
11 Dark Web Telegram Groups Cybersecurity Teams Should Monitor 

Dark Web Telegram Groups aren’t quite the Wild West for hacktivists and cybercriminals that they were a little over a year ago, but they’re still an important source of cyber threat intelligence for researchers and cybersecurity teams alike.

Since the introduction of AI-based moderation in 2025, Telegram now routinely blocks more than 100,000 groups and channels a day that violate its Terms of Service.

That can make tracking threat actors particularly challenging, as their channels can – and do – change frequently. In fact, several threat groups researched for this article have had their channels shut down or moved. 

With that as background information, here are some of the more stable Telegram groups and channels that should be of interest to security pros. Several offer very good threat intelligence, while others may be more interesting for the insight they offer into the mindset of actors. 

One caveat: Many of these channels and groups publish raw data taken directly from threat actor claims, and as such they should be viewed with skepticism unless verified.

That’s where dark web researchers earn their keep, by assessing which claims and threat groups are valid and reliable enough to be taken seriously. Raw data is rarely of much use to security teams unless enriched and prioritized to give it meaning and context. 


So, let’s have a look at these Telegram groups. Below are 11 dark web Telegram groups and channels that all cybersecurity professionals should keep an eye on.


How Threat Actors Leverage Telegram

Telegram has evolved into a preferred communication platform for cybercriminals, ransomware groups, and hacktivists due to its combination of scale, encryption features, and minimal friction for channel creation.

Unlike traditional dark web forums that require Tor access, Telegram operates on the surface web while still offering anonymity and private group functionality.

Threat actors use Telegram for several strategic purposes:

  • Rapid broadcasting of attack claims: Ransomware groups and hacktivists frequently announce victims before publishing data on leak sites.
  • Channel migration and resilience: When Telegram removes a group, actors quickly spin up mirror or backup channels, maintaining continuity.
  • Recruitment and affiliate programs: Cybercrime syndicates recruit developers, initial access brokers, and ransomware affiliates directly through Telegram.
  • Automated leak distribution: Bots are used to distribute stolen databases, credentials, or malware samples at scale.
  • Propaganda and ideological messaging: Hacktivist groups blend cyberattack claims with political narratives to amplify impact.

This dynamic, fast-moving ecosystem makes Telegram an essential intelligence source—but also one that requires structured monitoring and contextual analysis.

11 Dark Web Telegram Groups to Look Out For

In this list, the first four Telegram channels are more of an information-sharing and threat intel Wikipedia, giving you a slice of the raw data that threat intelligence researchers and platforms work with.

1- Dark Monitor

This is one of the most active cybersecurity-related channels on Telegram. In fact, the constant stream of threat intelligence research, CVEs, ransomware victims and more makes it a little TMI – and a good argument in favor of AI-powered threat intelligence platforms that can sift through and prioritize all that data and more for you.

2- Data Leak Monitor 

This is even more TMI than Dark Monitor, at times posting several new data leak detections a minute. But with more than 25,000 subscribers, the channel clearly has a devoted audience that finds the information useful.
Data leak alerts from various sources
Data Leak Monitor Telegram leak postings

3- Daily Dark Web

This Telegram group is a little more manageable. The channel posts roughly five to 10 digests of ransomware and data breach victims daily, culled from sources like threat group claims on data leak sites.

A Daily Dark Web Telegram post claiming data leak of a Russian state-owned entity

4- Ransomlook

This dark web intelligence Telegram group posts roughly 20 ransomware victims a day. If you want to see who’s allegedly been hit, it will give you the names and basic claim info briefly.

A Ransomlook post of a ransomware victim

Of the threat groups active on Telegram, hacktivists are the most interesting to follow because they combine cyberattacks with ideological messaging, and because they’re not trying to blackmail victims, they typically release all the data they have. So, let’s have a look at the Telegram groups and channels of the most active threat actors on this social messaging application.

5- NoName057(16)

Russia-linked NoName057(16) is the most active hacktivist group – and, as such, the group frequently needs to move to a new channel. The group’s current English-language Telegram username is only about 10 days old, yet posts several new victims a day.

NoName057(16) claiming credit for an Italian DDoS operation

6- Z-Pentest

Z-Pentest is one of the more interesting hacktivist groups to be found on Telegram – although members posting videos of themselves tampering with critical infrastructure control panels might be more scary than interesting. Still, the group has been at the forefront of hacktivist groups that have been moving away from the more traditional DDoS attacks and website defacements and into more destructive areas like data breaches and unauthorized access.

Z-Pentest uploading a screenshot of alleged energy facility tampering

7- IT Army of Ukraine

This group has been one of the more stable hacktivist channels, with 115,000 followers. It is a good source of information on pro-Ukraine hacktivist activity and has been highly active since the beginning of the Kremlin’s invasion.

IT Army of Ukraine detailing attacks allegedly carried out on Russian infrastructure

8- Ghost Princess

This threat actor channel’s operator describes themselves as a journalist and activist, and the channel is a good source of information on hacktivist attacks in the Middle East region as well as pro-Palestinian political perspectives.

Ghost Princess detailing #OpIsrael hacktivist campaign

9- RipperSec

This is another pro-Palestinian group on Telegram, and a source for information on hacktivists’ cyber activities. On the day this article was written, the group shared 10 documents allegedly stolen from Israel Defense Forces.

RipperSec claiming a DDoS attack

10- Cyber Security – Information Security – IT Security

With over 52,000 members, this interactive group fosters real-time discussions among security experts on emerging threats, best practices, and incident response tactics. It is a good place to network and exchange intelligence.

Cyber Security – Information Security – IT Security Telegram group rules

11- Threat Intelligence Sharing

Boasting 2,000+ members, this group encourages collaboration among threat researchers. It also connects to related groups focused on:

  • SOC operations
  • Malware analysis
  • Reverse engineering
  • Incident response

It’s a hub for crowdsourced cyber defense knowledge.

A recent Threat Intelligence Sharing group post

What Security Teams Should Monitor Inside Telegram Channels

Simply following Telegram groups is not enough. The real value lies in identifying high-signal indicators that translate into defensive action. Security teams should prioritize monitoring for:

  • Mentions of company names, domains, or executives.
  • Credential dumps and database leak announcements.
  • Ransomware victim listings tied to relevant industries.
  • Exploit discussions targeting technologies in your stack.
  • Threat actor recruitment posts seeking affiliates or access brokers.
  • Geopolitical escalations that may trigger hacktivist campaigns.

Because Telegram generates a high volume of unverified claims and reposted content, distinguishing noise from credible threats requires correlation with additional intelligence sources. Structured enrichment and prioritization are critical to transforming raw Telegram chatter into actionable cyber defense measures.
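One way to apply the monitoring priorities above, shown as an added example rather than code from this article or any vendor: a triage pass over exported channel posts that keeps only posts touching an organisation's watchlist, tags them by the categories in the list, and merges reposts so that one claim echoed across channels is not mistaken for corroboration. The watchlist, weights, channel names and sample posts are all constructed assumptions.

```python
import hashlib
import re
# Hypothetical watchlist for a fictional organisation (all values constructed).
WATCHLIST = {
    "brand": ["examplecorp", "examplecorp.test"],
    "stack": ["acmevpn", "widgetcms"],
    "industry": ["healthcare"],
}
# Signal name -> (weight, pattern); categories follow the list above, weights are assumptions.
SIGNALS = {
    "credential_leak": (3, r"\b(combo ?list|credentials?|database|dump|leaked)\b"),
    "ransomware_listing": (3, r"\b(ransomware|new victim|leak site)\b"),
    "exploit_talk": (2, r"\b(exploit|0day|poc|cve-\d{4}-\d{4,7})\b"),
    "recruitment": (1, r"\b(affiliates?|initial access|access broker)\b"),
}

def fingerprint(text):
    """Hash a case/punctuation-normalised copy so reposts collapse together."""
    norm = re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()
    return hashlib.sha256(norm.encode()).hexdigest()

def triage(messages):
    """Return one alert per distinct claim, highest score first."""
    alerts = {}
    for msg in messages:
        text = msg["text"].lower()
        hits = {k: m for k, terms in WATCHLIST.items() if (m := [t for t in terms if t in text])}
        if not hits:
            continue  # nothing ties the post to this organisation: noise
        fp = fingerprint(msg["text"])
        if fp in alerts:  # a repost is not independent corroboration
            alerts[fp]["channels"].add(msg["channel"])
            continue
        tags = [name for name, (_, rx) in SIGNALS.items() if re.search(rx, text)]
        score = sum(SIGNALS[t][0] for t in tags) + (5 if "brand" in hits else 2)
        alerts[fp] = {"score": score, "tags": tags, "hits": hits, "channels": {msg["channel"]}}
    return sorted(alerts.values(), key=lambda a: -a["score"])

# Constructed sample posts, not real channel content.
SAMPLE = [
    {"channel": "leak-digest-a", "text": "Leaked database: examplecorp.test customer credentials, 40k rows"},
    {"channel": "leak-digest-b", "text": "LEAKED DATABASE - examplecorp.test customer credentials 40k rows"},
    {"channel": "ransom-feed", "text": "New victim posted on leak site: Northwind Clinic (healthcare)"},
    {"channel": "exploit-chat", "text": "Working PoC exploit for AcmeVPN appliances being shared"},
    {"channel": "hacktivist-x", "text": "random-site.test is down after our DDoS"},
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Every alert this produces is still an unverified claim; the score only orders the analyst's queue for checking against other sources.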

Stay Ahead of Telegram-Based Threats

Monitoring dark web Telegram groups has become essential for cybersecurity teams looking to stay ahead of emerging threats. These channels offer valuable early warning signals about data breaches, planned attacks, and new exploit techniques.

However, the ephemeral nature of these groups, combined with their frequent shutdowns and migrations, makes manual monitoring extremely challenging and resource-intensive.

How Cyble Can Help

Cyble’s threat intelligence platform provides comprehensive monitoring of dark web Telegram channels and groups, enabling security teams to track threat actors without the manual overhead.

Through automated collection and AI-powered analysis, Cyble continuously monitors thousands of threat-related Telegram channels, identifying relevant threats specific to your organization.

The platform contextualizes raw data from these groups, filtering out noise and delivering actionable intelligence about credential leaks, planned attacks, and emerging vulnerabilities.

With real-time alerts and detailed threat actor profiles, Cyble helps security teams transform dark web chatter into proactive defense measures, ensuring you’re always one step ahead of cybercriminals operating in the Telegram ecosystem.

FAQs About Dark Web Telegram Groups


  1. Is using Telegram a red flag?

    Not inherently; Telegram is widely used, but suspicious activity or encrypted channels may raise concerns for security monitoring.

Discover how we help proactively defend against evolving threats with Gen 3 intelligence. Request a Demo today!
