From the Darkweb to Discord: Mapping the DragonForce Malaysia (DFM) Network
At first glance, the names DragonForce and DragonForce Malaysia (DFM) might seem like two heads of the same cyber beast, an assumption that many, including media outlets, have made. However, a deeper dive into Telegram channels, leaked crypto addresses, social media footprints, and dark web chatter reveals a different reality.
While the global “DragonForce” name is often tied to ransomware and financially motivated attacks, DragonForce Malaysia publicly distances itself from such operations, claiming ideological motives over monetary gain. Yet, this investigation uncovers a complex network of overlapping handles, possible collaborations with other hacktivist collectives, and traces leading from Facebook pages to Zone-H defacements, underground radio streams, and Discord threads.
What starts as a case of mistaken identity soon unfolds into a web of affiliations, denials, and digital fingerprints, some pointing toward ideological activism, others toward more opportunistic ventures.
Background
The confusion between DragonForce and DragonForce Malaysia (DFM) reached a peak in mid-2024 when several international reports linked a string of ransomware incidents to the Malaysian group. In response, DFM issued an official statement via their Telegram channel (t.me/dr********o), strongly denying any involvement with “DragonForce Ransomware” and emphasizing the ideological nature of their activities.
In their statement, DFM stressed that their objectives stand in direct contrast to those of financially motivated ransomware actors. They described themselves as self-funded, not sponsored by any entity, and firmly against “dishonorable and irresponsible” attacks. Their message framed their campaigns as a fight against oppression, not a pursuit of personal gain, warning followers to be wary of “false flags” designed to discredit the group.
This public clarification, however, did not erase the overlapping digital traces between DFM-branded assets and online activity involving known hacktivist collaborators and infrastructure commonly used in cybercrime operations. From Telegram handles with shifting aliases to cross-posted media on Facebook, Zone-H, and Discord, the group’s online presence continues to straddle the blurry line between ideological activism and operations with broader cyber threat implications.
A Familiar Name, A Different Beast
The trail began with what looked like a routine follow-up on another DragonForce investigation. At first glance, the branding and rhetoric seemed identical, suggesting that “DragonForce Malaysia” was simply a local extension of the broader DragonForce hacktivist brand. But as the digging began, subtle differences emerged - differences that would soon confirm we were dealing with a separate entity altogether.
Using StealthMole’s Dark Web Tracker on a DragonForce related search, a new domain surfaced: dr*******.**. The domain was tied to an Eid poster carrying the DragonForce Malaysia name, complete with the group’s insignia and a list of their social media platforms. This was more than just a random domain hit - the poster itself anchored the domain to DFM’s identity, offering the first tangible link between their public-facing propaganda and a controlled digital asset.
The social links displayed on the poster opened the first doors into their network. Each link was a potential pivot: some active, some dormant, others already suspended. This moment, the identification of the domain and its accompanying propaganda, became the true starting point of the investigation into DragonForce Malaysia.
From a Poster to a Network
With dr*****.** confirmed as part of DFM’s ecosystem, the next step was to examine what the domain could reveal when put through StealthMole’s tracking tools. The results were immediate and substantial.
A scan tied to the domain surfaced 59 email addresses, with dr**************g@gmail.com standing out as the most likely operational account, its naming and context suggesting direct group usage rather than an impersonator. Alongside the emails were 4 Bitcoin wallets and 23 Ethereum addresses, providing potential financial markers for tracking incoming or outgoing funds. While the group’s stated position is that they are self-funded and ideologically driven, the existence of multiple cryptocurrency wallets remains a relevant detail for future attribution and transaction monitoring.
The same analysis also uncovered a mixed picture of their social media presence. Some accounts such as twitter.com/id_b******t and twitter.com/l*******t were still active, while others, including @dr******o and @dr******o, had already been suspended. On Facebook, the investigation found both a public-facing page (fb.me/dr*******o) and a private account (fb.me/dr*****.**), as well as a Session ID linked to the domain:
- 0541******************************************8
At this stage, DFM’s network appeared broad and highly distributed, spanning multiple platforms, redundant accounts, and a variety of crypto assets. What began as a single propaganda poster had already unfolded into a complex web of contact points and operational leads.
Telegram: The Heart of the Web
Pivoting from the dr*****.** domain into Telegram uncovered one of DFM’s most active and revealing spaces. StealthMole’s tracker linked the domain to an extensive network of 131 Telegram channels. These ranged from broad propaganda outlets to niche operational groups, suggesting a deliberate segmentation of their audience and content streams.
The mapping also revealed embedded GPS coordinates within the domain’s Telegram data, a rare but valuable artifact. While it remains unclear if the coordinates correspond to a meaningful operational location or were intentionally planted as a diversion, their presence underlines the potential for geospatial tracking in future investigations.
Within this ecosystem, the group’s own channels became a tool for internal damage control. A post on the official t.me/dr******o warned followers about scammers misusing the DragonForce Malaysia name, an issue already hinted at on the group’s Facebook channel. This warning aligned with another discovery from their associated radio.dr*****.** site, which linked to a forum thread (/threads/****s-s*****r-me********n-***a-dragonforce-malaysia.14484/) explicitly naming and denouncing impostors.
DFM’s Telegram content also revealed the group’s shifting focus and longevity. On Instagram, one of the social platforms linked from Telegram, their earliest archived post dates back to October 2021, while the most recent, from just five weeks prior to this investigation, warned about a “Modus Operandi Baru: AI Scam.” The post urged followers to remain alert as scammers adopt AI-generated personas to impersonate well-known figures or authorities.
By this stage, the pattern was becoming clear: DFM invests heavily in controlling its narrative within its follower base. Telegram is not just a platform for public campaigns, but also a space for managing brand trust, addressing impersonation, and reinforcing their ideological stance.
Following the Threads: Cross-Platform Traces
From Telegram, the investigation took a turn into cross-platform territory, where scattered leads began to connect through usernames, IP data, and hidden service endpoints.
A notable find emerged from a Telegram channel (t.me/b********a), where a Facebook profile screenshot was shared and flagged as fake. The profile carried the alias “B*****a,” a name tied to other hacktivist activity, including the “B***** S*****t” ransomware-linked persona. While the poster claimed the account was an impersonator, its circulation within DFM-linked spaces suggested the group considered it relevant enough to monitor.
Pivoting on the fake profile uncovered an IP resolution to 1**.**0.***.*5, registered to Facebook infrastructure in South Korea. While this matched legitimate platform hosting, StealthMole queries linked the IP to three exposed .onion server-status pages. Although it remains possible these overlaps are coincidental or due to shared infrastructure, the presence of Tor hidden services tied to the same IP range is unusual and merits further monitoring for potential exploitation or operational crossover.
Meanwhile, continued tracking of the group’s domain disclosed 4 BTC and 28 Ethereum addresses, cementing these as confirmed components of DFM’s operational footprint. These assets are now part of the broader indicator set for monitoring potential financial activity tied to the group.
Other digital pivots expanded into unexpected areas, such as the discovery of an e-sports channel linked to the DFM name. While its direct connection to core hacktivist operations is unconfirmed, it illustrates the brand’s reach into non-traditional spaces, potentially for recruitment or reputation-building.
The cross-platform picture now revealed DFM as an actor whose online presence isn’t confined to one ecosystem. Instead, it spreads across Telegram, Facebook, hidden services, and cryptocurrency networks, each platform offering a different piece of the operational puzzle.
Allies, Identities, and Shifting Fronts
While mapping the broader DragonForce Malaysia (DFM) network, one Telegram profile stood out for its repeated appearance in multiple contexts — ID 1*********1, known under different aliases over time. In the latest snapshot dated 2024-02-05, the account displayed the name "MR.D #Tor************y🧅🐧👨💻" with the last name field set to «🕉️ में एक अघोरी शिव भक्त हूं🔱» (translation: “I am a devotee of Aghori Shiva”), and the username @Dr*************a_T********on.
Earlier captures linked the same account to other handles, including @C**********5 and the name "DI******R //_->#*H Ş*****W LÎÑÜX", at times paired with the Malaysian phone number +60 1**********2. The shifting identities, from overtly DFM-branded usernames to more generic hacker-themed monikers, suggest either deliberate obfuscation or multi-affiliation activity.
The iconography used across these identities often merges imagery from multiple hacktivist collectives. In one profile picture, the face is overlaid with emblems of both DragonForce Malaysia and Hacktivist of Garuda, framed with the text “OPS BADAI,” a likely reference to a coordinated campaign. This blending of brands complicates attribution, as it visually aligns the account with both regional and cross-national hacktivist entities.
While it remains unclear whether this individual is a core member of DFM or an opportunistic actor leveraging their name for influence, their presence connects to other datasets in this investigation including prior Facebook-linked material, Zone-H defacement archives, and Discord activity, placing them within the broader operational orbit of actors sympathetic to DFM’s campaigns.
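The alias tracking described in this section can be reproduced by keying every capture on the numeric account ID rather than on the handle or display name. The following is an added example, not StealthMole tooling or code from the investigation; the snapshot rows, the `examplecrew` brand token and all function names are constructed for illustration.

```python
import unicodedata
from collections import defaultdict

# Constructed snapshots (not data from the investigation): one row per capture
# of a Telegram profile. user_id is the numeric account ID, which survives renames.
SNAPSHOTS = [
    {"seen": "2022-08-14", "user_id": 1000000001,
     "username": "ExampleCrew_Ops", "name": "EXAMPLE ŞHÄDÖW LÎÑÜX"},
    {"seen": "2023-03-02", "user_id": 1000000001,
     "username": "GenericHax05", "name": "Example Shadow Linux"},
    {"seen": "2024-02-05", "user_id": 1000000001,
     "username": "ExampleCrew_Tor", "name": "MR.X #Tor"},
    {"seen": "2024-02-05", "user_id": 2000000002,
     "username": "unrelated_user", "name": "Someone Else"},
]


def fold(text):
    """Strip diacritics and case so stylised spellings compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def alias_timelines(snapshots):
    """Group captures by numeric ID; record first/last sighting per handle."""
    by_id = defaultdict(dict)
    for snap in sorted(snapshots, key=lambda s: s["seen"]):
        entry = by_id[snap["user_id"]].setdefault(
            snap["username"],
            {"first": snap["seen"], "last": snap["seen"], "names": set()},
        )
        entry["last"] = snap["seen"]
        entry["names"].add(fold(snap["name"]))
    return dict(by_id)


def assess(timelines, brand_tokens):
    """Flag IDs that moved between brand-tagged and generic handles."""
    report = {}
    for user_id, handles in timelines.items():
        branded = [h for h in handles
                   if any(tok in h.casefold() for tok in brand_tokens)]
        generic = [h for h in handles if h not in branded]
        names = set().union(*(e["names"] for e in handles.values()))
        report[user_id] = {
            "handles": list(handles),          # dict order = order first seen
            "distinct_names": sorted(names),   # after diacritic/case folding
            "brand_shift": bool(branded) and bool(generic),
        }
    return report


if __name__ == "__main__":
    for uid, row in assess(alias_timelines(SNAPSHOTS), ["examplecrew"]).items():
        print(uid, row)
```

A `brand_shift` flag only shows that one account used both kinds of handle; it does not distinguish deliberate obfuscation from multi-affiliation, which still needs analyst review.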
From Facebook to the Web of Links
The pivot to the Facebook ecosystem began with the active profile fb.me/dr*************o, which prominently displayed pro-hacktivist content aligned with DragonForce Malaysia’s branding. Among its shared materials was a Zone-H archive link documenting website defacements credited to DFM Tools and an individual alias “P*** M****m,” a handle that, at the time, appeared only sporadically elsewhere.
The investigation later uncovered a screenshot that provided a far stronger link between P*** M****m and DFM’s operational capabilities. The image displayed a locally run Python-based denial-of-service tool titled CyberTroopers, branded with the dr*****.** name and carrying explicit author credit to P*** M****m. The tool description referenced TCP/UDP flooding with an HTTP flood option and was tagged under #OpsPETIR CyberTroopers, a campaign identifier that may represent a coordinated operation. The screen also listed links to dr*****.**, a GitHub repository under the P***-M***m name, and the Telegram handle @dr******o, embedding the tool squarely within DFM’s infrastructure and branding.
This technical artifact aligns directly with a formal DFM operational directive dated 11 April 2023, which announced the rebranding of the group’s annual Ramadan/Syawal cyber campaign from #OpsBedil to #OpsPETIR. Addressed to “Muslim Cyber Fighters Worldwide” and other sympathizers, the circular outlined the coordination of human resources, media centers, and cyber tools to support Palestinian and Muslim causes. The language and framing positioned the operation as both an ideological mission and a structured cyber offensive, with #OpsPETIR replacing the #OpsBedil label first used in 2021.
Further scrutiny of the same profile led to the discovery of a radio streaming website linked to the group, where campaign slogans were mixed with curated playlists. While the musical content may appear innocuous, the site doubled as a subtle recruitment and morale-building platform, embedding the group’s cultural identity alongside its political messaging.
The most significant find, however, was a Discord thread connected to the Facebook account. This channel acted as a cross-border coordination point, where usernames, memes, and campaign announcements overlapped with identifiers seen in Telegram and Zone-H. The interplay between these platforms, Facebook for visibility, Zone-H for credibility in the defacement scene, niche sites for culture-building, and Discord for operational chatter, reflects a multi-layered engagement strategy designed to maintain community cohesion while expanding influence.
This interconnected web of assets reinforced the recurring theme of DFM’s digital presence: blending overt activism with infrastructure, platforms, and aliases that regularly surface in more operational or cybercrime-adjacent environments.
Attribution Assessment
Attributing activity to DragonForce Malaysia (DFM) presents inherent challenges due to their multi-alias, cross-platform operational style and the deliberate blending of identities with other hacktivist brands. Public statements from DFM portray a self-funded ideological collective, yet their network contains indicators that intersect with cybercrime-adjacent infrastructure, creating an attribution landscape clouded by both intentional and opportunistic overlaps.
The repeated appearance of certain Telegram IDs, notably those shifting between overt DFM branding and more generic hacker-themed monikers, hints at multi-affiliation behavior. Some of these aliases have been visually and contextually linked to campaigns under the Hacktivist of Garuda banner, specifically OPS BADAI, suggesting that members or affiliates operate across ideological and regional boundaries.
Cross-platform linkages reinforce this blurred picture. Handles tied to DFM appear in Zone-H defacement archives, niche Discord threads, and Facebook pages alongside actors known to engage in opportunistic disruption. The case of the “B*****a” profile, while flagged internally by DFM as fake, shows how impersonation, brand hijacking, and genuine collaboration often coexist in the same ecosystem, complicating efforts to cleanly separate allies from adversaries.
The cryptocurrency infrastructure tied to dr*****.** — 4 BTC and 28 ETH wallets — provides the clearest set of persistent, attributable indicators. Unlike usernames or avatars, wallet addresses cannot be rebranded without abandoning any stored value, making them stable identifiers for long-term monitoring.
While no conclusive evidence links DFM to ransomware operations under the broader “DragonForce” name, their operational overlap with other hacktivist collectives and shared digital infrastructure suggests an adaptable, networked entity capable of both ideological campaigns and potentially opportunistic cyber activity. This reality makes DFM less a fixed group and more a hub within a shifting coalition, where attribution must be treated as fluid and conditional on the specific campaign being examined.
Conclusion
What began as a straightforward attempt to verify the relationship between DragonForce and DragonForce Malaysia unfolded into a layered investigation spanning Telegram channels, social media accounts, cryptocurrency trails, and niche online communities. While DFM’s public narrative emphasizes ideological motives and denounces financially driven cybercrime, the group’s digital footprint tells a more complex story: one of overlapping identities, cross-collective affiliations, and infrastructure that exists at the intersection of hacktivism and cybercrime-adjacent ecosystems.
The evidence collected, from the dr*****.** domain’s crypto wallets and Session ID, to multi-platform handles pivoting between distinct hacktivist brands, shows that DFM is not an isolated entity. Rather, it operates as a node in a broader, fluid network where branding, alliances, and operational tools are shared, repurposed, and sometimes weaponized by actors with varying agendas.
This fluidity makes traditional attribution difficult, and perhaps intentionally so. Whether by design or by the nature of decentralized hacktivist culture, DFM exists in an ecosystem where ideological activism, opportunistic disruption, and brand hijacking frequently overlap. The group’s active efforts to manage its reputation, warning followers of impersonators and distancing itself from ransomware, suggest a keen awareness of the risks of misattribution, even as some of its own networks intersect with higher-risk actors.
In the end, the picture that emerges is not of a single, neatly defined adversary, but of a dynamic collective embedded in a web of alliances and shared infrastructure. Monitoring DFM will require treating them not as a fixed target, but as part of a shifting coalition whose operational reach extends beyond the boundaries of their stated ideology and possibly beyond their direct control.
Editorial Note
Attribution in the DragonForce Malaysia case is inherently complex. The group positions itself as an ideologically driven hacktivist collective, distancing itself from financially motivated cybercrime, yet its infrastructure and online footprint overlap with actors whose motives and tactics do not align with that narrative. The result is an ecosystem where genuine activism, opportunism, and impersonation coexist, making any definitive attribution a matter of mapping relationships rather than drawing hard boundaries.
This investigation leveraged StealthMole’s ability to correlate dark web, social media, and anonymized infrastructure data to follow a trail from a single propaganda poster to cryptocurrency wallets, defacement archives, hidden service endpoints, and cross-platform identities. In a landscape where hacktivist symbols can be adopted by multiple actors for divergent ends, such multi-layered visibility is critical for exposing the shifting networks that operate under a single banner.