Source Intelligence from Telegram Channels | No Dark Web Mentions Found
Date Range: May 6 – May 12, 2025
Report Type: Confidential Intelligence Summary
Prepared By: Hariharan M
1. Key Note on Intelligence Sources
No substantial data or chatter was identified on dark web marketplaces or forums regarding the ongoing India-Pakistan geopolitical conflict during and after Operation Sindoor.
However, Telegram emerged as the primary coordination and communication platform for the involved hacktivist groups. Most of the actionable insights, data leak announcements, attack confirmations, and target disclosures were sourced from Telegram channels and bots run by threat actors.
2. Background
In retaliation for the April 22, 2025 terror attack in Pahalgam, India initiated Operation Sindoor on May 7. In response, more than 45 pro-Pakistan and affiliated hacktivist cells launched 310+ cyberattacks across Indian infrastructure within just seven days. These attacks—high in volume and impact—were not covered in mainstream media, but were actively discussed and coordinated over Telegram.
3. Telegram-Based Cyber Attack Intelligence
A. Coordinated Campaigns and Alliances
- Hacktivist alliances included Keymous+, AnonSec, GARUDA ERROR SYSTEM, and Sylhet Gang-SG.
- Groups operated under banners like OpIndia and IndiaUnderSiege, using Telegram bots to publish:
  - Daily attack schedules.
  - Live updates.
  - Screenshots of successful defacements or DDoS disruptions.
- No matching content was found on dark web channels—Telegram was the exclusive platform of coordination.
B. Telegram-Based Data Leak and Attack Claims
Date | Event | Actor(s) | Telegram Activity |
---|---|---|---|
May 6 | MOD credential leak | Mr Hamza, Keymous+ | Shared ZIP file + usernames/passwords via bot |
May 7 | 247 GB data exfiltration from NIC | DieNet, GARUDA | Telegram-exclusive disclosure with POC |
May 8 | ECI systems claimed breached | Kal_Egy, Keymous+ | Telegram channel poll on next target |
May 9 | Defacement of education & medical sites | INDOHAXSEC, Sylhet Gang-SG | Auto-posted mirror links via Telegram bot |
May 10 | DDoS & breach on Reliance Jio, Kurukshetra Univ. | Cyber Error System | Deface video + admin panel screenshot |
May 11 | Spoofed Indian fintech apps + UPI phishing kits | Islamic Hacker Army | Kit download links dropped via private groups |
May 12 | Malware targeting school and defense users | CyberVolk Arcanum | Lock-screen malware demo video shared |
4. Attack Types Confirmed via Telegram
- Massive DDoS Attacks – Confirmed via status page screenshots.
- Defacements – Screenshots and mirror links shared.
- Data Leaks – ZIPs, CSVs, and internal screenshots circulated.
- Phishing Kits & Malware – Tutorials and tools shared directly in Telegram channels, not dark web.
5. Intelligence Gaps
- Dark Web Silence: Despite searching through prominent forums and marketplaces, no active discussion or data leaks related to the Ind-Pak geopolitical tension or Operation Sindoor were found in those spaces during the incident period.
- This highlights a shift toward Telegram as the primary operational space for hacktivists involved in real-time geopolitical cyber conflicts.
6. Conclusion
There is no available dark web intelligence regarding the India-Pakistan geopolitical cyberwar triggered by Operation Sindoor. However, Telegram channels served as the operational hub for coordination, propaganda, and data dissemination. These findings reinforce the need to prioritize Telegram monitoring in geopolitical threat intelligence over traditional dark web tracking in such conflict zones.