At first glance, the names DragonForce and DragonForce Malaysia (DFM) might seem like two heads of the same cyber beast, an assumption that many, including media outlets, have made. However, a deeper dive into Telegram channels, leaked crypto addresses, social media footprints, and dark web chatter reveals a different reality.
While the global “DragonForce” name is often tied to ransomware and financially motivated attacks, DragonForce Malaysia publicly distances itself from such operations, claiming ideological motives over monetary gain. Yet, this investigation uncovers a complex network of overlapping handles, possible collaborations with other hacktivist collectives, and traces leading from Facebook pages to Zone-H defacements, underground radio streams, and Discord threads.
What starts as a case of mistaken identity soon unfolds into a web of affiliations, denials, and digital fingerprints, some pointing toward ideological activism, others toward more opportunistic ventures.
The confusion between DragonForce and DragonForce Malaysia (DFM) reached a peak in mid-2024 when several international reports linked a string of ransomware incidents to the Malaysian group. In response, DFM issued an official statement via their Telegram channel (t.me/dr********o), strongly denying any involvement with “DragonForce Ransomware” and emphasizing the ideological nature of their activities.

In their statement, DFM stressed that their objectives stand in direct contrast to those of financially motivated ransomware actors. They described themselves as self-funded, not sponsored by any entity, and firmly against “dishonorable and irresponsible” attacks. Their message framed their campaigns as a fight against oppression, not a pursuit of personal gain, warning followers to be wary of “false flags” designed to discredit the group.
This public clarification, however, did not erase the overlapping digital traces between DFM-branded assets and online activity involving known hacktivist collaborators and infrastructure commonly used in cybercrime operations. From Telegram handles with shifting aliases to cross-posted media on Facebook, Zone-H, and Discord, the group’s online presence continues to straddle the blurry line between ideological activism and operations with broader cyber threat implications.
The trail began with what looked like a routine follow-up on another DragonForce investigation. At first glance, the branding and rhetoric seemed identical, suggesting that “DragonForce Malaysia” was simply a local extension of the broader DragonForce hacktivist brand. But as the digging began, subtle differences emerged - differences that would soon confirm we were dealing with a separate entity altogether.
Using StealthMole’s Dark Web Tracker on a DragonForce-related search, a new domain surfaced: dr*******.**. The domain was tied to an Eid poster carrying the DragonForce Malaysia name, complete with the group’s insignia and a list of their social media platforms. This was more than just a random domain hit - the poster itself anchored the domain to DFM’s identity, offering the first tangible link between their public-facing propaganda and a controlled digital asset.

The social links displayed on the poster opened the first doors into their network. Each link was a potential pivot: some active, some dormant, others already suspended. This moment, the identification of the domain and its accompanying propaganda, became the true starting point of the investigation into DragonForce Malaysia.
With dr*****.** confirmed as part of DFM’s ecosystem, the next step was to examine what the domain could reveal when put through StealthMole’s tracking tools. The results were immediate and substantial.
A scan tied to the domain surfaced 59 email addresses, with dr**************g@gmail.com standing out as the most likely operational account, its naming and context suggesting direct group usage rather than an impersonator. Alongside the emails were 4 Bitcoin wallets and 23 Ethereum addresses, providing potential financial markers for tracking incoming or outgoing funds. While the group’s stated position is that they are self-funded and ideologically driven, the existence of multiple cryptocurrency wallets remains a relevant detail for future attribution and transaction monitoring.