IndoHaxSec: Inside the Expanding Network of a Pro-Palestinian Hacktivist Collective

In recent years, hacktivist groups have increasingly emerged as visible actors in the broader landscape of cyber operations. Often forming around shared political or ideological motivations, these collectives use digital attacks, data leaks, and public messaging to amplify their narratives and demonstrate technical capability. Among the groups that have surfaced within this environment is IndoHaxSec, a collective that presents itself as an Indonesian hacktivist entity and publicly frames its activities around political causes, particularly those connected to the Israel–Palestine conflict.

IndoHaxSec has appeared across several online platforms where it promotes its identity, claims cyber operations, and communicates with supporters. Like many hacktivist groups, its presence is distributed across multiple channels rather than centralized in a single space. Messages, attack claims, and other artifacts are shared through social platforms, messaging channels, and underground forums, creating a scattered but traceable digital footprint.

While the group positions itself as a politically motivated actor, the extent of its operations, its alliances with other hacktivist collectives, and the broader network surrounding it remain relatively unclear. Public claims and online messaging often provide only a partial view of how such groups function or how their activities connect across platforms.

This report traces IndoHaxSec’s digital footprint across several platforms in order to better understand how the group operates, how it communicates, and how it positions itself within the wider hacktivist landscape. By piecing together artifacts from defacement monitoring tools, Telegram channels, leak forums, and other open sources, the investigation reveals an expanding network of activity that goes well beyond isolated attack claims.

Incident Trigger and Initial Investigation

The investigation into IndoHaxSec began after the group appeared in connection with a data leak involving South Korean users. The breach, which was advertised online under the title “514.4K THOUSANDS OF SOUTH KOREAN POPULATION AND TRADER DATA,” drew attention due to both the scale of the dataset and the explicit attribution to IndoHaxSec.

  • https://xforums.***/threads/514********************3/

To better understand the scope of the group’s activity, the keyword “INDOHAXSEC” was queried across multiple modules within the StealthMole platform. The first step involved examining the Leaked Monitoring module, which indexes publicly advertised breaches, database leaks, and stolen data shared across underground forums and related platforms.

The search results quickly revealed that the South Korean dataset was not an isolated incident. StealthMole’s indexing showed that 27 separate leak-related entries associated with IndoHaxSec had been detected between December 2024 and March 2026. These entries included datasets allegedly originating from multiple countries and sectors, indicating that the group had been active across several leak forums and platforms over an extended period of time.

To further understand the nature of these activities, additional StealthMole modules were queried using the same keyword. This included the Defacement Alert module, which monitors website defacements, as well as Government Monitoring, which tracks incidents involving government-related data exposures. Together, these tools provided a broader view of the group’s publicly visible operations and helped establish an initial timeline of IndoHaxSec’s activity across different types of cyber incidents.

These early findings suggested that IndoHaxSec’s presence extended beyond a single breach claim and pointed toward a wider pattern of activity across multiple platforms. As a result, the investigation expanded to examine the group’s online infrastructure, including the messaging channels and forums where its operations and announcements were being promoted.

Mapping IndoHaxSec’s Online Presence

Following the initial findings from StealthMole’s monitoring modules, the investigation shifted toward identifying the online spaces where IndoHaxSec promotes its activities and communicates with its audience. Hacktivist groups often rely heavily on messaging platforms and social media to publicize attacks, share leaked data, and build alliances with other collectives. Tracing these channels therefore provides important insight into how such groups operate and how their narratives spread online.

Using StealthMole’s Telegram Tracker, several Telegram accounts operating under the IndoHaxSec name were identified. These accounts appear to represent different roles within the group and openly reference IndoHaxSec in their profile descriptions or usernames.

The following Telegram accounts were identified during the investigation:

  • Telegram ID: 80********5
  • Display Name: LEADER OF INDOHAXSEC TEAM
  • Username: @K3******K

  • Telegram ID: 67******50
  • Display Name: INDOHAXSEC SERVICE
  • Username: @IN******E**S******E

  • Telegram ID: 79********29
  • Display Name: INDOHAXSEC
  • Username: @hm*****7

  • Telegram ID: 7873654972
  • Display Name: The_Owner_IndoHaxSec

  • Telegram ID: 7230074565
  • Display Name: ItaChi
  • Username: @indo******9

Historical indexing within StealthMole also showed that the account associated with Telegram ID: 7929455429 previously used the username @Z_BL4CK_H before switching to @hmei7 on 2025-12-05. The earlier alias resembles the name of another Indonesian hacktivist group, Z BL4CK H4T, although the available data does not confirm a direct connection between the two.

In addition to individual accounts, several Telegram channels associated with the group were discovered. These channels appear to function as public communication hubs where IndoHaxSec posts announcements, shares defacement claims, and promotes leaked datasets.

The following Telegram channels were identified during the investigation:

  • https://t.me/INDOHAXSEC
  • https://t.me/indo*****
  • https://t.me/Indohaxsec_Team
  • https://t.me/Indo******

Posts within these channels frequently included attack claims, ideological messages, and links to datasets hosted on underground forums. For example, one post promoted a dataset titled “600,000 Federal Bank of India Database”, accompanied by a link directing users to a thread on DarkForums.

The Telegram channels also served as entry points to other platforms maintained by the group. Several posts encouraged followers to join additional communication channels operated by IndoHaxSec, including:

  • X account: https://x.com/INDO******C
  • WhatsApp channel: https://whatsapp.com/channel/0029**************0L

The presence of these cross-platform links suggests that IndoHaxSec attempts to maintain a distributed online presence rather than relying on a single communication platform. By directing followers across Telegram, X, and WhatsApp, the group appears to expand the reach of its messaging while ensuring that its announcements and propaganda can continue circulating even if individual channels are disrupted.

Mapping these accounts and channels provides an initial view of the group’s communication infrastructure. These spaces serve not only as places where IndoHaxSec announces operations but also as hubs where alliances, ideological messaging, and leaked data are publicly promoted.

Telegram Messaging, Narratives, and Alliances

With IndoHaxSec’s communication channels identified, the investigation then focused on the content shared within these spaces. Telegram channels associated with the group provide a clearer view of how IndoHaxSec frames its activities, promotes its operations, and interacts with other hacktivist collectives. Many of the posts observed during the investigation combined attack claims with political messaging, suggesting that the group uses Telegram not only to publicize incidents but also to reinforce its ideological positioning.

Several posts within the channel https://t.me/Indo****** referenced attacks and defacement activity. In one instance, the channel announced a defacement targeting the website:

  • https://casino4live.com/

The message accompanying the claim included the text “LETS FUCKING GO!! STOP_JUDOL!”, followed by hashtags such as #INDOHAXSEC, #HAXCHIPPER, and #OPSIJJIN_SUPPORTIRAN. These posts illustrate how the group uses Telegram to publicly claim responsibility for website defacements while linking the activity to broader ideological narratives.

The same channel also contained a post referencing the previously identified South Korean dataset leak. The message advertised a dataset titled:

“514.4K THOUSANDS OF SOUTH KOREAN POPULATION AND TRADER DATA.”

Within the message, the group framed the breach as a response to alleged racism from South Koreans and suggested that the incident was intended as an initial warning. The post included the hashtag #Ops_KrRacist, indicating that the attack was presented as part of a broader campaign narrative.

Beyond individual attack claims, Telegram posts also revealed collaborations between IndoHaxSec and other hacktivist groups. On 7 March 2026, the channel https://t.me/Indo****** announced an alliance between IndoHaxSec and another hacktivist collective known as HaxChipper. The message stated that the two groups would work together under an operation referred to as “Operation SijjinCyber,” which was described as supporting Iran and Palestine while targeting Israel, the United States, and their allies.

Another collaboration appeared in the channel https://t.me/Indohaxsec_Team, where a post referenced a joint operation between IndoHaxSec and AZRAEL OF DEATH. The message described the activity as part of a “Pakistan Cyber Support Operation,” suggesting coordination between multiple hacktivist groups aligned around similar geopolitical narratives.

Additional posts referenced collaboration with CLOBELSECTEAM, further indicating that IndoHaxSec operates within a broader network of hacktivist actors rather than functioning in isolation. These alliance announcements demonstrate how Telegram channels are used not only to claim attacks but also to signal partnerships and reinforce a sense of collective action within the hacktivist ecosystem.

In several instances, the messaging also targeted specific countries or political actors. Posts included slogans such as “FUCK ISRAEL” and “FUCK TRUMP,” alongside lists of websites allegedly targeted during the same operation. In another message shared in the channel https://t.me/INDOHAXSEC, the group issued threats directed toward India, claiming that future attacks would target a wide range of sectors including government institutions, companies, and educational organizations.

Overall, these posts provide insight into how IndoHaxSec uses Telegram to frame its operations within a broader narrative of political or ideological conflict. The platform appears to function as the group’s primary space for announcing attacks, promoting alliances, and amplifying the narratives that accompany its activities.

Underground Forum Activity and Data Leak Distribution

In addition to its messaging presence on Telegram, IndoHaxSec also appears to use underground forums to distribute and promote leaked datasets. These forums often serve as marketplaces or public repositories where threat actors advertise stolen databases, share proof samples, or direct users to download links. Investigating these spaces provided further insight into how the group publicizes its alleged breaches and interacts with the broader cybercrime ecosystem.

One such example was identified on the forum DarkForums, where a thread titled “DATABASE 3.2K THOUSAND ISRAEL TIP INFORMATION DATABASE” was posted. The thread was attributed to a user operating under the name INDOHAXSEC, suggesting that the group itself was responsible for publishing or promoting the dataset.

The thread can be accessed through the following link:

  • https://darkforums.***/Thread*********************DATABASE

From this post, the corresponding user profile associated with the thread was identified:

  • https://darkforums.me/User-I**********C

The investigation also revealed a session identifier associated with the activity:

  • 053d1*****************************************93047

The presence of this thread suggests that IndoHaxSec uses underground forums as a distribution channel for datasets it claims to have obtained. Such forums provide visibility among cybercrime communities while also allowing actors to promote their operations to a wider audience.

Another dataset advertisement linked to the group was discovered on the forum BreachStars. In this case, the post referenced a database described as “169,045 Database of the Israeli Traffic Department.” The post was attributed to a user named INDOHAXSECTEAM, which appears to be another variation of the group’s name used across platforms.

The associated user profile was identified at:

  • https://breachstars.***/profile/INDOHAXSECTEAM

While the usernames differ slightly across platforms, the naming convention strongly reflects the IndoHaxSec branding observed throughout Telegram channels and other artifacts identified during the investigation.
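The handle comparison behind this observation, and behind the earlier note that @Z_BL4CK_H resembles Z BL4CK H4T, as an added example (not StealthMole's code or method). Handles are normalized and matched against group names, keeping exact containment separate from mere resemblance. The account labels, the leetspeak map and the 0.8 threshold are assumptions; the handles are the unmasked ones quoted in this report.

```python
import re
from difflib import SequenceMatcher

# Digits commonly swapped for letters in handles (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# Strength of a link: a handle that contains the group name outranks one
# that only looks similar to it.
RANK = {"contains": 2, "resembles": 1}


def normalize(handle: str) -> str:
    """Lower-case, undo leetspeak, and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", handle.lower().translate(LEET))


def classify(handle: str, brands, threshold: float = 0.8) -> dict:
    """Map each brand to 'contains' or 'resembles' for one handle.

    'contains'  : the normalized brand is a substring of the normalized handle.
    'resembles' : no containment, but the similarity ratio is >= threshold.
    Brands with neither relationship are left out of the result.
    """
    norm = normalize(handle)
    hits = {}
    for brand in brands:
        b = normalize(brand)
        if b and b in norm:
            hits[brand] = "contains"
        elif SequenceMatcher(None, norm, b).ratio() >= threshold:
            hits[brand] = "resembles"
    return hits


def link_report(observations, brands) -> dict:
    """Fold every observed name of an account into its strongest brand links."""
    report = {}
    for account, _field, value in observations:
        links = report.setdefault(account, {})
        for brand, kind in classify(value, brands).items():
            if RANK[kind] > RANK.get(links.get(brand), 0):
                links[brand] = kind
    return report


# Group names to test against (both appear in the report).
BRANDS = ["IndoHaxSec", "Z BL4CK H4T"]

# Constructed observation list: (account label, field, value). The labels are
# hypothetical; masked usernames from the report are deliberately left out.
OBSERVATIONS = [
    ("telegram-account-A", "display_name", "INDOHAXSEC"),
    ("telegram-account-A", "username", "Z_BL4CK_H"),  # historical alias
    ("telegram-account-A", "username", "hmei7"),      # in use since 2025-12-05
    ("telegram-account-B", "display_name", "The_Owner_IndoHaxSec"),
    ("telegram-account-C", "display_name", "ItaChi"),
    ("telegram-channel", "username", "Indohaxsec_Team"),
    ("darkforums-user", "username", "INDOHAXSEC"),
    ("breachstars-user", "username", "INDOHAXSECTEAM"),
]

if __name__ == "__main__":
    for account, links in link_report(OBSERVATIONS, BRANDS).items():
        print(f"{account:20} {links or 'no name-based link'}")
```

A "contains" result shows shared branding only and a "resembles" result is weaker still; neither confirms that two accounts are run by the same people.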

Together, these forum posts illustrate how IndoHaxSec extends its activity beyond social messaging platforms. Telegram channels appear to be used to promote attacks and share announcements, while underground forums provide a space where datasets can be distributed or advertised to audiences already engaged in cybercrime communities. This combination of messaging platforms and forum activity reflects a common pattern among hacktivist groups seeking both publicity and recognition for their operations.

Conclusion

This investigation set out to better understand the online footprint of IndoHaxSec by tracing the group’s presence across multiple digital platforms. Through analysis of artifacts collected from StealthMole monitoring tools, Telegram channels, underground forums, and related communication platforms, the investigation reveals a hacktivist collective that maintains a distributed but visible online ecosystem.

IndoHaxSec’s activity appears to revolve around a combination of messaging, attack claims, and data leak promotion. Telegram channels serve as the central point where the group announces operations, shares ideological narratives, and promotes links to external platforms hosting datasets or forum threads. Underground forums such as DarkForums and BreachStars provide an additional layer where data attributed to the group is advertised and distributed.

The group’s messaging frequently references geopolitical issues, particularly those connected to the Israel–Palestine conflict, while also directing rhetoric toward other countries and political actors. Alliance announcements involving groups such as HaxChipper, AZRAEL OF DEATH, and CLOBELSECTEAM further suggest that IndoHaxSec operates within a broader ecosystem of loosely connected hacktivist collectives.

While the investigation uncovered a wide range of artifacts associated with the group, the nature of hacktivist activity makes it difficult to determine the precise scale or authenticity of every claim. Some attacks may be genuine compromises, while others may represent exaggeration, reposted leaks, or activity carried out by affiliated actors rather than a single coordinated organization.

Nevertheless, the collection of digital traces identified during this investigation provides a clearer picture of how IndoHaxSec maintains its online presence, promotes its operations, and positions itself within the evolving landscape of hacktivism.

Editorial Note

Investigations into hacktivist groups rarely produce a complete or definitive picture of the actors involved. Online identities shift, channels disappear or reappear under new names, and claims of responsibility may be exaggerated or shared between loosely connected participants. As a result, attribution in these environments often remains fluid.

The IndoHaxSec case illustrates how piecing together fragments from multiple sources (monitoring tools, messaging platforms, and underground forums) can help reveal patterns that might otherwise remain hidden. By navigating these fragmented digital spaces, platforms like StealthMole enable investigators to connect disparate signals and better understand how emerging hacktivist groups operate within the broader cyber threat landscape.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Inside RasCorp Group: Tracing a Ransomware Alliance within THE PERSEPHONE Network

Ransomware operations rarely function as isolated entities. In many cases, they emerge through loosely organized networks where individuals contribute different capabilities, ranging from malware development and infrastructure management to recruitment and operational coordination. Communication platforms such as Telegram have increasingly become central to these ecosystems, allowing actors to promote tools, recruit collaborators, and coordinate activities across dispersed communities.

During routine monitoring of Telegram discussions related to hacking and cybercrime, references to a group identifying itself as RasCorp Group, also described as the Ransomware Corporation Group, began to surface across several channels. Initial observations suggested that the group was actively promoting itself as a ransomware-focused operation while seeking individuals with expertise in malware development, networking, and infrastructure management.

At first glance, RasCorp appeared to operate primarily through Telegram-based communication channels where announcements, recruitment messages, and partnership statements were shared. However, further examination revealed that the group’s activities were not limited to a single channel or actor. Mentions of RasCorp appeared alongside references to other cyber groups and tooling developers, hinting at a broader network of collaborators operating within the same environment.

This raised important questions about the structure and capabilities of RasCorp: was the group simply promoting itself as a ransomware collective, or was it part of a larger ecosystem involving multiple actors and supporting tools? To answer this, the investigation focused on mapping the Telegram channels, identifying the key personas involved, and examining how RasCorp positioned itself within a wider network of cyber actors.

Incident Trigger and Initial Investigation

The investigation into RasCorp Group originated during the earlier analysis of THE PERSEPHONE platform, which revealed a collaborative environment involving multiple actors. While examining the structure of the Persephone website and the groups referenced within it, RasCorp Group appeared alongside VFVCT and ClayRat, suggesting that the platform was supported by more than one organization operating within the same ecosystem.

To better understand RasCorp’s role within this alliance, further analysis was conducted using StealthMole’s Telegram Tracker, which indexes conversations and activity across Telegram channels commonly used by cyber actors. Searching for references to “RasCorp” revealed several messages across different channels, including those already linked to VFVCT. These messages included recruitment announcements, partnership statements, and references to dedicated RasCorp communication channels.

One such announcement described a strategic alliance between three groups: CrackRat Zone Clay, RasCorp Group, and VFVCT (V For Vendetta Cyber Team). The message outlined the intended roles of each participant, presenting CrackRat Zone Clay as developers of multifunctional tools, RasCorp as responsible for business operations and coordination, and VFVCT as contributing operational and strategic capabilities.

The announcement also listed the Telegram channel associated with RasCorp:

  • https://t.me/rascorp************n

Because this channel appeared to serve as a central communication hub for the group, it became the starting point for deeper investigation into RasCorp’s structure, the individuals involved in managing the channel, and the activities promoted within its ecosystem.

RasCorp Communication Channels and Recruitment Activity

Following the identification of the RasCorp Telegram channel, further examination focused on understanding how the group used the platform to promote its activities and interact with potential collaborators. The channel https://t.me/rascorp********n, titled RascorpBusinessGentlemen, appeared to function as the primary communication hub for the group.

The channel description referenced RasCorp Group and included a contact bot, @Rascor***t, indicating that the platform was intended to facilitate direct interaction with individuals interested in the group’s operations. Posts within the channel and related discussions revealed that RasCorp actively promoted recruitment efforts, inviting individuals with technical expertise to participate in ransomware-related activities.

One recruitment message circulated within associated Telegram discussions stated that the group was seeking members with skills in malware development, networking, infrastructure management, and scripting, particularly those experienced with ransomware operations. The message also directed interested individuals to contact specific Telegram accounts for further discussion. Among the listed contacts were @jd*****929, identified as a RasCorp administrator, and @clay*****es, described as a business lead associated with the group.

In addition to the RasCorp channel itself, the recruitment messages referenced other channels connected to the alliance, including CrackRat Zone Clay (https://t.me/cr********y) and the VFVCT backup channel. These references indicated that RasCorp operated within a network of interconnected Telegram channels rather than relying on a single communication point.

The recruitment messaging and channel structure suggested that RasCorp was attempting to position itself as an organized ransomware operation capable of attracting collaborators with specialized skills. By maintaining Telegram channels and automated contact mechanisms, the group appeared to be building a communication infrastructure designed to facilitate coordination and expansion of its activities within the broader cyber underground.

Identifying Key Personas within RasCorp

Further analysis of the RasCorp Telegram channel led to the identification of several accounts associated with the group’s operations. One of the most prominent personas was the Telegram user @jd********929, who appeared to play an administrative role within the RasCorp ecosystem.

Using StealthMole’s historical indexing capabilities, the account’s previous profile data was examined to understand its activity over time. Historical records showed that the account had changed its username and profile images multiple times, indicating periodic efforts to modify its online identity.

Earlier identifiers linked to the account included the username @so******01, observed in records from October 2025, where the profile image depicted a hooded figure commonly associated with hacker-themed imagery. In earlier records from January 2025, the account used the username @Va*****92, accompanied by a profile image showing a screenshot of a website defacement page.

The defacement image referenced a message attributed to Cyber Virus, displaying text indicating that a website had been encrypted by the attacker. While the context of the image could not be independently verified, its presence within the account’s historical profile suggested an association with hacking or defacement-related communities.

Additional examination of the account’s activity across Telegram revealed participation in several unrelated channels. In one community, the user discussed bringing experienced individuals into a ransomware team, further reinforcing the account’s apparent involvement in RasCorp’s recruitment efforts. In other channels, the account engaged in discussions about credential lists and online account combinations, including requests for Eneba account combos.

Overall, the account’s historical identity changes, hacking-themed imagery, and recruitment-related messaging suggested that @jd******929 was likely an active participant in RasCorp’s Telegram ecosystem, potentially contributing to the group’s efforts to recruit collaborators and promote ransomware-related activities.

Links to ClayRat Tooling

During the analysis of RasCorp’s Telegram ecosystem, additional connections emerged linking the group to an actor operating under the username @clay******s. This account had already been referenced in recruitment announcements associated with RasCorp and VFVCT, where it was described as a business lead involved in the alliance. To better understand this role, further investigation was conducted into the activity and historical identifiers associated with the account.

StealthMole’s historical indexing revealed that the account previously operated under the username @cr****t, recorded in January 2026, and displayed the name GhostDroid in earlier records. The earlier username appeared to reference RAT (Remote Access Trojan) tooling, which prompted further examination of the account’s activity across Telegram channels.

Monitoring the account’s activity showed that @clay**********s was particularly active in a community channel titled OFFICIAL YASHVIR GAMING CHAT. Within this channel, the user frequently shared images and discussions related to a tool referred to as G-700 RAT. Screenshots circulated by the user appeared to show an operator interface for the tool, including panels for managing clients and controlling various functions typically associated with remote access malware.

In addition to promoting the RAT tool, the user also posted messages announcing the launch of the G-700 RAT, indicating that the tool was being introduced or distributed within the community. Other messages attributed to the account referenced credential data, including offers to provide NowTV account logs, suggesting involvement in credential-sharing or data trading discussions commonly observed within underground communities.

The presence of the @clay**********s account within both RasCorp recruitment announcements and channels discussing RAT tooling highlighted the role of specialized tooling within the broader ecosystem. Rather than operating as an isolated developer, the account appeared to occupy a position where malware promotion, credential-related discussions, and collaboration with RasCorp and VFVCT intersected within the same Telegram environment.

Operational Structure and Alliance Dynamics

The artifacts identified during the investigation suggest that RasCorp Group does not operate in isolation but instead forms part of a broader collaborative structure involving multiple actors with complementary roles. Messages circulated across the Telegram channels referenced an operational alliance between RasCorp, VFVCT, and CrackRat Zone Clay, describing the partnership as a coordinated effort combining different capabilities within the cyber ecosystem.

According to the announcement observed during the investigation, each participant in the alliance appeared to contribute a distinct role. CrackRat Zone Clay was described as providing advanced multifunctional tools, while RasCorp Group was positioned as responsible for business operations and coordination. Meanwhile, VFVCT (V For Vendetta Cyber Team) was presented as contributing strategic and operational capabilities. This distribution of responsibilities suggested an attempt to structure the collaboration in a way that combined technical tooling, operational planning, and organizational coordination.

The presence of separate Telegram channels for each group, along with cross-references between them, reinforced the idea that these actors were operating within a shared ecosystem rather than as independent entities. Recruitment messages circulated within the network frequently directed interested individuals toward RasCorp contacts, while tooling-related announcements were associated with channels connected to CrackRat Zone Clay.

This structure indicates that the alliance was designed to integrate different functions of cyber operations, from tool development and recruitment to operational coordination. Within this arrangement, RasCorp appeared to position itself as a coordinating entity responsible for managing relationships and facilitating collaboration among participants within the broader network.

Conclusion

The activity surrounding RasCorp Group illustrates how ransomware-oriented operations can emerge within loosely structured online ecosystems rather than through a single centralized organization. The group’s presence across Telegram channels, recruitment announcements, and alliance messaging suggests an effort to position RasCorp as a coordinating entity capable of attracting collaborators with different technical capabilities. By presenting itself as responsible for the “business” and coordination aspects of operations, RasCorp appears to focus on building relationships and organizing participants rather than developing tools or conducting attacks independently.

At the same time, the connections identified with actors involved in malware tooling and credential trading highlight how such ecosystems often overlap with broader underground communities. Individuals active in hacking forums, gaming chats, and credential-sharing spaces can gradually transition into more organized cyber operations, bringing with them both tools and contacts from those environments. Within this context, RasCorp’s recruitment messaging and alliance formation may represent an attempt to formalize these relationships into a more structured ransomware-oriented collaboration.

Viewed in this light, RasCorp is less notable for a specific attack or dataset and more significant as an example of how cyber groups attempt to organize themselves in the early stages of operation. Monitoring these emerging networks, particularly those built around recruitment and partnerships, can provide valuable insight into how future ransomware or cybercrime campaigns may develop.

Editorial Note

Investigations into cyber actors operating across online communities rarely provide complete visibility into every aspect of their operations. Identities, infrastructure, and affiliations can change quickly, and participants may intentionally obscure their roles within collaborative networks. For this reason, attribution should be treated as an evolving assessment rather than a definitive conclusion. This case demonstrates how StealthMole’s monitoring capabilities can help trace connections between actors, communication channels, and tools across different layers of the cyber ecosystem, gradually revealing how such alliances take shape.


THE PERSEPHONE Ecosystem: Uncovering the Alliance Between VFVCT, RasCorp, and ClayRat

Collaboration between cyber threat actors is not uncommon. Groups with different capabilities often form temporary alliances, combining technical expertise, infrastructure, and operational reach to strengthen their campaigns. In many cases, these collaborations operate through shared platforms or coordinated communication channels, allowing participants to contribute specialized roles while presenting a unified presence to the outside world. Such arrangements can make attribution more complex, as multiple actors may be operating within the same ecosystem rather than as isolated groups.

In early 2026, traces of a platform called “THE PERSEPHONE” began appearing across online channels associated with hacking and data leak activities. At first glance, the platform appeared to function as a website hosting various datasets and announcements. However, the way the site presented itself suggested that it might represent more than a single actor’s operation. References within the platform pointed toward multiple groups and hinted at a broader collaborative structure behind the scenes.

This raised an important question: was THE PERSEPHONE simply another leak site, or was it part of a coordinated ecosystem involving several actors working together? To answer this, the investigation focused on mapping the infrastructure, communications, and identities connected to the platform. What initially appeared to be a straightforward leak portal gradually revealed signs of a more structured collaboration, where different groups appeared to contribute distinct roles within the same operational environment.

Incident Trigger and Initial Investigation

The investigation into THE PERSEPHONE began when StealthMole’s Leaked Monitoring tool indexed several newly posted datasets associated with the name on 5 March 2026. The indexed entries pointed to a publicly accessible website hosting multiple files and announcements under the same banner. The platform was located at:

  • https://thepersephone.*****.org/?i=1

At first glance, the page appeared to function as a simple leak repository where datasets were organized and made available for download. Several entries were visible on the page, including files labeled “israel_citizen_database.csv”, “CANVA”, and “PORN WEBSITE LOGS.” The presence of multiple datasets suggested that the site was being used to publish and promote breach data in a structured manner.

A closer look at the website revealed that it introduced itself as a prototype platform named THE PERSEPHONE. In addition to listing leaked datasets, the site also contained introductory messages and operational guidelines, including statements outlining which types of organizations the operators claimed not to target. These elements resembled the structure commonly seen on leak portals used by cyber threat actors to showcase breaches and distribute stolen data.

Because the website appeared to be the central location where the datasets were being hosted, it became the starting point for further investigation. The domain https://thepersephone.******.org/ was subsequently analyzed using StealthMole’s tracking capabilities to determine whether the platform had been referenced elsewhere across underground forums or messaging channels.

This pivot quickly produced a relevant lead. A thread on BreachForums titled “1 million Netflix accounts have been leaked by the V for Vendetta cyber team” referenced the same domain and described it as “our website.” The thread was posted by the user VFVCT, who had joined the forum in March 2026. The mention of the Persephone domain within the forum post suggested that the leak platform might be connected to the group identifying itself as the V For Vendetta Cyber Team (VFVCT).

  • https://breachforums.**/Thread-1-******V-for-Vendetta-cyber-team

The appearance of the same website in both the indexed leak listings and the BreachForums post raised the possibility that the platform was being actively promoted by the actors responsible for the leaks. This discovery prompted further investigation into the infrastructure and communication channels linked to the Persephone site in order to identify the groups operating behind it.

Tracing the Communication Infrastructure

Following the discovery of the Persephone website and its reference within the BreachForums thread, the investigation shifted toward identifying communication channels where the platform might be promoted or discussed by the actors themselves. The domain https://thepersephone.******.org/ was therefore queried through StealthMole’s Telegram Tracker, which indexes Telegram messages and channel content for investigative analysis.

This pivot revealed a private Telegram group titled Project_Vendetta, accessible through the invitation link:

  • https://t.me/+fyA*********Bl

The group’s description referenced “V For Vendetta Cyber Team” and listed several contact points, including the Telegram bot @vfvct**** and the email addresses vfvct@****** and vfvct*****@*******.

The same description also pointed to another Telegram channel associated with the group:

  • https://t.me/+tKk**********Y9

Monitoring activity within the Project_Vendetta group revealed messages where participants directly referenced the Persephone website. In one instance, the domain https://thepersephone.******.org/ was shared within the group chat, indicating that the platform was actively circulated among members of the channel. Additional messages contained discussions related to hacking activities, recruitment, and geopolitical commentary, suggesting that the group functioned as a coordination space for the actors involved.

The presence of the Persephone domain within this Telegram group strengthened the link between the leak platform and VFVCT, indicating that the website was not operating in isolation but was instead connected to a broader communication infrastructure maintained by the group. The discovery of these channels provided a new direction for the investigation, allowing further analysis of how the actors organized their activities and interacted with collaborators across the Telegram ecosystem.

Expanding the Telegram Network

Further examination of the Telegram infrastructure linked to VFVCT revealed another channel associated with the group. The channel presented itself as a backup channel for the V For Vendetta Cyber Team. The channel description reiterated the same contact information observed earlier, reinforcing its connection to the same operational ecosystem.

  • https://t.me/+tKk***********Y9

Activity within the channel provided additional insight into how the group communicated announcements and coordinated activities. Several posts referenced ongoing operations, recruitment efforts, and upcoming data releases. In one message, the operators announced the existence of a dedicated database-sharing channel, stating that datasets would be distributed through:

  • https://t.me/DbShare************a

The same message indicated that a VFVCT database release was planned for the end of Ramadan, suggesting that the group used Telegram not only for communication but also for scheduling and promoting future leak activities.

Other posts contained statements outlining the group’s adversarial stance toward several governments. One message described a campaign targeting South Korea, India, and Indonesia, claiming possession of large datasets associated with each country. While the claims themselves could not be independently verified at the time of investigation, the language and messaging style were consistent with the rhetoric often used by hacktivist-oriented groups attempting to frame their operations as politically motivated campaigns.

The presence of these announcements and operational messages demonstrated that the Telegram channels served as a primary communication layer for the actors behind the Persephone platform. Rather than being limited to leak announcements, the channels functioned as a space for recruitment, messaging, and coordination, providing further visibility into the ecosystem surrounding the platform.

Identifying Additional Infrastructure and Contact Channels

Continued monitoring of messages within the VFVCT Telegram channels revealed further references to infrastructure and contact methods used by the group. Several posts shared links and identifiers that appeared to support the group’s operations beyond Telegram itself.

One such reference pointed to a GitHub Pages site:

  • https://******.github.**/******/

In a message shared within the channel, this site was described by the actors as part of their DLS (data leak site) or ransomware-related infrastructure. While the domain is hosted through GitHub’s static website service, the link was circulated by the actors themselves as an operational resource connected to their activities.

Additional references surfaced during the monitoring of the channel’s historical messages. Some posts promoted collaboration opportunities and invited individuals with technical expertise to participate in ransomware operations. In one instance, a message encouraged interested participants to contact the group through vfvct@******.** regarding potential ransomware partnerships. These posts suggested that the actors were actively seeking individuals with skills in malware development, networking, or infrastructure management.

The Telegram channels also contained branding elements used by the group. Among them was a logo associated with the V For Vendetta Cyber Team, featuring imagery consistent with hacktivist-style symbolism. Such visual elements are commonly used by cyber groups to establish recognizable identities across multiple platforms.

Understanding the Role of THE PERSEPHONE Platform

While the Telegram channels clearly demonstrated the involvement of VFVCT, an important question remained: what exactly was the role of THE PERSEPHONE itself? To better understand the platform, the investigation returned to the website:

  • https://thepersephone.******.org/

A closer examination of the site revealed that it was not presented as the project of a single group. Instead, the landing page prominently displayed references to three separate actors: VFVCT, RasCorp Group, and ClayRat. The page introduced THE PERSEPHONE as a shared platform associated with these groups and described their cooperation under the banner of “United Cyber Operations.”

This presentation suggested that THE PERSEPHONE functioned as a collaborative leak platform rather than the independent operation of one threat actor. The site included several sections containing introductory messages, operational rules, and lists of datasets attributed to different actors participating in the ecosystem. In this structure, the platform appeared to act as a centralized location where breaches and announcements could be published collectively.

Among the entries visible on the site were datasets such as “israel_citizen_database.csv”, alongside other leak announcements attributed to actors connected with the ecosystem. Each entry included brief descriptions and timestamps indicating when the data had been published. The presence of multiple datasets under a single platform reinforced the idea that the site was intended to aggregate leaks from the participating groups.

Identifying the Administrator Behind the VFVCT Channels

As the investigation progressed through the Telegram infrastructure linked to VFVCT, attention turned toward identifying the individuals responsible for managing the channels and coordinating communication within the ecosystem. Monitoring activity within the Project_Vendetta group and related channels revealed repeated references to a Telegram account operating under the username @D*********a.

The account, displayed under the name “Diablo Gato,” appeared to play an administrative role within the VFVCT communication network. Messages circulated within the channels often directed potential collaborators or interested participants to contact this account, suggesting that it functioned as one of the primary points of contact for the group.

To better understand the history of this account, StealthMole’s historical indexing feature was used to review earlier records associated with the profile. The historical data showed that the account had undergone multiple changes in both username and profile images, indicating attempts to periodically modify its online identity. Among the earlier identifiers linked to the account was the username Elisha24, which appeared in archived records dating back to October 2024.

Further examination of the account’s activity across Telegram revealed that it was present in multiple channels related to hacking communities and cyber discussions. In at least one of these channels, RipperSec Chat, the account claimed to be located in Malaysia and communicated using the Malay language in certain exchanges. While such claims cannot be independently verified, they provide contextual clues regarding the persona behind the account.

The account’s presence across several Telegram communities, combined with its role as a contact point within VFVCT channels, suggested that @D********a was likely involved in coordinating aspects of the group’s activities or managing communications within the broader ecosystem surrounding THE PERSEPHONE platform.

Additional Communication Channels and Operational Artifacts

Further monitoring of the VFVCT Telegram channels uncovered additional artifacts that appeared to be associated with the group’s broader communication and operational infrastructure. Among the identifiers shared within the channels was a Tox ID, the address format of Tox, a decentralized messaging protocol often used by threat actors seeking anonymous peer-to-peer communication. The identifier observed during the investigation was:

  • 3574*****************************************************48

The presence of this identifier indicated that the actors maintained communication options beyond Telegram, potentially enabling direct contact with collaborators through encrypted channels that do not require centralized services.

Another artifact identified during the investigation was a Session messenger ID:

  • 0558************************************************57e

Session is an encrypted messaging platform that routes communication through decentralized networks, providing an additional layer of anonymity. Its use is frequently observed among cyber actors who seek to avoid reliance on mainstream communication platforms.
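For analysts triaging identifiers like the two above in collected channel text, this added example (not part of the original report or of StealthMole's tooling) extracts Tox and Session IDs and checks the Tox checksum. The format details (a 76-hex-character Tox ID ending in a 2-byte XOR checksum, a 66-hex-character Session ID prefixed with 05) come from the public protocol documentation rather than from the report, and every sample value is constructed.

```python
import re

# Hex runs of exactly the right length; lookarounds reject longer hex blobs.
TOX_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")
SESSION_RE = re.compile(r"(?<![0-9A-Fa-f])05[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


def tox_checksum(body: bytes) -> bytes:
    """XOR the 36-byte body (32-byte public key + 4-byte nospam) in 2-byte pairs."""
    check = [0, 0]
    for i, b in enumerate(body):
        check[i % 2] ^= b
    return bytes(check)


def is_valid_tox_id(candidate: str) -> bool:
    """True only when the candidate is 38 bytes of hex with a matching checksum."""
    try:
        raw = bytes.fromhex(candidate)
    except ValueError:
        return False
    return len(raw) == 38 and tox_checksum(raw[:36]) == raw[36:]


def extract_messenger_ids(text: str) -> list[dict]:
    """Return Tox and Session IDs found in free text, normalized for deduplication."""
    findings = []
    for m in TOX_RE.finditer(text):
        findings.append({
            "type": "tox",
            "value": m.group().upper(),
            # A failed checksum usually means a typo, truncation or a random hex blob.
            "checksum_ok": is_valid_tox_id(m.group()),
        })
    for m in SESSION_RE.finditer(text):
        findings.append({"type": "session", "value": m.group().lower()})
    return findings


def constructed_sample() -> str:
    """Build constructed sample text; none of these values appear in the report."""
    body = bytes(range(32)) + b"\x00\x00\x00\x01"       # constructed key + nospam
    good_tox = (body + tox_checksum(body)).hex().upper()
    bad_tox = good_tox[:-1] + ("0" if good_tox[-1] != "0" else "1")
    session = "05" + "ab" * 32                          # constructed Session ID
    return (
        f"contact tox: {good_tox}\n"
        f"old tox (mistyped): {bad_tox}\n"
        f"session: {session}\n"
        "masked: 3574****48\n"                          # masked values never match
    )


if __name__ == "__main__":
    for finding in extract_messenger_ids(constructed_sample()):
        print(finding)
```

Masked identifiers such as those printed in this report are skipped because the asterisks break the hex run, so the extractor only returns values that can actually be pivoted on.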

In addition to these messaging identifiers, references were also found to a separate website:

  • https://d********s.w******.net

The domain appeared to be hosted through a free web hosting provider, suggesting that it may have been used as a temporary or experimental resource by the actors. Such disposable infrastructure is commonly employed by cyber groups to host content, test tools, or distribute materials without maintaining long-term infrastructure.

Taken together, these artifacts indicated that the ecosystem surrounding THE PERSEPHONE extended beyond the visible leak platform and Telegram channels. Instead, the actors appeared to maintain a layered communication environment, incorporating multiple messaging protocols and externally hosted resources to support coordination and outreach within their network.

Conclusion

The investigation into THE PERSEPHONE began with the discovery of a leak website hosting multiple datasets under a single platform. What initially appeared to be a standalone leak portal gradually revealed a more complex structure as additional artifacts were identified across Telegram channels, underground discussions, and supporting infrastructure. Rather than representing the operation of a single group, the evidence indicated that THE PERSEPHONE functioned as a shared platform within a broader collaborative ecosystem.

Analysis of the website content and associated communications showed that VFVCT, RasCorp, and ClayRat were all referenced within the same operational environment. The platform appeared to serve as a central location where datasets and announcements could be published collectively, while Telegram channels, particularly the ones belonging to VFVCT, provided the communication layer used for recruitment, coordination, and promotion of activities.

Further investigation into the communication infrastructure revealed multiple identifiers connected to the ecosystem, including Telegram channels, bot accounts, messaging identifiers, and externally hosted resources. These artifacts illustrated how the actors maintained a distributed communication environment, relying on several platforms to coordinate activities and engage with potential collaborators.

Overall, the findings suggest that THE PERSEPHONE operates less as an independent threat actor and more as a collaborative hub, bringing together multiple groups that contribute different capabilities to the broader operation. By examining the infrastructure, communication channels, and identities surrounding the platform, the investigation provides insight into how such alliances can function within the cyber threat landscape and how shared platforms can enable coordinated activity among otherwise separate actors.

Editorial Note

Investigations involving cyber actors operating across multiple platforms rarely provide complete visibility into every aspect of an operation. Online identities, infrastructure, and affiliations can change quickly, and actors often obscure their roles within collaborative environments. As a result, attribution should be approached cautiously and treated as an evolving assessment rather than a final conclusion.

This case highlights how StealthMole’s monitoring capabilities can connect seemingly separate indicators, allowing analysts to trace relationships across different layers of an ecosystem and better understand how coordinated cyber operations take shape.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com
