The world of pro-Kremlin hacktivists may be shaken up by the latest move of Killmilk, the founder and de facto leader of the Killnet group, who announced on April 15 that he had to “make a difficult decision” and reveal the real-life identity of “Raty”, the head of Anonymous Russia. Anonymous Russia is a group that initially conducted distributed denial of service (DDoS) attacks in Ukraine and later joined several Killnet campaigns, becoming an associated group more tightly integrated with Killnet’s command structure. Killmilk shared what looks like a photo of a passport with some details blurred out.
The Killnet founder claimed that Raty’s real name was Arseni Yeliseyeu, an eighteen-year-old Belarusian citizen, who was arrested by the Belarusian police (around April 15 or 16) because a Belarusian operative (whose Telegram handle Killmilk also shared) was present in the group.
Killmilk then announced that he would “appoint” a new head for Anonymous Russia, a threat actor with the alias “Radis.” Anonymous Russia’s Telegram group was quickly wiped. Now it only displays a message telling readers that the channel was “liquidated” in order to deny access to “the [security] services”.
Anonymous Russia’s new Telegram channel
On Anonymous Russia’s new Telegram channel, the administrators announced two things:
- They declared a “war on CIA rats”—an expression that, in their reading, means pro-Ukrainian hacktivist groups such as the “IT Army of Ukraine”, a group of pro-Ukrainian hacktivists formed shortly after Russia’s 2022 invasion, which is specifically named in one of the channel’s messages. The mention of this trope, lifted from Russian propaganda, is likely meant to confirm the new group’s pro-Kremlin credentials.
- The group also announced that it would transform itself into a DDoS-for-hire group that “anyone can purchase.” However, it also specified that the project would “be aimed at dark-web too”. This latter announcement suggests that Anonymous Russia will perform DDoS attacks against darknet markets similarly to Killnet.
There are still several open questions around the alleged arrest. The fact that Killnet was quick not only to dox “Raty”, but also to dismiss its former comrade as “not careful [enough]” could suggest that there were misunderstandings between Raty and Killnet, potentially about the direction that Killnet has taken and required its associated groups also to take.
Apart from the above, several hacktivist groups associated with Killnet called for the release of Raty and announced attacks on Belarusian government networks to this effect. These groups include Phoenix, a former Killnet subordinate that had recently announced the creation of its own alliance of hacktivists, as well as Anonymous Sudan and Kvazar DDoS.
Independence from Killnet
The developing story highlights the twists and turns of pro-Kremlin hacktivism over the approximately six months since Killnet first attempted to collect all major and minor groups under its own umbrella. This endeavor has remained relatively unsuccessful. While several groups joined Killnet as official partners, many other groups (such as NoName057(16), which practices a kind of crowdsourced DDoS) have preserved their independence. In the past months several smaller groups, including Phoenix, announced the creation of their own alliances or business ventures, suggesting that the market of cybercrime services under the guise of hacktivism is getting crowded too. Now it appears that not only have Killnet’s associates preserved a degree of operational independence, but it is also possible that some of them had issues with Killnet’s leadership or plans.
For the money
As Flashpoint reported several times in the past, while Killnet has put the emphasis on their ideologically motivated hacktivism in the past year, the group has remained primarily financially motivated and used the publicity provided by its large Telegram following and media interviews and reports to advertise and monetize its capabilities and projects.
In late 2022 and early 2023, Killnet and its partner, Deanon Club, conducted DDoS attacks against several (narcotics-focused) darknet markets, and in February the two groups set up “Black Listing”, a DDoS-for-hire extortion group that targeted darknet markets. Black Listing appears to be a simple DDoS-as-a-service provider.
The “Private Military Hacking Company Black Skills,” which Killnet created in March, is set up to look like the online counterpart of Russian mercenaries in the style of the notorious Wagner Group. But the main purpose of both groups is to generate income from attacks ordered by customers on specific targets. It appears that this is also the direction that Anonymous Russia is taking.