The Russian hacker group Killnet, which declared "war" on 10 states supporting Ukraine and attacked the HIMARS manufacturer, Israeli government agencies, and US airports, has shifted its focus to Russian darknet drug trafficking sites.
As reported by Forbes, citing research on Killnet by the American cybersecurity company Hold Security, the leader of the group has stepped back from operations and is selling courses on how to use the darknet.
Here are the key findings from the investigation:
Over two years, Killnet carried out DDoS attacks on 14 US airports, American government websites, the resources of the HiMARS manufacturer Lockheed Martin, NATO sites, and more. In the summer of 2022, Killnet targeted sites in Germany, Italy, Romania, Norway, Lithuania, the US, and others. For example, a June barrage of DDoS attacks by Killnet on Lithuania affected 130 government and private websites for 10 days. The country's government launched a criminal investigation in response, as reported by Wired at the time.
As reported by Forbes, the founder of Hold Security, Alex Holden, stated that the hackers of the Killnet group, created in November 2021, have lost their significance. "The huge herd has stopped," he added.
Unlike state hackers like Sandworm, who attacked "Kyivstar," Killnet was a "volunteer" group composed of IT professionals loyal to the Russian government. Their tools typically involve large-scale DDoS attacks.
Killnet is one of the largest groups of volunteer hackers, or so-called hacktivists. The organization's Telegram channel had over 100,000 subscribers.
After Russia's invasion of Ukraine, Killnet's focus shifted to Ukraine and its supporters. "Usually, these were loud statements [with threats] and DDoS attacks," former deputy head of the State Special Communications Service Viktor Zhora told Forbes. Killnet activists also carried out defacements and claimed data theft.
Officially, no one sponsors the activities of hacktivists, Wired reported. "Among the members were many Russian IT professionals who were fired at the beginning of the invasion," Holden said. "They worked in European and American companies and knew their vulnerabilities."
Killnet was led by a thirty-year-old Russian using the pseudonym KillMilk. According to Hold Security, the pseudonym KillMilk corresponds to Nikolay Serafimov.
In an interview with the Russian media RT in October 2022, KillMilk talked about the support the group received from an illegal darknet platform for drug dealers called Solaris, which conducts transactions in cryptocurrency. "Thanks to their attention, Killnet remains fully operational," he said.
Serafimov is a former prisoner who was arrested in 2017 and served a sentence for drug trafficking, according to Hold Security's research.
Questions about Killnet's funding arose in the Russian authorities by mid-January 2023, Holden says. And by the end of last year, the group's activity significantly declined. "From February, it becomes unstable, and in May, the main composition of the group is disbanded," Forbes quotes Holden.
Moreover, in December 2023, Killnet's main Telegram channel was sold to another group - Deanon Club.
The amount of the deal was up to $50,000, the new owner, whose name was not disclosed, said in an interview with Gazeta.ru in January 2024.
In May 2023, the main composition of the Killnet group was disbanded. Serafimov stepped back from business, and some members also left the group. According to Hold Security, the leader joined the Beregini group. He also sells his darknet usage courses ranging from $290 to $28,900.
The remaining members of Killnet, after merging with Deanon Club, began to fight against drug trading platforms in the darknet, Holden reported. It is now evident that Killnet will soon completely distance itself from politics. This was the goal of the new owner of the community, as stated in an interview with Gazeta.ru.
