In the wake of Edward Snowden’s revelations concerning government surveillance, Telegram launched in 2013, championing the mission to safeguard private conversations and data from third-party intrusion. Since its launch as an anonymous chat application in 2013, Telegram has attracted many cybercriminals. In fact, Kaspersky noted that in the spring of 2024 there were 53% more posts discussing fraud, distributing leaked databases, and trading various criminal services than there were in the same time period of 2023.
This emphasis on privacy, combined with features such as end-to-end encryption, anonymous usernames, and the ability to forward messages without revealing the original sender, established Telegram as a secure communication platform.
The built-in anonymity and encryption make it difficult to trace the origins of illicit content, identify threat actors, and understand the full scope of their activities. This necessitates the development of advanced analytical techniques and tools to effectively monitor and analyze the vast amounts of data exchanged within these encrypted environments. The ephemeral nature of some Telegram communications, such as self-destructing messages, adds another layer of complexity to threat intelligence efforts, requiring real-time monitoring and analysis to capture and preserve crucial information.
The ability to create large, private groups and channels further amplifies the challenge, as threat actors can operate within these closed ecosystems with minimal risk of detection. Therefore, cybersecurity professionals must continuously adapt their strategies and methodologies to counter tactics that exploit Telegram’s privacy features for illicit purposes. To enhance their personal OpSec, threat actors often employ virtual phone numbers and encrypted messaging within Telegram’s Secret Chats.
As a result of his arrest in August 2024, Telegram’s founder and CEO, Pavel Durov, made significant changes to Telegram’s privacy policy. The revised policy stipulates that Telegram will disclose user IP addresses and phone numbers in response to legitimate criminal investigations substantiated by court orders.
Despite this potential privacy setback, our analysis of illicit Telegram groups reveals that many cybercriminal communities opted to remain on the platform, valuing its robust encryption and existing infrastructure. The updated policy requires CTI analysts to adapt their monitoring techniques and consider the potential for increased data availability from law enforcement channels.
This one potential privacy setback did not encourage threat actors to leave Telegram for good. In fact, many cybercriminal groups announced their support for Durov. We used Lunar, our dark web monitoring platform, to analyze illicit Telegram groups for chatter about moving to other platforms. Not surprisingly, the results from our Telegram channels search engine showed that the majority of threat groups chose to remain on Telegram and continue to take advantage of its full encryption.
Among the main illegal activities that take place on Telegram, you can find:
Read this Dark Web Pulse to see examples of illicit content on Telegram and a thorough breakdown of why threat groups prefer instant messaging.
Within secret Telegram groups, threat actors prioritize individual OpSec to evade detection. For example, vendors selling stolen data or illegal substances often conduct transactions exclusively within Telegram’s ‘Secret Chats,’ utilizing self-destructing messages and end-to-end encryption. They further obscure their identities by employing virtual phone numbers and conducting financial transactions using cryptocurrencies, minimizing the risk of attribution by law enforcement or rival cybercriminal groups. This focus on personal OpSec underscores the challenges faced by cybersecurity professionals attempting to monitor and disrupt these activities.
Moon Cloud serves as a hub for data obtained from stealer logs – mainly Redline. The data shared on this channel includes compromised credentials such as email addresses, IP addresses, passwords, user names, etc.
NoName057(16) is a prolific pro-Russian hacktivist group that targets NATO countries, Ukraine, and Ukraine’s allies in DDoS attacks. In 2024 and 2025 their official Telegram channel was taken down and then reestablished.
RipperSec is a Malaysian pro-Palestinian hacktivist group that targets Israel. Since the start of the Ukraine-Russia War, RipperSec has allied itself with pro-Russian threat actors.
Observer Cloud’s Telegram channel focuses on sharing logs and combo lists from across Telegram. The channel claims that all information was gathered from open internet platforms and intended for educational purposes, so they cannot take responsibility for any misuse of the information published on the channel.
Omega Cloud is a Telegram-based platform for distributing stolen credentials harvested from stealer logs. They offer free and paid services. Users who pay for a subscription can access a database of over 2 B records.
Although some of these Telegram groups and channels are technically open to the public, a large number of these secret Telegram groups are only shared within specific communities. With so many threat groups and APT groups actively using Telegram, Telegram becomes a vital source of information.
Monitor the groups listed in this article and others by setting alerts for your domain, products, and technology. When a cybercriminal mentions something relevant to your company, you’ll receive a notification so you can start investigating the threat immediately.
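The alerting described above can be sketched as follows. This is an added example, not part of the original article and not how Lunar is implemented; the watchlist values, message fields, and sample messages are all constructed assumptions. It matches watched domains (including subdomains and defanged spellings) and product keywords in collected channel messages while rejecting look-alike domains.

```python
import re

# Hypothetical watchlist; every value here is an assumption for illustration.
WATCH_DOMAINS = ["example.com"]
WATCH_KEYWORDS = ["ExampleVPN", "Example Pay"]

SAMPLE_MESSAGES = [  # constructed messages, not real channel content
    {"channel": "constructed-logs-channel", "id": 101,
     "text": "URL: hxxps://login.example[.]com/auth | USER: bob@example.com | PASS: ****"},
    {"channel": "constructed-logs-channel", "id": 102,
     "text": "fresh combo notexample.com and example.com.evil.net"},
    {"channel": "constructed-ddos-channel", "id": 103,
     "text": "next target: examplevpn gateway"},
]

def refang(text):
    """Undo common defanging (hxxp, [.], (dot)) so obscured mentions still match."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"\s*(?:\[\.\]|\(\.\)|\[dot\]|\(dot\))\s*", ".", text, flags=re.I)

def build_patterns(domains, keywords):
    patterns = {}
    for d in domains:
        # The domain or any subdomain, but not look-alikes such as
        # "notexample.com" or "example.com.evil.net".
        patterns[d] = re.compile(
            r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*" + re.escape(d)
            + r"(?![a-z0-9-]|\.[a-z0-9])", re.I)
    for k in keywords:
        # Whole-term match so a keyword does not fire inside a longer token.
        patterns[k] = re.compile(r"(?<!\w)" + re.escape(k) + r"(?!\w)", re.I)
    return patterns

def scan(messages, patterns):
    """Return one alert per (message, watched term) with the distinct strings matched."""
    alerts = []
    for msg in messages:
        text = refang(msg["text"])
        for term, pat in patterns.items():
            hits = sorted({m.group(0).lower() for m in pat.finditer(text)})
            if hits:
                alerts.append({"channel": msg["channel"], "id": msg["id"],
                               "term": term, "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES, build_patterns(WATCH_DOMAINS, WATCH_KEYWORDS)):
        print(alert)
```

Message 102 produces no alert because both strings are look-alikes of the watched domain rather than mentions of it.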
Navigating the complexities of Telegram’s encrypted ecosystem presents a significant challenge for cybersecurity professionals. Proactive monitoring and analysis remain crucial for identifying and addressing emerging threats. Learn more with Lunar.