Telegram CEO warns EU age app is hackable, can track identities

Telegram CEO Pavel Durov warned the EU’s age-verification app is hackable and could be used to track online identities. He referenced a technical analysis by security consultant Paul Moore that found the system could be bypassed in under two minutes.

Moore wrote that the system can be tricked so the age check is not properly tied to the actual user or their device, and added: “This product will be the catalyst for an enormous breach at some point.”

The European Commission released the first version of the app blueprint in July 2025. The framework was developed as open-source software intended to let users prove they are over 18 without sharing other personal data and to support future interoperability with European Digital Identity Wallets.

European Commission President Ursula von der Leyen described the app on Tuesday as “technically ready” and “completely anonymous,” saying users can prove their age without revealing personal data or being tracked.

Researchers published findings that the system can be bypassed in minutes. After those findings, officials and developers have faced questions about whether the app’s privacy and security promises will hold up in real-world use.

Durov wrote that the design was “hackable by design” and suggested the weaknesses could later be used to expand identity checks across online services. He accused EU officials of turning a privacy-focused measure into a surveillance tool and posted: “The EU bureaucrats needed an excuse to silently start turning their ‘privacy-respecting’ age verification app into a surveillance mechanism over all Europeans using social media.”

Durov has positioned himself as an advocate for free speech and digital privacy. He is also the subject of a judicial investigation in France over allegations related to illegal activity facilitated through Telegram, including organized crime and fraud, and claims that the company failed to cooperate with authorities.

The debate over the EU app is part of wider discussions about how to implement age checks online. Security researchers say balancing anonymity, ease of use and fraud resistance is technically difficult. Because the blueprint is open source, analysts were able to examine its design and point to trade-offs between privacy and technical robustness.

The Commission says the app should be an alternative to sharing identity documents with individual platforms and that developers designed it to avoid storing or transmitting identifying information. Critics point to the technical analysis and warn that vulnerabilities could be exploited at scale.