
Top 10 risky Telegram channels your cybersecurity team should know about



Summary: Cybercriminals frequently exploit Telegram for malicious activities, but businesses can protect themselves using the right cybersecurity tools.

Long gone are the days when cybercrime was associated solely with shady websites and illegal forums. Today, threat actors abuse everyday apps and legitimate services to spread malware, run phishing campaigns, and steal company credentials.

One platform that threat actors are known to operate through is Telegram, a social media and messaging app with over 1 billion active users. In this article, we’ll explore the biggest cyber threats that organizations may face with Telegram and share ways to identify and protect your business against them.

Here’s what businesses need to know about the underground Telegram

As a service that lets users send messages, photos, videos, files, and other media from virtually any device, Telegram has become a go-to communication app for millions worldwide. Its popularity, combined with private groups and channels, optional end-to-end encrypted Secret Chats, and the ability to create an account with little more than a phone number, also makes it highly appealing to threat actors. Note that only Secret Chats are end-to-end encrypted; ordinary chats, groups, and channels are encrypted in transit and stored on Telegram's servers, which is part of why so much of this activity is visible to anyone who joins the channel, including defenders.

Reports indicate that threat actors use Telegram channels for illicit activities targeting both individuals and businesses. These activities include distributing malware- or ransomware-infected files that can compromise devices, running phishing campaigns, exposing sensitive company data, and facilitating corporate espionage. As a result, employees who use Telegram on work devices can expose the company to several of these risks. To limit the damage, security teams should monitor Telegram continuously for threats to their organization.

For company leaders, there are three key points to keep in mind:

  1. Threat actors may exploit Telegram to perform malicious activities.
  2. Employees can infect company devices with malware or ransomware through the Telegram platform.
  3. Monitoring Telegram for leaks involving your sensitive company data is essential.

How threat actors operate on Telegram

Knowing how Telegram works, you can probably imagine some ways cybercriminals could exploit it. However, some methods might surprise you. Below is a list starting with the more obvious uses and progressing to increasingly sophisticated tactics.

  • Marketplaces for stolen data: Cybercriminals turn Telegram channels into bustling trading forums (similar to dark web marketplaces) where stolen data is bought and sold like everyday goods. These channels advertise everything from breached databases and leaked credentials to “cybercrime‑as‑a‑service” packages, complete with ready‑made hacking tools available for purchase.
  • Phishing campaigns and scams: Some threat actors share templates of lure messages and impersonation tactics, while others use the platform directly to coordinate mass-messaging campaigns that trick victims into revealing personal or financial information. Often, victims receive messages that appear to come from credible sources, such as banks, government agencies, or trusted contacts, making the impersonation harder to detect.
  • Malware and ransomware distribution: Cybercriminals circulate malicious files or links through private groups, and some use Telegram bots to automate tasks such as spreading malware, launching ransomware attacks, harvesting credentials, or delivering payloads to infected devices. In particular, the Telegram Bot API is a popular exfiltration and command channel for infostealers, so outbound connections to api.telegram.org from hosts that have no business using Telegram are a signal worth alerting on.
  • Vulnerabilities and target analysis in public: Many Telegram hacking groups use the platform as an open forum for discussing cybersecurity vulnerabilities. Members dissect newly discovered flaws, speculate about potential exploits, and identify high‑value targets. This accelerates the spread of knowledge and provides a space for hackers to organize around those targets.
  • Private cybercrime communities: To strengthen their networks, threat actors often gather in secret Telegram groups or semi‑private channels, forming loosely connected communities resembling dark‑web forums, but with the convenience of a mobile app. Private, invite‑only groups serve as hubs for vetted members to exchange sensitive data, coordinate operations, and trade cybercrime services away from public scrutiny.
  • Hacktivist campaign coordination: Some hacker groups use Telegram channels to announce targets, schedule activities, and claim responsibility. Governments, corporations, and financial institutions are frequent targets, and Telegram’s broadcast features allow rapid mobilization of participants.

10 high-risk Telegram channels security teams should be aware of

Considering the sophisticated tactics of cybercriminals (which can be very hard to detect), it’s difficult to say how many hacking groups actually use Telegram for illicit activity. However, among the many that have been revealed or operate openly, several are commonly cited in public reporting as high-risk cybercrime hubs. Here are a few that security teams should be aware of:

  1. Moon Cloud: This high-traffic channel is commonly described as a central aggregation hub for stolen logs allegedly harvested by infostealer malware like RedLine and LummaC2. It collects and republishes large volumes of compromised account data from various Telegram sources, often offering the stolen information at favorable prices with daily updates for cybercriminals.
  2. NoName057(16): A pro-Russian hacktivist group active since 2022. They are reported to conduct DDoS attacks against countries supporting Ukraine, frequently targeting government, financial, and critical infrastructure sites using their tool, DDoSia.
  3. RipperSec: Identified as a pro-Palestinian hacktivist collective, RipperSec is known for DDoS campaigns and data leaks against organizations aligned with Israel. Active on Telegram since June 2023, they reportedly leverage the platform for attack coordination, propaganda, and recruitment.
  4. Daisy Cloud: A log-sharing group that reportedly publishes stolen credentials daily. Their activity supports credential stuffing and other downstream financial fraud.
  5. Observer Cloud: Active since 2022, Observer Cloud is a Telegram channel that reportedly collects and distributes stolen credentials and scam data. Although it claims to be used for “educational purposes,” it's often mentioned as a log aggregator for cybercriminals.
  6. Omega Cloud: A Telegram channel that is commonly reported as distributing large volumes of compromised credentials (UCLs) reportedly from info-stealer malware like RedLine. They run a subscription service giving buyers access to fresh login dumps, though the authenticity of all logs cannot be verified.
  7. BidenCash: A channel widely cited in public reporting as focusing on the trade of stolen payment card data, such as credit card numbers and CVVs. The marketplace reportedly generated millions before law enforcement seized many of its domains in 2025.
  8. EMP/mailpass/sqli Chat: A Telegram channel focused on email/password leaks and SQL injection data. It serves as a discussion and exchange space frequently referenced in connection with the sharing of tools and compromised data among cybercriminals.
  9. Dark Storm Team: A politically motivated group, often cited as pro-Palestinian, reportedly conducting DDoS and ransomware attacks. They have claimed responsibility for high-profile attacks, including on airports, though their involvement hasn’t been confirmed in all cases.
  10. Z-Pentest Alliance: A group claiming to target operational technology systems in oil, gas, and water infrastructure. They post videos on Telegram to demonstrate access and intimidate targets, though some claims remain unverified.

How to detect illicit activity on Telegram

The scale of malicious activity on Telegram can feel unmanageable at first glance, but it is still possible to protect your business effectively. With the cybersecurity tools available today and a few proven strategies, you can actively monitor, detect, and mitigate risks on the platform.

For instance, you can start with threat intelligence feeds that flag malicious Telegram channels, bots, and links, and pair them with internal scans of proxy and DNS logs to find suspicious links or unapproved use of the app. DNS and URL filtering can then block known-bad destinations. Whether to block Telegram entirely on managed devices is a policy decision, but at minimum log connections to Telegram domains so that Bot API traffic from hosts with no business need stands out.
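As an added example, not part of the original article and not NordStellar code, the following Python script applies the "internal scans" idea to a proxy log: it flags hosts that reach Telegram domains, treats Bot API calls from hosts outside an allowlist as the highest-severity finding, and redacts the bot token it sees. The log format, the allowlist, the domain list, and the sample lines (including the bot token) are constructed for illustration.

```python
"""Flag Telegram-related traffic in a proxy log (added example; assumptions noted inline)."""
import re
from urllib.parse import urlsplit

# Assumed list of domains Telegram clients use; extend it from your own intelligence.
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me", "telesco.pe")
BOT_API_HOST = "api.telegram.org"
# Bot API URLs have the shape https://api.telegram.org/bot<id>:<token>/<method>
BOT_TOKEN_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)")
# Assumption: hosts permitted to use Telegram (e.g. the comms team workstation)
ALLOWED_HOSTS = {"10.0.5.23"}

# Assumed log format: "<timestamp> <source_ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines; the bot token is made up, not a real one.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z 10.0.5.23 GET https://web.telegram.org/a/ 200
2025-03-04T09:12:07Z 10.0.7.41 POST https://api.telegram.org/bot123456789:AAE4kFqZ0xVbQm3nR7sT9uW2yX5zA8cD1eF/sendDocument 200
2025-03-04T09:13:10Z 10.0.7.41 POST https://api.telegram.org/bot123456789:AAE4kFqZ0xVbQm3nR7sT9uW2yX5zA8cD1eF/sendMessage 200
2025-03-04T09:15:44Z 10.0.9.12 GET https://t.me/somechannel 200
2025-03-04T09:16:02Z 10.0.9.12 GET https://www.example.com/ 200
"""


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    parts = urlsplit(url)
    return {"ts": ts, "src": src, "method": method,
            "host": parts.hostname or "", "path": parts.path, "status": int(status)}


def is_telegram_host(host):
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)


def classify(entry):
    """Return (category, detail). The Bot API host is checked first because it
    also ends in .telegram.org and would otherwise be lumped in with client use."""
    host = entry["host"]
    if host == BOT_API_HOST:
        m = BOT_TOKEN_RE.match(entry["path"])
        if m:
            bot_id, token, api_method = m.groups()
            # Keep only enough of the token to correlate findings; never log it whole.
            return "bot_api", f"Bot API {api_method} via bot {bot_id}:{token[:4]}...(redacted)"
        return "bot_api", "Bot API host contacted"
    if is_telegram_host(host):
        return "client", f"Telegram client/web traffic to {host}"
    return None, ""


def severity(category, src):
    if src in ALLOWED_HOSTS:
        return "info"
    return "high" if category == "bot_api" else "medium"


def analyze(log_text):
    """Return one finding per Telegram-related log line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        category, detail = classify(entry)
        if category is None:
            continue
        findings.append({"ts": entry["ts"], "src": entry["src"], "category": category,
                         "severity": severity(category, entry["src"]), "detail": detail})
    return findings


def bot_api_sources(findings):
    """Count high-severity Bot API calls per source host. Repeated sendDocument/
    sendMessage calls from one workstation are what stealer exfiltration looks like."""
    counts = {}
    for f in findings:
        if f["category"] == "bot_api" and f["severity"] == "high":
            counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['src']:12} {f['category']:8} {f['detail']}")
    print("suspected exfiltration sources:", bot_api_sources(results))
```

To run this against real proxy or DNS logs, only `parse_line` needs to change. The token regex matches the `/bot<id>:<token>/<method>` path shape the Bot API uses, so a match in outbound traffic from an ordinary workstation deserves an immediate look at that host.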

You can also use open-source intelligence (OSINT) tools to find public mentions of your company, domains, or executives that may indicate a developing threat, and to check whether your email domains appear in the credential dumps these channels circulate. Data Loss Prevention (DLP) rules help ensure that sensitive data is not shared outside the organization, including through messaging apps. Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) solutions provide monitoring of employee devices while staying within legal and privacy requirements.
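As an added example of the data-leak monitoring described above (again not the article's or NordStellar's code), this Python script takes lines in the `url:login:password` and `login:password` formats typical of infostealer log dumps and combolists, keeps only logins on the organization's domains, deduplicates repeats, rates a hit higher when the URL is an SSO, VPN, or mail portal, and stores a masked password plus a truncated SHA-256 fingerprint rather than the plaintext. The organization domains, the URL keywords, and the dump lines are constructed for illustration.

```python
"""Match a credential dump against an organization's domains (added example)."""
import hashlib
import re

ORG_DOMAINS = {"example.com"}                      # assumption: your corporate domains
CRITICAL_URL_KEYWORDS = ("sso.", "vpn.", "mail.")  # assumption: portals where a leaked login hurts most

EMAIL_RE = re.compile(r"^[^@\s:;]+@([a-z0-9.-]+\.[a-z]{2,})$")
SEVERITY_RANK = {"critical": 0, "high": 1}

# Constructed dump lines: a repeat, a non-org login, a lookalike domain, and junk.
SAMPLE_DUMP = """\
https://sso.example.com/login:alice@example.com:Summer2024!
https://shop.site.test/account:bob@gmail.com:hunter2
mail.example.com:carol@corp.example.com:P@ssw0rd
dave@example.com:Welcome1
https://sso.example.com/login:alice@example.com:Summer2024!
garbage line without separator
evil@examplecom.net:foo
"""


def parse_record(line):
    """Parse one dump line in url:login:password or login:password form.
    The URL scheme is stripped first so the colon split is not confused by '://'.
    Passwords keep any colons they contain; lines that do not fit are skipped."""
    body = re.sub(r"^[a-z][a-z0-9+.-]*://", "", line.strip(), flags=re.I)
    parts = body.split(":")
    if len(parts) < 2:
        return None
    if "@" in parts[0]:                           # login:password
        url, login, password = None, parts[0], ":".join(parts[1:])
    elif len(parts) >= 3 and "@" in parts[1]:     # url:login:password
        url, login, password = parts[0], parts[1], ":".join(parts[2:])
    else:
        return None
    m = EMAIL_RE.match(login.lower())
    if not m or not password:
        return None
    return {"url": url, "email": login.lower(), "domain": m.group(1), "password": password}


def belongs_to_org(domain):
    """Exact or subdomain match only; lookalikes such as examplecom.net do not match."""
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def mask_password(pw):
    return pw[0] + "*" * (len(pw) - 1)


def fingerprint(pw):
    # A truncated SHA-256 lets analysts tell whether two leaks share a password
    # without the plaintext ever being stored in the alert.
    return hashlib.sha256(pw.encode()).hexdigest()[:12]


def match_dump(text):
    """Return deduplicated alerts for org logins, most severe first."""
    alerts = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or not belongs_to_org(rec["domain"]):
            continue
        key = (rec["email"], rec["url"], rec["password"])
        if key in alerts:
            alerts[key]["seen"] += 1
            continue
        url = rec["url"] or ""
        sev = "critical" if any(k in url for k in CRITICAL_URL_KEYWORDS) else "high"
        alerts[key] = {
            "email": rec["email"], "url": rec["url"], "severity": sev, "seen": 1,
            "password_masked": mask_password(rec["password"]),
            "password_fingerprint": fingerprint(rec["password"]),
        }
    return sorted(alerts.values(), key=lambda a: (SEVERITY_RANK[a["severity"]], a["email"]))


def summary(alerts):
    counts = {}
    for a in alerts:
        counts[a["severity"]] = counts.get(a["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = match_dump(SAMPLE_DUMP)
    for a in found:
        print(f"{a['severity']:8} {a['email']:26} {a['url'] or '-':28} "
              f"seen={a['seen']} pw={a['password_masked']} fp={a['password_fingerprint']}")
    print(summary(found))
```

The point of the masking and fingerprinting is that the alert can be forwarded to a ticketing system or the affected user without itself becoming a second copy of the leaked secret; the fingerprint still lets you see when the same password shows up again in a later dump.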

Finally, regular employee training is essential. It builds a culture of vigilance, makes staff aware of the organization's policy on Telegram use, and encourages them to report suspicious messages, links, or channels they encounter on the platform. Together, these strategies turn Telegram from an uncontrollable threat into a manageable risk.

Use NordStellar to monitor malicious channels

NordStellar is a solution that helps businesses of all types identify external cyber threats targeting them. It’s a threat exposure management platform that gives you real-time visibility into data leaks, attack surface vulnerabilities, and brand abuse by continuously monitoring sources such as ransomware blogs, dark web forums and marketplaces, social media, and—yes—Telegram channels.

NordStellar provides actionable insights with full context behind each threat, helping your security team make more informed decisions. With solutions such as Data Breach Monitoring, Attack Surface Management, and Brand Protection, the platform covers the capabilities of three separate tools.

Therefore, if you want to quickly find out whether any threats on Telegram are targeting your business, NordStellar will keep you well-informed.

Stay ahead of threats to your business on Telegram before they escalate. Get your 7-day free NordStellar trial and start monitoring your exposure today.

This article is published by Nord Security Inc. for informational and cybersecurity awareness purposes only. It does not endorse, promote, or encourage access to or interaction with any Telegram channel, group, service, or activity associated with illegal, harmful, or malicious conduct.

References to channels, groups, or threat actors are based on publicly available reporting and threat intelligence observations and are provided solely for defensive and educational purposes. Inclusion does not imply confirmed criminal liability, verified attribution of any cyber incident, or representation of any government, political movement, ideology, or organization. Certain claims or activities described may be unverified, disputed, or subject to change.

This content does not provide instructions or assistance for accessing illicit services. The information is provided on an “as-is” basis without warranties as to accuracy, completeness, or continued relevance. References to third-party platforms or services do not imply affiliation or endorsement. Laws vary by jurisdiction, and readers are responsible for compliance with applicable law. Nord Security Inc. disclaims liability for actions taken in reliance on this article. All trademarks are the property of their respective owners.

