Telegram CEO Pavel Durov publicly challenged the European Union’s new age-verification app on Friday, warning that security flaws in the system could give regulators a pretext to expand identity tracking across European social media platforms. The supporting evidence appears in the cited X post.
His comments followed European Commission President Ursula von der Leyen’s declaration earlier that week that the tool is “technically ready” and “completely anonymous.”
The pushback centers on an analysis by security consultant Paul Moore, who posted on X that the app can be bypassed in “under two minutes” after examining its technical design. Moore warned the system could be tricked so that an age check is never properly tied to the actual user or device, calling it a future “catalyst for an enormous breach.”
Hackable by Design, Durov Says
Durov went further, writing on X that the app is “hackable by design” and arguing that its weaknesses are not incidental but structural. He contended that EU officials could use those very flaws as justification to strengthen the system over time, gradually converting a privacy-branded tool into a surveillance mechanism.
“The EU bureaucrats needed an excuse to silently start turning their ‘privacy-respecting’ age verification app into a surveillance mechanism over all Europeans using social media,” Durov wrote. The statement frames the technical vulnerabilities as a political risk, not just a product defect.
Von der Leyen had promoted the app on X earlier this week, describing it as a way for users to prove they are over 18 without disclosing personal data or being tracked. The European Commission released a formal statement backing those claims, framing the tool as an open-source project designed for interoperability with European Digital Identity Wallets.
Broader Stakes for Digital Identity Infrastructure
The dispute carries real weight beyond age-gating. Age verification systems are being rolled out or debated in multiple jurisdictions, and the technical architecture being chosen now will shape how identity is managed online for years.
If a system built to be privacy-preserving proves trivially bypassable, it sets a poor foundation for the broader digital identity infrastructure regulators envision.
For crypto and Web3 platforms operating in Europe, the implications are direct.
Many decentralized applications and exchanges already navigate Know Your Customer requirements, and a pivot toward compulsory device-level identity verification would add new compliance pressure on platforms that have built their user experience around pseudonymity.
Durov’s broader credibility on this issue is complicated. He remains under judicial investigation in France over allegations tied to illegal content facilitated through Telegram, including organized crime and fraud, as well as claims that the platform failed to cooperate with law enforcement.
Critics argue that framing is self-serving, while supporters point out that surveillance concerns are legitimate regardless of the messenger.
The European Commission first published a blueprint for the age-verification framework in July 2025, positioning it as a privacy-first tool ahead of wider Digital Identity Wallet integration. Whether the security flaws identified by independent researchers will delay or alter that rollout remains to be seen.
Not Financial Advice: This article is for informational purposes only. Crypto investments are highly volatile. Always do your own research.
