Iranian man known on Telegram as https://t.me/Aghay_halo.

CCCLUB, Moslem’s Telegram school for carders and identity thieves.

Surprisingly, Moslem didn’t begin his deceitful endeavors by exploiting his fellow Iranians. He has a long history of running various scams, including a Telegram group named ‘ccclub’ that taught users how to commit credit card fraud. His nefarious operations ranged from schemes that defrauded the U.S. government through fraudulent SBA loans to extracting money from CashApp using stolen credit card details. His activities even stretched to identity theft for siphoning money from online bank accounts and operating a fraudulent import business that used stolen data to buy products from Amazon outside Iran, smuggle them into the country, and then resell them at exorbitant prices.

One might imagine that a figure with such a checkered past, especially when faced with an avalanche of daily scam reports and complaints from Telegram users, would be due for some form of corrective action by the platform. However, astonishingly, Moslem’s Telegram channels remain active and unscathed to this day, operating with unfettered impunity. Despite the countless alerts sent to the platform, Telegram displayed a baffling indifference to the ongoing malicious activities.

Something is Not Right.

TorGuard’s CEO harbored suspicions about Telegram’s inaction, suspecting that it was rooted in more than just flawed email configurations or under-staffing issues. Persistent rumors of a covert pay-to-play program led by Telegram employees instigated thoughts that VPNclub might have bought its way into this exclusive circle, effectively bribing Telegram insiders to dismiss abuse reports and turn a blind eye to the weekly deluge of complaints. Reports of dark web vendors offering six months of access to Telegram user messages for a hefty sum of $30,000 only fueled these suspicions, as did the recent re-accessibility of Telegram in Russia following a hush-hush agreement with the Russian Federal Service for Supervision in Telecom, Information Technologies, and Mass Communications.

Driven by intuition and mounting evidence, TorGuard’s CEO decided it was time to torch the Official TorGuard Telegram channel and the associated signup bot for Iranian users. On April 17th, 2023, he pulled the plug. Telegram’s channel deletion process, with its multiple warnings and clear indication that the action was “irreversible,” seemed unequivocal, with all data set to be purged from their cloud servers within 48 hours. The company shifted its focus towards building a new secure signup process and a self-hosted private RocketChat platform on domains that are accessible inside Iran.

However, just four days later, an alarming revelation corroborated the CEO’s hunch. On April 21st, 2023, the team was aghast to discover that the very Telegram channel they had deleted was entirely restored, complete with its original channel message history and 12,000 followers. Adding fuel to the fire, the TorGuard bot username was back in action, accepting payments and selling TorGuard services. To top it all off, the new controller of the channel was none other than Moslem Motaghi.

Moslem, no stranger to provoking our team via email, reveled in his newfound control, blatantly defrauding users under our name, seeking to tarnish our reputation and turn us into a scam in the eyes of the public. Over the next two days, numerous Iranians fell prey to his deception, fostering fear and confusion about their online safety. We were left in a state of utter bewilderment; the channel’s restoration four days post-deletion directly contravened Telegram’s own privacy policy, and it had been handed over to a notorious scammer. Despite our multiple attempts to reach Telegram support, we again received no reply.

At this low point, feeling the weight of an entire platform seemingly bent on our destruction, a beacon of hope emerged in the form of an unlikely ally: a VPNclub insider who disapproved of the underhanded actions. This individual seized control of the channel, returned it to us, and refunded each defrauded user. However, during the transfer of the channel admin’s phone number, the TorGuard Telegram channel lost all administrative rights, leaving it without an admin overseer. This is significant to note, as only the TorGuard CEO and the insider were aware of the channel’s admin-less state.

Zheka and The Golden FX Bot

After experiencing such a disheartening incident, TorGuard could have abandoned its course, but instead, our team channeled their frustrations and responded with renewed determination. Facing unprecedented VPN-blocking crackdowns by the Iranian firewall, we re-engineered our V2Ray proxy service, employing a novel method hidden behind multiple CDNs, expanded the IP pool, added hundreds of new servers, and deployed a localized firewall CDN IP testing tool, effectively rendering our service undetectable by the Iranian firewall’s DPI sensors.

In the weeks that followed, the response and demand were astounding, propelling the growth of our new V2Ray service. The gratitude expressed by countless Iranians was overwhelmingly supportive, inspiring us to continue fighting for the right to unrestricted internet access in Iran. This surge in new customers also helped illuminate the murky underbelly of clandestine pay-to-play arrangements on Telegram. Soon after re-launching this new service, another brave VPNClub insider reached out to us and revealed Moslem Motaghi’s secret conduit with Telegram employees: a covert Telegram bot that orchestrated the resurrection and hijacking of our deleted Telegram channel.

This insider disclosed detailed procedures, communication rules, and strategies to garner the attention of the elusive Telegram contact. Given Telegram’s continuing disregard for our inquiries and its failure to provide an explanation for the incident, TorGuard’s CEO made a daring decision: to penetrate this secret channel by assuming the guise of Moslem Motaghi.

The provided instructions were precise: first, TorGuard’s CEO set up a burner phone and initiated his covert operation. This Telegram contact could only be reached through a Telegram bot, the “FXGolden Bot,” yet ironically, actual communication took place via another messenger app. The bot served a singular purpose: to procure a Session app ID. The insider stipulated that all contact should be made via a new Session app ID, obtained through the bot. The FX Golden Bot, made to look like a customer support avenue for a non-existent “FXGolden” investment app, revealed nothing of its true purpose. The secret bot command to summon the insider, /zhk, was the only way to break the silence.

One week ago, TorGuard’s CEO, in his Moslem guise, sent the secret command via the bot, which responded with a lengthy session ID. After procuring the session ID, he switched to the Session app, assumed the name “Aghay Halo” and ventured into the unknown. Masquerading as Moslem and struggling to imitate broken English, he initiated the conversation with a casual, “Hello bro.” To his astonishment, the insider reciprocated. The conversation that ensued, documented in the unaltered images below, provides compelling evidence of these clandestine dealings. Since the Session app disallows screenshots, TorGuard’s CEO resorted to capturing the exchange with a secondary device, thereby preserving this extraordinary encounter. The CEO’s strategy was twofold. He would mimic Moslem’s fear of having his illicit connections exposed, and simultaneously appeal to the Telegram insider to delete the TorGuard Telegram channel. This tactic was designed to both establish trust and achieve an imperative objective.

/zhk pings Zheka to obtain Session chat app ID
“Hello Bro”
Zheka admits to deleting complaints from the VPNClub channel.
Zheka sees there is no active admin, confirming this person does have access to Telegram systems.
Zheka requests $4K payment for channel deletion in shitcoins, and also asks for $750 Moslem owes from previous Monday request.
We employed a blockchain researcher to trace the payment, who was not available until the following afternoon. After we made an excuse that our exchange was locked, Zheka agreed to accept Litecoin. Our blockchain researcher confirmed the LTC wallet address belongs to the exchange MEXC.com.
Zheka charges $3K for verification. Zheka sees the TorGuard Bot ID that was converted to a Channel. However, can Zheka see the Channel owner username?
Zheka can see a balance of $20,810 in Moslem Motaghi’s Telegram wallet.
We paid $4K, not going to pay another $1,750 at this point.
Zheka correctly identifies the @TorGuard_CEO Telegram user as admin of the TorGuard_Iran_bot channel. Only a Telegram employee can see the username of a channel admin.
Zheka discovers we are not Moslem Motaghi :)
Name of insider blurred, we name Zheka’s exchange.

How “Zheka” Proved They Were a Telegram Employee, or worse.

In the clandestine exchanges between TorGuard’s CEO and Zheka, the latter provided compelling evidence of his elevated access and insights into the Telegram platform, which couldn’t be achieved by ordinary users. Initially, Zheka astutely identified the TorGuard Telegram Channel’s current lack of admin, a detail indiscernible to the public. This was followed by Zheka accurately pinpointing the renaming of the TorGuard_Iran_Bot username, and even correctly identified the exact identity of the channel owner as TorGuard_CEO. Such potentially invasive intrusions into user privacy could present serious risks to Telegram channel administrators who operate under the belief that their identities are secure.

Recent reports have suggested that Rostec, a Russian corporation, acquired a platform called “Okhotnik” or “Hunter,” which ostensibly unearths the identities of anonymous Telegram users. This is presumably to counter unfavorable narratives emerging out of Russia. It is believed that “Hunter” employs over 700 data points collected from diverse sources, including social networks, blogs, instant messengers, forums, bulletin boards, cryptocurrency blockchains, darknet, and governmental services. These data points encompass names, nicknames, email addresses, websites, domains, crypto wallets, encryption keys, phone numbers, geolocation info, IP addresses, and more.

Rostec purportedly plans to vend “Hunter” to all departments of Russia’s Ministry of Internal Affairs and the operational and technical units of the Federal Security Service (FSB) within 2023. However, a seasoned IT expert from Roskomsvoboda, a digital rights protection organization in Russia (labeled as a foreign agent by the country’s Ministry of Justice since December 2022), has expressed skepticism over “Hunter’s” methodology. The expert proposes that the tool either exploits a zero-day vulnerability in Telegram or colludes with an internal element within the company to de-anonymize users.

A Telegram spokesman confirmed to bleepingcomputer.com that:

“Telegram does not allow any means of identifying the admins of channels through the apps or through the API. Channels were designed with this in mind to facilitate pro-democracy movements in authoritarian countries and protests worldwide.”

Given the ease with which TorGuard’s CEO managed to engage with a Telegram insider — who effortlessly revealed intricate details such as the exact owner of the channel, the last login time, wallet balance, and more — it appears plausible that “Hunter” might not utilize a sophisticated network of data points but simply benefits from insider access at Telegram through compromised employees. This incident should serve as an urgent call to action for all Telegram users, especially those who rely on it for secure communication and privacy in high-stakes environments.

Zheka Makes an Offer to Forget this Happened

In a surprising turn of events about an hour after Zheka ceased communicating over Session messenger, they reestablished contact, this time via the GoldenFXbot. Zheka was evidently desperate to erase any traces of the incident, going to great lengths to convince TorGuard to forget everything that had transpired. Zheka explained that the payment had been meticulously shuffled across the exchange in a bid to stifle any potential tracking and offered to not just return the funds, but to pay even more — essentially, any amount that we might demand. We turned this down.

Another proposition from Zheka was the prospect of finally taking down the TorGuard Telegram Channel. However, they cautioned that this process could take a couple of weeks due to the sensitivities surrounding TorGuard within Telegram. This was largely because of the relentless barrage of complaints Telegram has been receiving due to channels that exploit the TorGuard brand name to defraud Telegram users.

Unexpectedly, Zheka confessed to being a Telegram employee, expressing their apprehensions about stirring any trouble that could potentially cost them their job. And it’s not hard to see why. From our estimates, even an entry-level position at Telegram could potentially rake in an extra $50K per month or more in cryptocurrency income by selling insider access, if they can pull it off without getting caught.

But when their initial offers failed to convince us, Zheka even proposed acquiring the banned “@TorGuard” username or channel for us. However tempting that might be, TorGuard has decided to never go back to using Telegram as an active promotional platform given the immense privacy risks it presents to our users. Plus, our Telegram burner phone now resides in a Faraday bag, only taken out for a few fleeting moments at a time.

Some of Zheka’s proposals, sent via the GoldenFXbot, are captured in the screenshots below:

Zheka claims Telegram never responds to us because they are Russian.

Moslem Motaghi also got in touch with us, true to his typical style of taunting. But this time, he seemed notably agitated that we had spoken with Zheka. He proposed a rather audacious offer — if we were to pay him $2,000 per month, he would cease selling TorGuard VPN. Yes, it was indeed as laughable as it sounds.

Without wasting any time, he returned to his old maneuvers. He set up local bridge servers in Iran, which were designed to tunnel traffic out to TorGuard servers via accounts he was attempting to acquire. However, his schemes were short-lived as these accounts were promptly shut down soon after he emailed us.

Conclusion

In conclusion, this harrowing account is a stark testament to the multifaceted risks associated with reliance on digital platforms, particularly those that can be compromised from within. While VPNClub, spearheaded by Moslem Motaghi, defrauded its customers by peddling tampered versions of TorGuard VPN, it was the seeming involvement of Telegram’s own employees that introduced a new layer of threat.

Telegram, a platform that many individuals and companies rely on for secure communication, was allegedly manipulated by its own employees in order to support Motaghi’s activities. This led to a cascade of illicit activities, from allowing the fraudulent VPNClub to thrive, to ignoring abuse reports and user complaints, to even restoring a deleted Telegram channel against all policy rules.

Indeed, the key takeaway from this cautionary tale is that no matter how secure a platform may appear, its integrity ultimately lies in the hands of the individuals who maintain and operate it. If those individuals can be bought or bribed, the platform’s security and trustworthiness are fundamentally undermined.

As the world becomes increasingly digital, it is crucial for both individuals and organizations to scrutinize not only the technical security features of a platform, but also the reliability and ethics of those running it. Unscrupulous insiders can turn a theoretically secure platform into a weapon against its users, inflicting damage that can range from financial losses to breaches of privacy.

This story serves as a stark reminder of the dangers inherent in placing blind trust in any platform. It underscores the importance of rigorous due diligence, ongoing scrutiny, and a healthy level of skepticism when entrusting our data to digital platforms. It’s a wake-up call for all of us to be more vigilant and mindful about our digital interactions and the platforms we use.
