In the wake of Edward Snowden’s revelations concerning government surveillance, Telegram was built in 2013 to prioritize user privacy and safeguard private conversations and data from third-party intrusion. But over the years, it has become a hotspot for cybercriminal activity. From leaked data and fraud schemes to the sale of illicit services, the platform now hosts a thriving underground economy. In spring 2024 alone, cybercrime-related chatter on Telegram rose by 53% compared to the previous year (Kaspersky).
Telegram’s focus on privacy quickly set it apart. Features like end-to-end encryption, anonymous usernames, and message forwarding without revealing the original sender reinforced its reputation as a secure communication platform. The built-in anonymity and encryption make it difficult to trace the origins of illicit content, identify threat actors, and understand the full scope of their activities. This necessitates the development of advanced analytical techniques and tools to effectively monitor and analyze the vast amounts of data exchanged within these encrypted environments. The ephemeral nature of some Telegram communications, such as self-destructing messages, adds another layer of complexity to threat intelligence efforts, requiring real-time monitoring and analysis to capture and preserve crucial information.
Additionally, the ability to create large, private groups and channels on Telegram significantly compounds the challenge for cybersecurity teams. Within these closed ecosystems, threat actors can coordinate and operate with little risk of detection. Many actors enhance their operational security by using virtual phone numbers and turning to Telegram’s Secret Chats for fully encrypted communication. Cybersecurity professionals therefore need to constantly refine their strategies to understand how these privacy features are being leveraged for illicit activity.
Following the arrest of Telegram founder and CEO Pavel Durov in August 2024, the platform introduced a notable change to its privacy policy. Under the new terms, Telegram can now disclose user IP addresses and phone numbers in response to legitimate criminal investigations backed by court orders.
While this shift marked a potential turning point in the platform’s approach to privacy, our analysis of illicit Telegram groups on our dark web monitoring platform, Lunar, found that most cybercriminal communities chose to stay. Many cybercriminal groups announced their support for Durov and continue to rely on Telegram’s strong encryption and familiar infrastructure. For CTI analysts, this development underscores the need to adjust monitoring strategies and to be aware of the possibility of increased data availability via legal channels.
Among the main illegal activities that take place on Telegram, you can find:
Read this Dark Web Pulse to see examples of illicit content on Telegram and a thorough breakdown of why threat groups prefer instant messaging.
Within secret Telegram groups, threat actors prioritize individual OpSec to evade detection. For example, vendors selling stolen data or illegal substances often conduct transactions exclusively within Telegram’s ‘Secret Chats,’ utilizing self-destructing messages and end-to-end encryption. They further obscure their identities by employing virtual phone numbers and conducting financial transactions using cryptocurrencies, minimizing the risk of attribution by law enforcement or rival cybercriminal groups. This focus on personal OpSec underscores the challenges faced by cybersecurity professionals attempting to monitor and disrupt these activities.
Moon Cloud serves as a hub for data obtained from stealer logs – mainly LummaC2 or Redline. The data shared on this channel includes compromised credentials such as email addresses, IP addresses, passwords, user names, etc.
NoName057(16) is a prolific pro-Russian hacktivist group that targets NATO countries, Ukraine, and Ukraine’s allies in DDoS attacks. Their Telegram channel was taken down several times in 2024. After each takedown, the channel resurfaced and regained a major following in a short period of time.
RipperSec is a Malaysian pro-Palestinian hacktivist group that targets Israel and its allies. Since the start of the Ukraine-Russia War, RipperSec has allied itself with pro-Russian threat actors. Their group was also closed due to Telegram’s new guidelines but was reestablished in the past few months.
Observer Cloud is a long-running project, started in April 2022. Its various channels focus on stealer logs, combo lists, scam lists, and a community marketplace. The channel claims that all information was gathered from open internet platforms and is intended for educational purposes, so its operators cannot take responsibility for any misuse of the information published on the channel.
Besides having a very prominent presence on various dark web forums, the Daisy Cloud admin runs one of the most consistent log sharing groups on Telegram, uploading daily stealer logs for both free and premium buyers.
vx-underground operates as a prominent channel for sharing malware-related content, offering insights into recent threats, leaked tools, and historical malware samples. It serves as a resource hub for cybersecurity researchers, regularly posting files, reports, and threat actor-related commentary.
Omega Cloud is focused on distributing credentials and other data harvested through info-stealer malware. It shares both free samples and premium packages containing stolen login details from platforms such as Google, YouTube, and advertising networks. The group claims to provide thousands of new logs daily, making it a consistent source of fresh compromised data.
Dark Storm Team is a politically motivated group that uses Telegram to broadcast its cyber activities. It frequently shares updates about claimed attacks on public and private sector targets, including infrastructure, transportation, and government systems. The group also promotes DDoS services and seeks visibility for its operations through proof-of-attack screenshots.
This group is tied to the broader BidenCash ecosystem and focuses on discussions around stolen financial data. Members exchange tips on using compromised credit cards, highlight recent data dumps, and discuss market-related updates. BidenCash is known for releasing large batches of credit card information publicly to attract buyers, with one of the most recent leaks exceeding 900,000 cards.
Although some of these Telegram groups and channels are technically open to the public, a large number of these secret Telegram groups are only shared within specific communities. With so many threat and APT groups actively using Telegram, the platform becomes a vital source of information.
Effectively navigating Telegram’s encrypted and fragmented landscape remains a serious challenge. That’s why proactive monitoring and deep analysis are key. Learn how Lunar equips your team to uncover hidden threats and gain visibility into conversations that matter most.
Telegram channels have become one of the primary communication channels and hubs for illicit activity on the deep web, including the exchange of stolen data, tools needed for hacking, and logistical attack coordination. With access to such crucial data, cybersecurity professionals can detect threats earlier, identify data leaks, and take proactive hardening measures to prevent or stop active breaches. Leveraging real-time visibility into Telegram empowers cyber pros to respond rapidly, thus reducing the risk of critical security incidents.
Telegram offers near-indestructible anonymity to cybercriminals by giving them the power to create accounts that are not linked to valid phone numbers or identities. With the additional end-to-end encryption features, “Secret Chats”, and auto-delete functionality, their communications are easily concealed. Finally, Telegram has very relaxed content moderation policies, which makes it easy for cybercriminals to coordinate attacks, share or sell stolen data, recruit new members to their groups, and, in general, manage their illicit activities across the globe.
There are a variety of illegal activities that take place on Telegram channels, including the sharing or sale of stolen data (credit cards, banking information, stolen credentials, etc.). Across the large number of illicit channels that exist on Telegram, we also see malware being distributed, ransomware being sold (as well as other hacking tools), step-by-step guides for cybercrime, and payment facilitation using cryptocurrencies for illicit transactions. While this list is not comprehensive, it is a short overview of the types of activity you might see on Telegram.
Dark web monitoring platforms are necessary to track activities on Telegram because they continuously scan and monitor Telegram at scale (tens of thousands of channels) and then analyze what they collect to identify and summarize threats in real time. This means you can see the most relevant threats to your organization, have messages translated from their original source language to English, have threat actor jargon contextualized, and receive a risk score, among many other analysis tools. Leveraging these tools ensures you can detect, prioritize, and respond to cyber threats more efficiently and effectively while maintaining visibility even as threat actors open and close channels, go private, or migrate to new platforms.
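To make the triage step described above concrete, here is an added Python example (not Webz.io's or Lunar's code) that categorizes constructed Telegram-style messages, matches them against an organization's watchlist of domains, expands jargon, and assigns a risk score while redacting any exposed password. The sample messages, category weights, and the domain `example-corp.com` are all assumptions made up for this illustration.

```python
import re

# Constructed sample messages modelled on the kinds of posts described in this article.
SAMPLE_MESSAGES = [
    {"channel": "cloud_logs", "text": "Fresh LummaC2 logs 12k lines: user@example-corp.com:Passw0rd! 203.0.113.7"},
    {"channel": "ddos_claims", "text": "Target down: portal.example-corp.com DDoS success, proof attached"},
    {"channel": "random_chat", "text": "Anyone selling fullz? cc dumps wanted"},
    {"channel": "random_chat", "text": "gm everyone"},
]

# Category detectors and weights (assumed values for this example).
CATEGORY_PATTERNS = {
    "stealer_log": re.compile(r"\b(lummac2|redline|stealer|logs?)\b", re.I),
    "ddos_claim": re.compile(r"\b(ddos|target down)\b", re.I),
    "carding": re.compile(r"\b(cc|fullz|dumps|cards?)\b", re.I),
}
CATEGORY_WEIGHT = {"stealer_log": 40, "ddos_claim": 30, "carding": 20}
WATCH_HIT_WEIGHT = 50  # bonus when a monitored domain is mentioned

# Jargon glossary used to contextualize actor slang for the analyst.
JARGON = {"fullz": "complete identity/card record", "logs": "stealer logs", "dumps": "card track data"}

# email:password pairs as found in stealer-log samples; the password part is redacted.
CRED_PATTERN = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+:\S+")


def score_message(msg, watch_domains):
    """Return a triage record for one message: categories, watch hits, jargon, score, redacted text."""
    text = msg["text"]
    categories = [c for c, p in CATEGORY_PATTERNS.items() if p.search(text)]
    score = sum(CATEGORY_WEIGHT[c] for c in categories)
    hits = [d for d in watch_domains if d.lower() in text.lower()]
    score += WATCH_HIT_WEIGHT * len(hits)
    jargon = {w: JARGON[w] for w in JARGON if re.search(rf"\b{w}\b", text, re.I)}
    redacted = CRED_PATTERN.sub(lambda m: m.group(0).split(":")[0] + ":[REDACTED]", text)
    return {"channel": msg["channel"], "categories": categories, "watch_hits": hits,
            "jargon": jargon, "score": min(score, 100), "text": redacted}


def triage(messages, watch_domains, threshold=50):
    """Score all messages and return those at or above the threshold, highest risk first."""
    records = [score_message(m, watch_domains) for m in messages]
    return sorted((r for r in records if r["score"] >= threshold), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES, ["example-corp.com"]):
        print(r["score"], r["channel"], r["categories"], r["watch_hits"], r["text"])
```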