
The 10 Best Telegram Chat Groups and Channels on the Dark Web

Written by Alexander Chapellin | Apr 30, 2025 7:12:41 PM

When WhatsApp announced its controversial privacy policy update in January 2021, millions of users began searching for more secure alternatives. Telegram quickly emerged as the top choice, thanks to its focus on privacy, encryption, and the ability to create large groups without sharing personal information.

However, this same appeal did not go unnoticed by cybercriminals. The platform soon became a key node in the Dark Web ecosystem, where malicious actors found the perfect environment to operate with a certain degree of anonymity.

Hacker groups, underground markets, and ransomware networks began using Telegram to distribute stolen data, sell hacking tools, and coordinate illicit operations. For a long time, the lack of strict moderation allowed these communities to grow unchecked, turning the app into an extension of Dark Web forums. Although in recent years the platform has taken steps to crack down on these activities, it remains a central hub in the world of cybercrime.

 

What Happens in the Darkest Telegram Channels?

 

Telegram has become a key tool for cybercriminals thanks to its massive group capabilities, encryption features, and user anonymity. Many of these channels operate almost like Dark Web forums, facilitating the exchange of stolen data, hacking tools, and all kinds of illegal services.

Within these groups, you can find activities such as:

 

  1. Sale of stolen data, ranging from login credentials and credit card information to entire corporate databases.

  2. Distribution of malware, ransomware, and ready-to-use hacking tools.

  3. Coordination of DDoS attacks and hacktivist campaigns targeting governments, banks, and large corporations.

  4. Discussion of security vulnerabilities, identification of potential targets, and leaking of sensitive information.

  5. Use of exclusive private groups where "trusted" members exchange even more sensitive services and data.

  6. Deployment of automated bots to distribute malware and steal credentials without human interaction.

  7. Hacking-for-hire services, such as system intrusions, data breaches, or website defacements.

Despite all of this, Telegram is just one piece of the broader Dark Web ecosystem. Malicious actors use multiple platforms to coordinate, sell information, and launch cyberattacks. That’s why companies and organizations must remain vigilant about these underground networks, as a data breach or financial fraud can begin with a simple conversation on Telegram.

 


 

1. vx-underground: The Ultimate Malware Archive

 

vx-underground is a well-known name in the cybersecurity community. It is a platform that compiles a massive collection of malware samples, research articles, and threat analyses—making it a key resource for researchers and hacking enthusiasts.

Since its creation in 2019, vx-underground has gained recognition for hosting one of the largest online malware repositories. Its activity isn’t limited to Telegram—they also operate on Twitter and their official website, where they share information about new security breaches, malware trends, and verified threat reports.

On their Telegram channel, which has over 43,000 subscribers, you can find everything from technical reports and malware source code to data breach analyses. While vx-underground is not a cybercriminal group per se, its content is highly technical and can serve both as an educational tool for security professionals and, potentially, as inspiration for malicious actors.

 

 

2. Moon Cloud: The Black Market for Stolen Credentials

 

Moon Cloud is a Telegram channel specialized in distributing stolen credentials. With over 20,000 members, this community shares compromised databases containing usernames, passwords, email addresses, IP addresses, and more.

In their bio, they describe themselves as “the largest and most versatile cloud on Telegram”, where logs extracted from other cybercrime channels are posted for easy access. Their operation is based on a mixed model—offering both free and paid services—and they claim to add more than 2,000 new logs daily, collected from various sources, including specialized malware like LummaC2 and Stealc.

Moon Cloud is a clear example of how cybercriminals have turned Telegram into a hub for the trade of stolen data. This poses a serious risk to both individuals and organizations, as such credentials can be used in account takeovers, financial fraud, and unauthorized system access.

 

 

3. NoName057(16): Pro-Russian Hacktivism and DDoS Attacks

 

NoName057(16) is a pro-Russian hacker group that emerged in March 2022, amid the Russia-Ukraine conflict. They have gained notoriety for their DDoS attack campaigns targeting Ukraine, NATO countries, and allies of the Ukrainian government.

The group operates several Telegram channels, the most notable being the DDoSia Project, where they recruit volunteers to carry out coordinated DDoS attacks. In return, participants receive cryptocurrency rewards, incentivizing involvement in these cyber offensives.

Although Telegram recently shut down their main channel due to updated platform policies, the group quickly reorganized and has regained over 1,900 subscribers, compared with a peak of more than 30,000 members.

NoName057(16) is a clear example of how Telegram continues to serve as a critical tool for hacktivist groups and politically motivated cyber operations, leveraging the platform’s anonymity and ease of communication.

 

 

4. RipperSec: Pro-Palestinian Hacktivism and Cyberattacks

 

RipperSec is a pro-Palestinian hacker group from Malaysia that appeared on Telegram in June 2023. With over 5,100 subscribers, this group has focused on launching attacks against Israel and its allies, and has also collaborated with pro-Russian threat actors.

While their specialty is DDoS attacks, they have also conducted website defacements and intrusions into SCADA systems (industrial infrastructure), aiming to cause disruption and amplify their political message.

One of their most well-known contributions is MegaMedusa, a Layer 7 DDoS tool based on Node.js. What makes MegaMedusa noteworthy is that it enables large-scale attacks without requiring advanced technical skills, making it accessible to anyone with malicious intent. It runs on Debian, Ubuntu, Kali Linux, Termux, and Windows, making it a popular tool in the hacktivist ecosystem.

 

 


 

5. Observer Cloud: The “Google Drive” for Stolen Credentials

 

Observer Cloud is a Telegram channel with over 12,700 subscribers, dedicated to collecting and republishing leaked credentials from various sources. Since its launch in April 2022, it has become a centralized access point for stolen data—essentially functioning as a kind of Google Drive for cybercrime.

In addition to sharing leaked records, the channel also offers custom scripts, scammer lists, and discussion groups, where members can exchange information and engage in transactions related to compromised databases.

To cover themselves legally, their bio claims that all shared content comes from open sources on the internet, and that their purpose is educational. However, in practice, Observer Cloud serves as a critical node in Telegram’s Dark Web ecosystem, providing easy access to stolen data belonging to thousands of individuals.

 

 

6. Omega Cloud: The Real-Time Credential Market

 

Omega Cloud is another Telegram channel focused on log distribution, but with an even more sophisticated approach. With over 6,200 subscribers, this platform offers both free and paid services, allowing access to real-time stolen credentials.

Its catalog includes data harvested via infostealer malware, such as passwords and access tokens for Google Ads, YouTube, and other popular services. Although Omega Cloud operates globally, it primarily targets the United States, Canada, Europe, and Brazil. The channel offers two main services:

 

  1. Live Traffic – delivers logs in real time as soon as they are stolen.

  2. Private Cloud – provides access to up to 5,000 logs per day, totaling around 120,000 logs per month.

 

Currently, the channel claims to have a database of over 2 billion records available via a subscription-based model, making it one of the most active sources for buying and selling stolen credentials.

 

 

7. Data Leak Monitoring: A Radar for Breaches and Cyberattacks

 

This Telegram channel specializes in tracking data breaches and cybercriminal activity, particularly those linked to ransomware groups and underground forums. With more than 23,400 subscribers, it operates as a news hub for security violations, sharing updates on compromised data and ongoing threats.

In short, it is a space where stolen databases, leaked credentials, and exploited vulnerabilities are collected and shared, becoming a key reference point for those who closely monitor the world of cybercrime and cybersecurity.

 

 

8. BidenCash CVV: A Stolen Card Market on Telegram

 

BidenCash is a well-known black market on the Dark Web where stolen credit card data is bought and sold. To expand its reach, the group has created a Telegram channel named BidenCash CVV, where they post real-time updates on compromised card data discovered across hacker forums, Telegram, and Discord.

Some posts even display full card numbers and financial details, clearly showing the level of exposure these data sets face online. BidenCash claims to penalize sellers who post the same information on open sources, thus preserving the “exclusivity” of its market.

This channel highlights how stolen financial data circulates through the Dark Web and Telegram, reinforcing the platform’s role in the distribution and monetization of illegal information.

 

 

9. EMP/mailpass/sqli Chat: A Global Cybercrime Forum

 

Originally launched in April 2019 as a Russian-speaking community, EMP/mailpass/sqli Chat has since evolved into an international Telegram group focused on data breaches, financial fraud, and hacking techniques. It currently hosts over 5,600 active members. Unlike more specialized groups, this channel covers a wide range of topics, including:

 

  1. Sale of stolen accounts from streaming services, social networks, and VPN providers.

  2. SQL injection techniques used to extract databases from vulnerable websites.

  3. Exchange of leaked credentials obtained via malware or security breaches.

  4. Sale of private databases containing sensitive information, traded for money.

 

This channel acts as a marketplace and learning hub, where cybercriminals share knowledge, refine techniques, and commercialize stolen data.

 

 

10. Dark Storm Team: Hacktivism and Large-Scale Cyberattacks

 

Dark Storm Team is a pro-Russian and pro-Palestinian hacker group known for its cyberattacks against countries including Israel, France, Egypt, Denmark, the UAE, and the U.S. They have collaborated with other actors like Anonymous Sudan, launching coordinated DDoS attacks and strategic hacks.

Their main focus is hacktivism, targeting victims aligned with their political agendas. However, they also offer hacking-for-hire services, including:

 

  1. DDoS attacks on high-profile websites.

  2. Leaking databases from banks, airports, and other major institutions.

  3. Selling stolen data in exchange for cryptocurrency payments.

Despite having their Telegram channels shut down multiple times for violating platform rules, Dark Storm Team consistently manages to resurface and continue operating. Their resilience demonstrates how cybercriminal groups adapt and evolve, using Telegram as a critical tool for coordinating and executing attacks.

 

 

Conclusion

 

Telegram has evolved into an extension of the Dark Web, where stolen data, hacking tools, and illegal services are openly traded. This poses a growing risk for both companies and individuals, as data leaks can lead to fraud, cyberattacks, and identity theft.

To mitigate these risks, Dark Web monitoring has become a critical cybersecurity strategy. It allows organizations to detect breaches, identify threats, and anticipate attacks before they cause real damage.

TecnetOne’s cyber patrol service helps companies stay one step ahead by monitoring the Dark Web in real time to detect data leaks, threats, and potential attacks before they escalate. Through this proactive surveillance, organizations can protect their data, reduce exposure, and strengthen their defense against cybercrime.