February 22 update: Killnet founder leaves Infinity Forum; Forum future unknown
Over the weekend the threat actor “Killmilk,” the creator of “Killnet,” a pro-Kremlin hacktivist and DDoS-for-hire group, announced that they would sell the “Infinity” forum, which was created in December 2022 as a platform for hacktivists, cybercriminals, and novice hackers. As of February 22, the community had more than 3,200 members. Killmilk claimed that the reason for the sale was that Killnet was “going dark” (likely meaning that it will establish a darknet presence), but that it would continue supporting Russia in its war against Ukraine.
The unexpected decision coincided with the recreation of Killnet’s Telegram-based forum (a collection of chat groups accessible under the same handle). The new design of Killnet’s Telegram forum is simpler than Infinity’s, but it still includes a marketplace section, a cryptocurrency exchange service and an escrow service, among others.
The reasons for Killmilk’s sudden exit from the Infinity forum are unknown. It is possible that the forum simply did not grow at a pace desired by its administrators and proved to be unprofitable or too tedious to maintain. It is also possible that it faced threats from rivals. Users of the forum have received the news with dismay and perplexity, with several expressing the view that they would not stay on Infinity if Killnet cut ties with it. Some have been exploring ways to remove traces of their activity completely from the forum.
What we know about Infinity
From its inception, Killnet has stated that one of its goals is to bring together pro-Kremlin hacktivists under one roof, so to speak. Since the latter half of 2022, the first stage of this project has gained momentum, with the group integrating several smaller hacktivist groups. Now, the second stage seems to have begun with the creation of “Infinity”—a Killnet-run forum for hacktivists and run-of-the-mill cybercriminals alike.
Infinity is marketed as a platform for pro-Kremlin groups, many of which maintain an official presence on the forum, to exchange know-how and talk about politics—a topic usually frowned upon by top-tier forums that are trying to avoid the interest of foreign security services and instead keep the focus on money. Infinity originally began on Telegram and moved to the clearnet in late December.
As of this publishing, eight pro-Kremlin groups have official representation on the forum. These include the eponymous “Infinity Hackers BY,” a self-described Belarusian group that partnered with Killnet to target the website of the IRS, and “Deanon Club,” a group that collaborated with Killnet in its attacks on a darknet marketplace last year. These groups, which may have overlaps in their membership, have their own dedicated sections in Infinity where they share updates about their activities as well as addresses for financial donations.
Nonetheless, their Telegram updates and overall activity have remained far more frequent than their activity on Infinity. It is also notable that not all groups that forum administrators invited have joined the forum so far. NoName057(16), a DDoS group that operates its own Telegram-based discussion board for its followers, and XakNet, a group with alleged links to Russia’s military intelligence that has a complicated relationship with Killnet, do not have an official presence on the forum.
New sources of income for Killnet and its partners
As with Killnet’s other projects, Infinity is as much about the money as it is about sharing ideas and ideology. Infinity has proved to be more than just a more organized version of Killnet’s Telegram chat group, additionally serving as an online market for cybercrime tools and stolen data, as well as a guarantor of deals. Seemingly, it has the ambition to become a conduit between hacktivists and cybercriminals—and ill-gotten money.
Unlike Telegram, which served as a tool for these groups to communicate and organize attacks, running a forum introduces several novel ways for Killnet and its partners to make money, beyond their traditional sources of income such as donations and DDoS-for-hire services.
Since the beginning of Russia’s 2022 invasion of Ukraine, the DDoS-for-hire-turned-pro-Kremlin hacktivist group Killnet has skillfully mixed financial and ideological goals. It has chased the news cycle with DDoS attacks in countries it sees as supportive of Ukraine while leveraging glowing coverage in Russian media to attract followers and raise its income.
Infinity has a “marketplace” section where users can buy and sell stolen data, network accesses, exploits, or services of various sorts, ranging from odd jobs to tasks requiring experienced hackers, such as carding or phishing. Notably, the forum does not seem to discourage members from selling data breached from Russian entities—such as malware logs or passports—which traditionally is frowned upon or downright forbidden on most Russian-speaking forums.
It may be the case that—at least until the forum reaches viability—administrators will decidedly welcome any engagement that is banned on rival platforms. However, it is also possible that the operators of Infinity are simply trying to highlight that they do not care about the unwritten rules of the Russian-speaking cyber underground.
To ensure deals struck on the forum are transparent, Infinity maintains an escrow service. Apart from this, the forum also makes money by selling “statuses” to verified vendors at various levels, similarly to how top-tier forums demand cryptocurrency deposits from members selling goods or services of significant value.
Mimicking top-tier forums, Infinity also partnered with a cryptocurrency mixing and laundering service, “Dark Swap”, which explicitly offers to exchange dirty cryptocurrency for tokens with an acceptable rate of cleanliness, for a commission of eight percent or more, depending on the difficulty of the task. This is more or less in line with the rates charged by mixers on top-tier forums and marketplaces. At this time, it is unclear how close the links between Dark Swap and Killnet—which had partnered with cryptocurrency exchanges earlier—actually are, but the steep commissions charged by the service may very well be another way for the forum to generate revenue for the group and its partners.
Wooing engagement—and a new generation of hackers
Any illicit forum is as much a marketplace as it is a community. Therefore, Killnet and its partners will have to increase Infinity’s user engagement to realize any significant financial gains. Advertisement slots, for instance, have mostly remained blank on the forum, reflecting the fact that genuine activity has so far remained relatively subdued, especially in comparison to top-tier platforms. Sudden bursts are mostly or entirely driven by administrators’ attempts to increase engagement, such as giveaways of monetizable malware logs containing access details to cryptocurrency wallets. Many of these threads have been posted by “Killmilk”, the founder of Killnet—and one of Infinity’s admins—who maintains a separate online presence.
Sections discussing news have also been getting more engagement. The forum offers several curated (and strongly pro-Kremlin) selections of news, in an apparent attempt to politicize cyber threat actors and provide Killnet’s followers with a daily diet of anti-Western and anti-Ukraine propaganda. A separate section on politics encourages users to write their own takes on the news, whether real or imagined (such as, for instance, a “Satanist show” at the 2023 Grammy Awards). Killnet, of course, has grown its power using ideological arguments to justify attacks on rival darknet markets while also courting support from the Russian state and denying any direct operative connection to the Russian authorities.
However, many of the threads currently posted on the forum are educational and aim to teach forum users the basics of various hacking techniques. DDoS—which has remained the technique of choice of most pro-Kremlin groups—is the most discussed TTP on the forum, with threat actors and botnet operators sharing scripts as well as advice.
Other threads instruct members about illegal tools such as stealer malware and OSINT techniques such as netstalking. This not only highlights Killnet’s ambitions to expand its capabilities, but also shows that most of Infinity’s users are not sophisticated cybercriminals or hacktivists—most of them simply being group sympathizers or individuals who have been swayed by the glamorous representation of Killnet in Russian media. Earlier this month, the forum even started a “hacking school,” inviting beginner or novice-level hackers to sign up, which hundreds of users did. Instruction will, however, take place on Telegram, not the forum itself.
Keep a close eye on illicit communities with Flashpoint
The Infinity forum seems to be both a project to raise funds for Killnet and its allies and a method to allow them to expand their capabilities and numbers by creating a channel between (beginner) hacktivists and financially motivated cybercriminals. While the forum’s success is far from guaranteed, organizations concerned that they may end up in the crosshairs of pro-Kremlin hacktivist groups should keep an eye on it to monitor the tools and the information shared by the members of these groups and their affiliates. Keeping a close eye on the forum and the cryptocurrency addresses and services advertised on it can also help authorities proactively enforce anti-money laundering regulations and sanctions regarding pro-Kremlin cyber threat actors.