Pro-Iran Hacktivists Use Telegram to Coordinate DDoS and Hack-and-Leak Campaigns


Pro-Iran hacktivist groups are using Telegram to coordinate distributed denial-of-service attacks, circulate target lists, publish alleged stolen data, and amplify claims of successful intrusions. The campaigns are designed to disrupt public services while creating political and reputational pressure during periods of regional conflict.

A July 2026 DomainTools Investigations report describes a decentralized network of ideological collectives, nationalist groups, state-adjacent influence operators, and opportunistic actors. They share political narratives but do not appear to operate through one command structure.

Many of the observed operations rely on relatively accessible methods, including commercial DDoS services, website defacement, credential reuse, recycled breach data, and public leak claims. Their impact comes from rapid mobilization, repeated disruption, and the ability to push attack claims into wider news and social media discussions.

How Telegram Supports Pro-Iran Cyber Campaigns

Telegram acts as a public coordination and publicity platform. Channel administrators can announce targets, distribute instructions, share links to attack tools, post screenshots, and encourage supporters to repeat an operation. Other channels then repost the material, making a limited campaign appear larger and more organized.

This structure allows groups with different skills and motivations to participate in the same operation. One actor may run a DDoS service, another may publish a list of targets, and several others may circulate claims or graphics. The groups do not need to share infrastructure or formal leadership to produce a coordinated public effect.

The model also creates attribution problems. A group publishing an attack claim may have conducted the operation, assisted another group, or simply copied the announcement. Pro-Russian brands such as NoName057(16), Killnet, and MONARCH have also joined parts of the wider anti-Western campaign environment, according to the research.

Groups and Tactics Identified in the Pro-Iran Ecosystem

Group or networkReported activityPrimary risk
313 TeamDDoS attacks, website disruption, Telegram propaganda, and symbolic targetingService outages and campaign amplification
Handala Hack TeamHack-and-leak operations, intimidation, identity exposure, and coercive messagingData exposure and reputational damage
Cyber Fattah TeamDDoS activity, defacement, public target selection, and propagandaDisruption and psychological pressure
Keymous+Persistent, high-volume DDoS campaignsSustained availability problems
DieNetDDoS attacks against government and public-sector targetsRepeated public-service disruption
Cyber Isnaad FrontTarget lists, doxxing, and intimidation of people connected to critical sectorsHarassment and personal security risks

Government, telecommunications, healthcare, finance, logistics, public-sector, and open-source infrastructure are among the sectors named in the report. The choice of victim is often symbolic. A short outage affecting a recognizable organization can generate substantial attention even when no internal system has been breached.

UK authorities have also warned organizations to prepare for indirect effects from Iran-linked hacktivist activity. A March 2026 National Cyber Security Centre alert advised organizations with operations or supply chains in the Middle East to review their external attack surface, increase monitoring where appropriate, and prepare for DDoS and phishing activity.

DDoS Attacks Cause Disruption Without Proving a Breach

A DDoS attack floods a website, application, or network service with more traffic than it can handle. A successful attack may slow the service or make it unavailable, but it does not automatically mean the attacker entered the victimโ€™s internal network or stole information.

This distinction is important when reviewing hacktivist announcements. An outage screenshot may show that a service became unreachable, but it does not establish the cause. The disruption could be brief, limited to one region, or unrelated to the group claiming responsibility.

The UK NCSCโ€™s denial-of-service guidance recommends understanding which services are essential, discussing mitigation options with hosting and internet providers, monitoring traffic, and preparing a response plan before an attack begins.

Hack-and-Leak Claims Require Careful Verification

Hack-and-leak operations create a different problem. Actors may publish documents, credentials, database samples, or screenshots and describe them as evidence of current access. Some material may be genuine, while other content may be old, recycled, publicly available, or taken from an unrelated breach.

The Pro-Iran Hacktivist Ecosystem 2026 report advises defenders to separate access from amplification. A Telegram claim is not proof of intrusion, a leaked sample does not prove continuing access, and a public DDoS claim does not demonstrate control of the targeted network.

Iran Aligned Actor Groups (Source – DomainTools Investigations)

Organizations should still treat every credible claim as an investigative lead. The response should begin with internal evidence, including authentication records, web logs, endpoint telemetry, database activity, data-loss alerts, and changes to exposed systems.

  • Preserve the original post, timestamps, account details, screenshots, and downloadable samples.
  • Compare published data with internal records without opening untrusted files on production systems.
  • Determine whether the material is new, previously leaked, fabricated, or obtained from a third party.
  • Check for unusual logins, mass queries, archive creation, cloud downloads, and outbound transfers.
  • Coordinate technical, legal, privacy, communications, and executive response teams.
  • Avoid repeating an attackerโ€™s claims publicly before the evidence has been assessed.

How Organizations Can Reduce the Risk

Organizations should identify the public services most likely to attract politically motivated attacks. Internet-facing portals, media sites, payment systems, customer login pages, government services, and infrastructure dashboards may require stronger capacity, filtering, rate limits, or cloud-based traffic scrubbing.

The NCSCโ€™s Middle East cyber threat warning recommends proportionate monitoring and a review of exposed systems. This is particularly relevant for organizations with regional operations, suppliers, customers, or public positions that could place them on a hacktivist target list.

Security teams should also plan for the reputational side of an incident. A technically contained event can still become a public crisis if false or exaggerated claims spread faster than the organization can verify them.

  1. Map critical public-facing services and confirm who is responsible for each one.
  2. Test CDN, web application firewall, rate-limiting, and DDoS protection settings.
  3. Remove unnecessary internet exposure and patch known vulnerabilities.
  4. Enforce phishing-resistant multifactor authentication for administrators and remote access.
  5. Monitor for credential stuffing, leaked passwords, impersonation, and executive doxxing.
  6. Establish contacts with hosting providers, internet service providers, and DDoS mitigation vendors.
  7. Prepare approved communications for outages and unverified breach claims.
  8. Run exercises covering simultaneous disruption, data-leak claims, and media inquiries.

What Defenders Should Watch Next

Telegram monitoring can provide early warning when groups publish new target lists or announce coordinated attacks. However, social media intelligence should support, rather than replace, technical investigation. Public claims must be compared with network, identity, endpoint, and application evidence.

Organizations should expect activity to increase quickly around military action, diplomatic disputes, sanctions, and other high-profile events. The low cost of DDoS services and the speed of social media coordination make short-notice campaigns possible even for groups with limited technical resources.

The most effective response combines resilient public services, strong access controls, careful leak verification, and clear communications. Following established NCSC DoS guidance can reduce service disruption, while a disciplined evidence process can limit the reputational value of false or exaggerated attack claims.

FAQ

How do pro-Iran hacktivists use Telegram?

They use Telegram to announce targets, distribute instructions, share attack tools, publish alleged leaks, recruit supporters, and amplify claims made by allied groups.

Does a DDoS attack mean a network was breached?

No. A DDoS attack is intended to make a service unavailable by overwhelming it with traffic. It does not by itself prove that attackers accessed internal systems or stole data.

Are pro-Iran hacktivist groups controlled by the Iranian government?

Not necessarily. Researchers describe a loose ecosystem that includes ideological groups, state-adjacent networks, nationalist actors, and opportunistic participants. The level of Iranian support or direction can differ between groups and is often unconfirmed.

How should an organization respond to a hack-and-leak claim?

It should preserve the claim, examine internal logs and security telemetry, validate any published samples, determine whether the data is new, and coordinate technical, legal, privacy, and communications teams before making public conclusions.

How can organizations prepare for hacktivist DDoS attacks?

Organizations should identify critical public services, test DDoS protection, configure rate limits and web application firewalls, remove unnecessary exposure, preserve logs, and maintain response contacts with hosting and network providers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages