Russian hacker group Killnet returns with new identity

The Russian hacker group Killnet, once known for its noisy pro-Kremlin cyberattacks, has reappeared after months of silence — but not as the group it once was.

Earlier this month, Killnet claimed it had hacked Ukraine’s drone-tracking system, providing geolocation data that allegedly helped Russian forces destroy several radar stations. The claim, alongside unverified footage and maps, was heavily promoted by Russian media but remains unconfirmed by independent analysts.

The timing of Killnet’s comeback is notable — it aligned with Russia's Victory Day, which commemorates the Soviet Union’s defeat of Nazi Germany in World War II. This date is frequently used in Russian propaganda and disinformation campaigns.

At this moment, it’s unclear if the resurgence is directly tied to a specific anti-Ukraine operation or a broader restart of Killnet's activities, according to analysts at cybersecurity firm Flashpoint.

However, significant coverage of the recent Killnet activity in the Russian media may suggest that it is another example of a Russian information operation amid the ongoing negotiation attempts between the U.S., Russia and Ukraine, researchers said.

Some cyber experts suggest that Killnet’s reappearance likely represents a calculated attempt to reestablish relevance under a new identity.

“While the group continues to reference hacktivism in its branding, its operational model increasingly mirrors that of a for-hire cybercrime service, seeking reputation and revenue rather than ideological impact,” said analysts at blockchain intelligence company TRM Labs.

Collapse and leadership transition

Killnet vanished from public view in late 2023 after its founder, KillMilk, was unmasked by Russian media as a 30-year-old Russian man with alleged ties to the drug trade and a taste for luxury cars, according to Pascal Geenens, director of threat intelligence at the cybersecurity firm Radware.

Following the exposé, control of the group was transferred to a new owner — the anti-drug trafficking collective Deanon Club — whose administrator, known as BTC, reportedly purchased Killnet assets for between $10,000 and $50,000.

The acquisition sparked internal dissent, leading to the departure of Killnet’s original administrators and technical operators and leaving the group with a leadership vacuum and diminished operational capacity during key geopolitical events, TRM Labs told Recorded Future News.

The group’s disappearance may also be part of a broader strategy commonly employed by other hacker collectives, according to Rik Ferguson, vice president of security intelligence at cybersecurity firm Forescout.

“Killnet is representative of a trend that is popular among both hacktivists and cybercriminals: rebranding, splintering into smaller groups, then reactivating older identities and abandoning them again whenever needed,” Ferguson said.

“They could have easily formed a new group with a new identity. Still, they will now capitalize on the Killnet brand for attention for a while until it again becomes more convenient to use another identity,” he added.

Shift from ideology to profit

From its inception, Killnet gained notoriety for launching unsophisticated, low-cost distributed denial-of-service (DDoS) attacks — tactics so basic that founder KillMilk was reportedly mocked by fellow pro-Russian groups for relying on borrowed botnets, according to Geenens.

But under the leadership of BTC, the group charted a new course. According to researchers at TRM Labs, Killnet pivoted from patriotic hacktivism to profit-driven cybercrime, focusing on exposing darknet drug dealers, offering hack-for-hire services and carrying out selective, high-impact attacks to build credibility on criminal forums.

This commercial turn alienated members loyal to the group’s original pro-Kremlin mission. In response, several offshoots — including KillNet 2.0 and Just Evil — emerged to continue politically motivated attacks in support of Russian cyber interests.

Though BTC maintains Killnet’s hacktivist branding, TRM Labs analysts say the group now functions more like a cyber mercenary outfit, with a broadened scope of targets driven by financial incentives rather than ideology.

Operational fragmentation

Killnet has long operated as a fluid, decentralized collective, with various subgroups frequently going dark, rebranding, merging or breaking off to act independently, according to analysts at Flashpoint.

Following the public exposure of founder KillMilk’s identity, he may have stepped aside, allowing others to carry on the Killnet name — or, as Geenens suggests, unrelated actors may have adopted the recognizable brand to gain instant notoriety.

While the precise relationship between Killnet’s factions and offshoots remains unclear — along with their motivations and evolving tactics — one thing is certain: “The story of Killnet hasn’t ended. It has just splintered,” Ferguson told Recorded Future News.