Pro-Iran Hacktivists Use Telegram to Coordinate DDoS and Hack-and-Leak Campaigns
Pro-Iran hacktivist groups are using Telegram to coordinate distributed denial-of-service attacks, circulate target lists, publish alleged stolen data, and amplify claims of successful intrusions. The campaigns are designed to disrupt public services while creating political and reputational pressure during periods of regional conflict.
A July 2026 DomainTools Investigations report describes a decentralized network of ideological collectives, nationalist groups, state-adjacent influence operators, and opportunistic actors. They share political narratives but do not appear to operate through one command structure.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Many of the observed operations rely on relatively accessible methods, including commercial DDoS services, website defacement, credential reuse, recycled breach data, and public leak claims. Their impact comes from rapid mobilization, repeated disruption, and the ability to push attack claims into wider news and social media discussions.
How Telegram Supports Pro-Iran Cyber Campaigns
Telegram acts as a public coordination and publicity platform. Channel administrators can announce targets, distribute instructions, share links to attack tools, post screenshots, and encourage supporters to repeat an operation. Other channels then repost the material, making a limited campaign appear larger and more organized.
This structure allows groups with different skills and motivations to participate in the same operation. One actor may run a DDoS service, another may publish a list of targets, and several others may circulate claims or graphics. The groups do not need to share infrastructure or formal leadership to produce a coordinated public effect.
The model also creates attribution problems. A group publishing an attack claim may have conducted the operation, assisted another group, or simply copied the announcement. Pro-Russian brands such as NoName057(16), Killnet, and MONARCH have also joined parts of the wider anti-Western campaign environment, according to the research.
Groups and Tactics Identified in the Pro-Iran Ecosystem
| Group or network | Reported activity | Primary risk |
|---|---|---|
| 313 Team | DDoS attacks, website disruption, Telegram propaganda, and symbolic targeting | Service outages and campaign amplification |
| Handala Hack Team | Hack-and-leak operations, intimidation, identity exposure, and coercive messaging | Data exposure and reputational damage |
| Cyber Fattah Team | DDoS activity, defacement, public target selection, and propaganda | Disruption and psychological pressure |
| Keymous+ | Persistent, high-volume DDoS campaigns | Sustained availability problems |
| DieNet | DDoS attacks against government and public-sector targets | Repeated public-service disruption |
| Cyber Isnaad Front | Target lists, doxxing, and intimidation of people connected to critical sectors | Harassment and personal security risks |
Government, telecommunications, healthcare, finance, logistics, public-sector, and open-source infrastructure are among the sectors named in the report. The choice of victim is often symbolic. A short outage affecting a recognizable organization can generate substantial attention even when no internal system has been breached.
UK authorities have also warned organizations to prepare for indirect effects from Iran-linked hacktivist activity. A March 2026 National Cyber Security Centre alert advised organizations with operations or supply chains in the Middle East to review their external attack surface, increase monitoring where appropriate, and prepare for DDoS and phishing activity.
DDoS Attacks Cause Disruption Without Proving a Breach
A DDoS attack floods a website, application, or network service with more traffic than it can handle. A successful attack may slow the service or make it unavailable, but it does not automatically mean the attacker entered the victimโs internal network or stole information.
This distinction is important when reviewing hacktivist announcements. An outage screenshot may show that a service became unreachable, but it does not establish the cause. The disruption could be brief, limited to one region, or unrelated to the group claiming responsibility.
The UK NCSCโs denial-of-service guidance recommends understanding which services are essential, discussing mitigation options with hosting and internet providers, monitoring traffic, and preparing a response plan before an attack begins.
Hack-and-Leak Claims Require Careful Verification
Hack-and-leak operations create a different problem. Actors may publish documents, credentials, database samples, or screenshots and describe them as evidence of current access. Some material may be genuine, while other content may be old, recycled, publicly available, or taken from an unrelated breach.
The Pro-Iran Hacktivist Ecosystem 2026 report advises defenders to separate access from amplification. A Telegram claim is not proof of intrusion, a leaked sample does not prove continuing access, and a public DDoS claim does not demonstrate control of the targeted network.

Organizations should still treat every credible claim as an investigative lead. The response should begin with internal evidence, including authentication records, web logs, endpoint telemetry, database activity, data-loss alerts, and changes to exposed systems.
- Preserve the original post, timestamps, account details, screenshots, and downloadable samples.
- Compare published data with internal records without opening untrusted files on production systems.
- Determine whether the material is new, previously leaked, fabricated, or obtained from a third party.
- Check for unusual logins, mass queries, archive creation, cloud downloads, and outbound transfers.
- Coordinate technical, legal, privacy, communications, and executive response teams.
- Avoid repeating an attackerโs claims publicly before the evidence has been assessed.
How Organizations Can Reduce the Risk
Organizations should identify the public services most likely to attract politically motivated attacks. Internet-facing portals, media sites, payment systems, customer login pages, government services, and infrastructure dashboards may require stronger capacity, filtering, rate limits, or cloud-based traffic scrubbing.
The NCSCโs Middle East cyber threat warning recommends proportionate monitoring and a review of exposed systems. This is particularly relevant for organizations with regional operations, suppliers, customers, or public positions that could place them on a hacktivist target list.
Security teams should also plan for the reputational side of an incident. A technically contained event can still become a public crisis if false or exaggerated claims spread faster than the organization can verify them.
- Map critical public-facing services and confirm who is responsible for each one.
- Test CDN, web application firewall, rate-limiting, and DDoS protection settings.
- Remove unnecessary internet exposure and patch known vulnerabilities.
- Enforce phishing-resistant multifactor authentication for administrators and remote access.
- Monitor for credential stuffing, leaked passwords, impersonation, and executive doxxing.
- Establish contacts with hosting providers, internet service providers, and DDoS mitigation vendors.
- Prepare approved communications for outages and unverified breach claims.
- Run exercises covering simultaneous disruption, data-leak claims, and media inquiries.
What Defenders Should Watch Next
Telegram monitoring can provide early warning when groups publish new target lists or announce coordinated attacks. However, social media intelligence should support, rather than replace, technical investigation. Public claims must be compared with network, identity, endpoint, and application evidence.
Organizations should expect activity to increase quickly around military action, diplomatic disputes, sanctions, and other high-profile events. The low cost of DDoS services and the speed of social media coordination make short-notice campaigns possible even for groups with limited technical resources.
The most effective response combines resilient public services, strong access controls, careful leak verification, and clear communications. Following established NCSC DoS guidance can reduce service disruption, while a disciplined evidence process can limit the reputational value of false or exaggerated attack claims.
FAQ
They use Telegram to announce targets, distribute instructions, share attack tools, publish alleged leaks, recruit supporters, and amplify claims made by allied groups.
No. A DDoS attack is intended to make a service unavailable by overwhelming it with traffic. It does not by itself prove that attackers accessed internal systems or stole data.
Not necessarily. Researchers describe a loose ecosystem that includes ideological groups, state-adjacent networks, nationalist actors, and opportunistic participants. The level of Iranian support or direction can differ between groups and is often unconfirmed.
It should preserve the claim, examine internal logs and security telemetry, validate any published samples, determine whether the data is new, and coordinate technical, legal, privacy, and communications teams before making public conclusions.
Organizations should identify critical public services, test DDoS protection, configure rate limits and web application firewalls, remove unnecessary exposure, preserve logs, and maintain response contacts with hosting and network providers.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages