Killnet, Killmilk
Killnet leader Killmilk posted this image on December 29, 2022, with a message supporting Russia's invasion of Ukraine. Image: Killnet / Telegram

Killnet as a private military hacking company? For now, it's probably just a dream

The pro-Moscow hacking group Killnet dropped a promo video in June for an upcoming short film that promised to delve into the world of Russian hacktivists. In the clip, a person behind the scenes violently smashes a radio and laptop with a hammer, interrupting a somber piano tune and the sounds of a news report.

"You want peace? Kill first,” the person says. It’s a predictable message for the group, which has become a high-profile example of how hackers with political or social motivations can grab attention during times of conflict.

Founded in October 2021, Killnet is known among the hacker community more for its provocative content than sophisticated attacks. The group initially offered for-hire distributed denial-of-service attacks, but gained global attention during the war in Ukraine when it claimed responsibility for cyberattacks targeting healthcare institutions in Western countries, dark web markets, and websites of U.S. and European government agencies.

Some of the cyberattacks were successful, but researchers said that many of those claimed by Killnet either never happened or were carried out by different hacking groups. Killnet’s reputation grew enough, however, that last year the U.S. Cybersecurity and Infrastructure Security Agency included the group in the list of cybercrime groups that pose a threat to critical infrastructure.

Despite its uneven record, researchers are interested in Killnet as a phenomenon that could shake up Russia’s community of underground hackers. It’s a crowdsourced collective with an enigmatic leader who garners support from other self-proclaimed hacktivists. When the group posts one of its threatening announcements on Telegram, observers in the West pay close attention.

Recently, Killnet's purported founder, known only as Killmilk, announced the group’s most ambitious goal yet: to transform the collective into a private military hacking company that will engage in cybercrime on behalf of the Russian state.

To achieve this, Killmilk plans to restructure Killnet, recruit more skilled hackers and provide training to potential members through what it calls “The Dark School” initiative. The school will reportedly offer courses in four languages: Russian, English, Spanish and Hindi. Members of the Russian armed forces will be offered an opportunity to enroll in the school for free.

How it might affect Killnet's strategy and its impact remains unclear. But the new plans have drawn attention.

"Killnet aims to unite hacktivist groups under the same political umbrella to strengthen their mutual interests and build partnerships," said Sonya Bandouil, intelligence analyst at cybersecurity company Flashpoint.

Hacktivists or state-controlled?

Killnet claims to act independently of the Russian government. Killmilk said the hackers have repeatedly asked the Kremlin for support, but he told Russian media in August that the group has no ties to the government.

And there’s no real evidence that it is a government-controlled threat actor like the operations known to researchers as Sandworm or Fancy Bear, said Pascal Geenens, director of cyberthreat intelligence at cybersecurity company Radware. According to Geenens, there is a possibility, however, that Killnet has collaborated with Russia's infamous private military company, Wagner Group.

killnet_black_skills.jpg Killnet announced the launch of the Black Skills initiative on March 14.

In March, Killmilk announced the creation of Black Skills, a private military hacking company modeled after the Wagner Group. Within this project, Killnet will be seeking money from private and state entities to fund their efforts, according to Bandouil. There’s currently no evidence for the existence of Black Skills other than the initial announcement.

During an armed rebellion earlier in June led by Wagner's leader Yevgeny Prigozhin against the Kremlin, Killnet did not engage in any cyber activities. In a Telegram post, Killnet claimed that Killmilk had joined Wagner in Moscow, but like other claims made by the group, this one was not able to be verified.

It's not clear how the revolt led by Wagner will affect Killnet and Black Skills, according to Geenens. In a Telegram post, Killnet expressed support for Prigozhin's statements while condemning the attempted revolution.

"We are against Russians killing Russians," the message said.

Attacks and targets

Killnet uses relatively simple DDoS attacks against its targets, which flood victim websites with junk traffic to make them unreachable. While these attacks may not inflict significant damage to the infrastructure, they can disrupt websites and operations for hours or even days, according to Bandouil.

Killnet wants to change the perception that the group’s potential is limited to DDoS attacks. With the launch of Black Skills, they hope to bring more funds to the group and hire skilled hackers to carry out more destructive attacks, Geenens said.

Killnet claims to remain focused on carrying out anti-Western attacks, but it appears to be selective with its targets. The group has not attempted attacks in Ukraine lately, according to Geenens, possibly because it wants to avoid any disruption to the activities of government-controlled hackers who specifically target Ukrainian infrastructure.

The gang also considers NATO a great threat, according to Bandouil. Government agencies in the U.S. and Europe are also targets because of the sanctions they have placed on Russian businesses and certain individuals, she added.

Killnet often collaborates with other hacker gangs to conduct its operations. Earlier in June, hackers from Killnet, Anonymous Sudan and REvil unveiled plans to attack U.S. and European banking systems. To date, there is no evidence indicating that the attacks had any significant impact beyond the temporary disruption of the European Investment Bank's website.

Incidents like that one are useful for Killnet’s reputation even if the results are hard to measure. Killnet's claims still generate media interest, causing problems for businesses, Geenens said.

The gang has other ways of getting attention, too. Sometimes it falsely takes credit for operations conducted by other groups, according to Geenens. On Telegram, the group frequently claims a long list of DDoS attacks that have been linked to other pro-Russian hacker groups like NoName057(16).

And some attacks may not have ever happened, such as when JPMorgan Chase denied that its service was disrupted after Killnet posted a message about the alleged incident.

Pumping up the brand

Unlike many hacking groups that prefer to operate covertly, Killnet is highly vocal about its plans. Killmilk frequently talks to bloggers and media to increase the group's visibility and attract both followers and potential customers, according to Bandouil.

Killmilk has also devised alternative methods to generate funds and promote the group’s brand.

killmilk_logo.jpg Killmilk's personal logo.

Last year, he launched the Infinity forum on the dark web to collaborate with other hacker groups and to sell cybercrime tools and stolen data. The Black Skills project also has a financial motivation — Killmilk wants to move from “altruistic” attacks to paid orders from private and public entities.

Killnet also uses art and entertainment to promote its brand. Russian rapper Kazhe Oboyma supported the group by releasing a song called "KillnetFlow," while Moscow-based jewelry manufacturer HooliganZ pledged to donate half of all proceeds from sales of Killnet-branded merchandise back to the group.

Killmilk also wants to increase his power over other hacker groups. Earlier this year, he announced that the hacker group Anonymous Sudan became part of Killnet.

While some researchers speculate that Anonymous Sudan is a Russian false-flag operation, Geenens disagrees, pointing out that their time zone is Sudan and their Arabic proficiency is impeccable. Moreover, Anonymous Sudan predominantly targets countries whose policies are detrimental to Sudan rather than Russia. Geenens suggests that Anonymous Sudan likely uses Killnet's brand for recruitment and promotion.

Other groups follow Killmilk because “he can make the most noise and make the right statement,” said Geenens. “People also see him in the media a lot and want to follow him.”

Although the idea to turn Killnet into a private military hacking company is “way over his head,” according to Geenens, Killmilk is likely to pursue this plan as long as it attracts people and he can sell projects related to it.

“He’s a villain who wants to create a new world,” Geenens said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.