Reading:
The Top 10 Dark Web Telegram Chat Groups and Channels

The Top 10 Dark Web Telegram Chat Groups and Channels

April 14, 2022

After the privacy policy scandal of WhatsApp in January 2021, Telegram was one of the trending apps to replace WhatsApp regarding its privacy policy. This situation makes Telegram more popular than ever before! Due to Telegram’s high privacy standards, this popularity attracted a brand-new customer channel, threat actors.

Under these standards, many malicious groups move their platform to Telegram, where they can talk, exchange data, or even sell the leaks they had online. Regarding it all can be done in secret without exposing any identity due to the privacy policy, Telegram has become a malicious groupsfavorite messaging app.


Receive a Free Deep Web Report for Your Organization


What Happens in Telegram Channels? 

Aside from messaging with groups or individuals, Telegram allows one to open groups that can hold up to 200.000 members and create a total anonymous environment. With this opportunity, threat actors can, 

  • Share news in the cyberworld
  • Address corporations’ gaps in their cyber defenses
  • Create smaller chat rooms for accepting new members for their subsequent attacks.
  • Market & sell leaked data from corporations 
  • Start auctions for selling some high-value information
  • Form VIP groups where they receive periodic fees to get in and periodically share their leaks
  • Use telegram bots to deliver malicious software to more device 

Long story short, Telegram has become a private shelter for threat actors across the web. Here are the top ten telegram channels.

With the ThreatShare module, SOCRadar will instantly inform you about what is happening in Telegram channels, what hackers are talking about on dark web forums and cyber security incidents against your digital assets. Learn more about our Extended Threat Intelligence concept.


1. LAPSUS$ Telegram Channel

Main Telegram channel of Lapsus$ 
Main Telegram channel of Lapsus$ 

The famous hacker group shook several government and technology corporations with their attacks within a year, just after they emerged. Lapsus$ has come to the fore by recent takedowns in the UK and ended up arresting seven suspects aged between 16 and 21; two of the suspects are charged with multiple cyber-related crimes.

This telegram channel enables them to post about their attacks & share leaks and contact their victims anonymously. Also, they sometimes use other chatrooms to talk about sharing previous leaks or building infrastructure or teams for their future attacks. Today, this channel has 54k+ subscribers around the globe.


2. RF/RB Bases

A screenshot that shows the leak traffic on the Telegram channel
 A screenshot that shows the leak traffic on the Telegram channel

Russian originated telegram channel that posts sample leaks regularly to market their stolen information. The channel currently has 260+ subscribers, yet it has 2-3 times more visitors to its posts.

3. Null Leak

Leak announcement from Telegram channel of Null Leak
 Leak announcement from the Telegram channel of Null Leak

Another leak-sharing platform with 3.900+ subscribers, this Ukrainian-based group not only shares leaks but also explains the story behind them. Interestingly, the channel also has a VIP sub-group where all the leaks are shared, and people are encouraged to join this premium channel. However, one of Ares’s admins reached out to SOCRadar and stated that no data was shared with anyone other than VIP users. For Ares’ new channels: @aresmainchannel, @aresfreedatav2, @aresdatabaselist, @ARESNEWSCHANNEL, @aresdatachat .

4. vx underground

 Telegram channel of vx-underground
 Telegram channel of vx-underground 

Even though they are not known as a cyber threat, vx-underground is a well-known and visited platform in the cyber security world. vx-underground uses Telegram as well as Twitter and their websites. They often collect paper and malware source codes for their database and share news & leaks and updates on their website and collections.


5. Ares

 A promotion of VIP group in Ares Telegram channel
 A promotion of VIP group in Ares Telegram channel 

A leak-sharing platform that has been motivated by selling databases of prominent corporations, in Europe and the USA, via VIP sub-groups. Today the Telegram channel has 1.500+ subscribers.

6. W BH (Against the West/BlueHornet)

In general, ATW BH -which is of USA origin and against China and Russia- hacks documents, personal information, and information that has a privileged background that belongs to the target companies, groups, or countries. Additionally, they ruin the hackers of the target countries. All their actions and leaks are published on their Twitter accounts and their Telegram group, which everyone can easily access. 

Not only do they explain leaks in a language everyone can understand, but they also quickly respond to the most amateurish questions about the leaks and the hacks vis their account and Telegram group. They also use their Telegram channels as an online sales channel.

Twitter account of BlueHornet, which is the source group of ATW BH
Twitter account of BlueHornet, which is the source group of ATW BH

7. STORMOUS RANSOMWARE

Since early 2022, the STORMOUS Ransomware organization has claimed responsibility for several assaults.

This group, which has been sharing leaks and information via the dark web for a long time, also shares its actions with people through Telegram channels that everyone can access. They even find buyers for information through Telegram channels.

Screenshot of the communication in STORMOUS Ransomware’s Telegram channel 
Screenshot of the communication in STORMOUS Ransomware’s Telegram channel 

8. IT (Information Technology) Army

This group started to be used actively, especially after the war between Russia and Ukraine. This malware is taking advantage of the people’s intention to help Ukraine. They are infecting trojans, the people, by using this situation. After collecting data, they are sharing them through Telegram channels.

Screenshot of data dumps from IT ARMY Telegram channel 
Screenshot of data dumps from IT ARMY Telegram channel 

9. Kelvin Security

Kelvin Security targets the military of the target countries and several areas such as financial services, government agencies, management, aviation, casino & gaming, communications, education, energy, health, and transportation.

Kelvin Security shares their actions and simultaneously leaks from their Telegram accounts, like other hacker groups with Telegram channels. In fact, in March 2022, they hacked the nuclear reactor belonging to Russia during the Russia-Ukraine war. They shared this development with the public on their Twitter accounts and Telegram channels.

An announcement tweet about Kelvin Security hacking the nuclear reactor
An announcement tweet about Kelvin Security hacking the nuclear reactor 

10. Breached Data

The intent of this group is to share knowledge about sensitive data like social security numbers, passwords, phone numbers, etc. Also, they may share information such as when it happened or who did this and similar subjects related to this action. They utilize chat rooms for this purpose.

A screenshot of chat room in the Breached Data
A screenshot of chat room in the Breached Data

Get SOCRadar Freemium, Follow Dark Web Telegram Channels for Free

With ThreatHose, you can get trends on threat actors and TTPs that can be used with the MITRE ATT&CK framework. ThreatHose can be easily integrated with your SIEM, SOAR, firewall, and EDR products. Discover now and provide a contextual and up-to-date feed to your threat hunting teams.

If you think you have the most up-to-date information on groups and channels here, please contact us: [email protected]

Discover SOCRadar® Free Edition

With SOCRadar® Free Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets. Get free access.