The domestic Russian ‘super-app’ that could create cross-border security risks

Russia’s MAX app: The platform built to be unavoidable at home poses risks outside Russia’s borders


BANNER: Russia’s new super-app MAX. (Source: Schnelsen Hamburg via Reuters)

A new state-controlled Russian app, MAX, is part of the Kremlin’s broader effort to replace foreign digital platforms with a centralized domestic ecosystem for communications, public services, and everyday online activity. Combining core digital and administrative functions into a single platform, the super-app reflects Moscow’s push towards a sovereign and state-aligned infrastructure integrated into the everyday life of residents. Discussions around the MAX app have largely focused on how it represents the latest instrument in domestic censorship and digital authoritarianism. But the threat posed by the app extends beyond Russia’s borders.

A more strategic question should be asked about its extraterritoriality and potential use outside of Russia. If integrated into foreign digital environments, MAX’s architecture and governance model could allow it to function freely as a mechanism enabling surveillance, coercion, and transnational repression, without relying on traditional infection mechanisms such as malware. The strategic significance of MAX may lie less in its technological sophistication than in the possibility of creating coercive ecosystem dependency: a state-linked space that could become institutionally unavoidable not only inside Russia, but also for diaspora communities, cross-border entities, and individuals abroad operating across Russian-linked social, administrative, and communications networks.

Internet control in Russia has accelerated in the past couple of years, the culmination of several years-long preparatory initiatives. Russia established a legal foundation in 2019 with the passage of the “sovereign internet” law, which created the basis for centralized traffic management and deployment of deep packet inspection infrastructure. In the following years, Russia invested heavily in building nationwide traffic control and censorship capabilities, with a budget estimated at more than half a billion US dollars. Following Russia’s full-scale invasion of Ukraine, authorities escalated restrictions by blocking major Western online and social media platforms, increasing pressure on virtual private networks (VPNs), and enhancing censorship capabilities through nationwide traffic manipulation and filtering hardware.

In the past two years, Russia has moved from selective platform blocking to systemic internet control, attempting to isolate any remaining independent digital spaces, including YouTube and Telegram, while doubling down on its enforcement against VPNs, all while trying to corral users into state-controlled digital ecosystems. In this context, the introduction of MAX is the logical next phase towards a sovereign Russian internet. But treating MAX solely as a domestic threat misses a larger picture: the risk of extraterritoriality in Russia’s digital control matrix.

It’s not just another Russian app

MAX should be understood as state infrastructure, a super-app intended to merge communications, identification, payment, government services, housing, and other everyday administrative functions into a single ecosystem. The app was developed by state-controlled tech giant VK, whose CEO stated that they modeled it on China’s WeChat app. The app’s user interface resembles Telegram.

According to a BBC report, MAX “collects user data including IP addresses and behavioral metrics, and crucially, its privacy policy openly states that data may be shared with third parties and state agencies.” Some experts have assessed that “any data that passes through this application can be considered to be in the hands of its owner, and in this case, the hands of the Russian state.” Because the app operates within Russia’s broader lawful interception and data retention policies, including the System for Operative Investigative Activities (SORM) surveillance infrastructure, data stored by the platform is likely accessible to the Federal Security Service (FSB) and other authorized agencies under Russian law. SORM is Russia’s longstanding lawful interception framework, which enables security services to monitor telecommunications and internet traffic through infrastructure integrated with telecom and digital service providers. Russian legislation has progressively expanded data retention and platform cooperation requirements, obliging providers to store user data and provide access to security authorities under legally defined procedures. This surveillance architecture operates through technical integration with provider networks, allowing the FSB to interact with communications infrastructure through locally installed control systems. In practice, this creates an environment where state authorities can obtain broad visibility into communications-related metadata and other user information held by platforms operating within Russian jurisdiction.

As of September 1, 2025, MAX is required to come pre-installed on new phones sold in Russia. But the Kremlin has also applied other tactics to force its citizens into the app. Authorities ordered banks to stop using Telegram and WhatsApp for client communication, while reportedly pushing universities, schools, and public agencies and their employees to adopt the app. It was “recommended” that leading companies in Russia migrate communications to MAX. Additionally, new legislation requires property managers to communicate with tenants through the app. According to Russia’s Parliamentary Newspaper, the platform is expected to work during times of internet disruptions, making it increasingly difficult to avoid the app. The trajectory of MAX’s release suggests Russian authorities aim to normalize MAX as the default communications layer across everyday life. The impact of this process is the gradual creation of functional dependency on a state-aligned ecosystem.

The app appears to have already caused distrust in Russia, including inside state apparatuses. According to reporting by journalist Farida Rustamova, some Russian officials, distrustful of the app, are buying separate phones and SIMs to install MAX.

Russian military bloggers have criticized the effort to replace Telegram with the MAX app. Moscow gradually limited Telegram from the summer of 2025, before fully shutting it down in April 2026. Despite the block, the messenger app remained accessible through VPNs, with Telegram founder Pavel Durov stating that roughly 65 million users in Russia continue to access the app on a daily basis. Durov also announced a “digital resistance” initiative, stating that Telegram had introduced an update designed to disguise its traffic as Google Chrome browser activity, complicating Russian authorities’ efforts to block the service.

At the same time, Russian investigative platform The Insider found that “despite administrative pressure, MAX had not become a viable alternative to Telegram in Russia by the time of the planned” blocking of Telegram by the beginning of April. Separately, OpenMinds found anomalies in MAX’s channels, with “inflated view counts and rates of view accrual incompatible with normal daily use, suggesting an apparent attempt by authorities to manufacture the popularity MAX has so far failed to achieve on its own.” MAX’s channel architecture closely mirrors Telegram’s system of public and private one-to-many broadcasting channels, where administrators publish content to subscribers inside centralized feeds. Despite similarities in interface, MAX operates within a more tightly regulated governance environment.

How the MAX ecosystem crosses borders

MAX’s expansion beyond Russia’s domestic digital space seems increasingly likely as the platform becomes more integrated into Russian administrative systems and communications, creating new risks for diaspora, international governments, civil society, businesses, and others. Understanding the areas in which such vulnerabilities may emerge is crucial for assessing the broader international security implications:

Diaspora dependency. Many Russians living in the West keep regular contact with family, banks, employers, schools, and government agencies back in Russia. The practical necessity for diaspora communities of maintaining administrative and social ties creates incentives to adopt any dominant or required platforms in their home country. Therefore, the app’s international expansion may unfold less through conventional market growth than through administrative necessity and dependence for people tied to Russia through family, economics, or other ties.

Migrants, students, and occupied territories. Migrant workers, students, dual nationals, and residents of Russian-occupied Ukrainian territories may also become tied to the Russia-controlled MAX ecosystem through employment systems, services, and communications, among other needs. For example, labor migrants from Central Asia who work inside Russia regularly depend on Russian banking systems, mobile networks, digital and other services, while the Russian occupation authorities have increasingly pushed residents of occupied Ukrainian territories into Russian identification, economic, and telecom systems.

Business and institutional exposure. The expansion of the MAX ecosystem may also affect commercial, logistical, and institutional networks outside Russia that remain connected to the Russian economy. Companies and actors involved in logistics and sanctions compliance, energy sector firms, financial and payment intermediaries, research institutions, and intermediaries helping facilitate Russia-linked trade through third countries that do not have a sanctions regime on Russia may be pressured to interact with Russian counterparts via state-approved channels. Such exposure might persist despite Western sanctions as Russia-linked ecosystems continue to operate across international networks.

Cross-border ecosystem expansion. At first, registration in MAX required a Russian phone number, effectively limiting the platform mostly to Russia-based users and networks. However, in March 2026, Moscow announced that registration had become available through telecom operators across forty countries in Latin America, Asia, Africa, the Middle East, and Eastern Europe, significantly expanding the portability of the ecosystem beyond Russian territory. The strategic importance lies not so much in downloads of the app or its international availability as, potentially, in ecosystem dependency. A platform becomes strategically significant when it is hard to avoid: when it is socially required, institutionally rooted, and administratively connected.

Exportable authoritarian tech. Russia did not pioneer the concept of a multipurpose state-owned app integrating communications, payments, and access to state and other services; it is adapting a model developed by China’s WeChat. Such models could become increasingly attractive to authoritarian governments seeking not only more control over domestic information space, but also broader visibility and influence across transnational spaces.

Intelligence value, transnational control

Data harvesting without malware. According to Russian media reports, MAX gathers and keeps user metadata, including IP addresses, contact lists, and timestamps associated with activity, while the privacy policy permits providing user data to state authorities. The threat model raised for MAX centers on metadata aggregation, identity integration, and operation inside Russia’s broader surveillance and lawful interception environment. Its architecture, encryption scheme, and permissions may leave users vulnerable to Russian security and intelligence agencies being granted visibility into location data, behavioral patterns, contacts, and communications. The strategic importance of such data lies in how it can be abused by an authoritarian system. Russian political communications expert Ivan Korzh identified de-anonymization as another risk in this regard, because MAX links communications, contact lists, identification, and public and other services in a state-aligned infrastructure, and anonymity in such an environment becomes nearly impossible. The DFRLab previously reported on the Kremlin’s crackdown on anonymous Telegram channels and various operations to deanonymize and punish critical authors.

Intelligence value. Metadata can have considerable intelligence value by revealing patterns of human behavior, movement, relationships, and institutional connectivity. Communication frequency, travel patterns, and timing data, among other things, can allow Russian authorities to map diaspora communities, trace networks of activists and journalists, and monitor cross-border relationships. Such information may become particularly valuable when combined with state-linked identity systems and databases. This kind of access by Russian authorities can also contribute to recruitment for intelligence purposes and make MAX operational for intelligence targeting, as identity-linked data and social graph visibility could plausibly create conditions for such activities. Even those who will never install MAX themselves may become indirectly visible.

Transnational repression. The expansion and potential exposure discussed above raise concern about transnational repression: the use of surveillance, intimidation, and coercion against individuals living outside of Russia. For Russians abroad, especially for anti-war activists, dissidents, defectors, journalists, and other targeted groups, digital dependency on Russian platforms, either with their own account or accounts of relatives or contacts based in Russia, may create vulnerabilities extending beyond standard privacy concerns.

Influence. The centralized infrastructure of MAX may increase Russia’s ability to shape information environments. This may extend beyond Russian borders. The Russian diaspora living abroad, as well as the other groups described above that would rely on Russian digital infrastructure, could become more exposed to centralized narratives and state-managed information flows operating across borders. Similar to Telegram, MAX includes public and private broadcasting channels through which administrators distribute information to subscribers.

Why MAX requires closer scrutiny

The strategic importance of MAX lies in the political, legal, and technological environment in which it operates. Here, the significant lens through which to view MAX’s trajectory is whether state-linked digital ecosystems operating inside authoritarian systems can generate forms of coercive ecosystem dependency, visibility, and influence extending beyond national borders.

A significant part of the current discussion around MAX is focused on Russia’s domestic censorship. But the app’s evolving architecture, international expansion, and integration ambitions suggest the need for broader scrutiny from Western policymakers, security institutions, and the research community. As Russia continues consolidating sovereign digital infrastructure, understanding how such ecosystems may operate beyond the country’s borders is likely to become an increasingly important strategic and policy question.

To start addressing potential risks associated with MAX, the following initial steps should be taken:

First, there is a need for considerably more research and monitoring of how state-aligned digital ecosystems expand beyond domestic environments through diaspora networks, migration systems, and cross-border commercial relationships, among other forms.

Second, governments, civil society organizations, and private-sector actors operating within Russia-linked environments would need to assess the risk of engaging with such platforms as part of their broader institutional risk-assessment and digital-security frameworks.

Third, increasing attention should be dedicated to transnational repression risks from identity-linked state-controlled digital ecosystems that may create new vulnerabilities for surveillance, coercion, or intimidation of various groups.



Cite this case study:

Eto Buziashvili, “How a domestic Russian ‘super-app’ could create cross-border security risks,” Digital Forensic Research Lab (DFRLab), May 21, 2026, https://dfrlab.org/2026/05/21/how-a-domestic-russian-super-app-could-create-cross-border-security-risks/.