Two new pro-Russian hacktivist groups target Ukraine, recruit insiders

Two new pro-Russian hacktivist groups have emerged in recent months to mount cyberattacks on Ukraine and its allies.

The groups, calling themselves IT Army of Russia and TwoNet, use the Telegram messaging app to coordinate operations, recruit insiders and collect information about targets in Ukraine, according to a new report by cybersecurity firm Intel 471.

Researchers said both groups appeared earlier this year and may be rebrands of previously known threat actors, though their exact links to past campaigns remain unclear.

Like other well-known Russian hacktivist groups — including NoName057(16), KillNet and XakNet Team — the new gangs are primarily carrying out distributed denial-of-service (DDoS) attacks, website defacements and data theft.

The IT Army of Russia first appeared in late March 2025 and communicates via the Duty-Free cybercrime forum and a Telegram channel with over 800 subscribers, Intel 471 said.

The group posts about alleged attacks on Ukrainian websites, leaks stolen data and recruits insiders working in Ukraine’s critical infrastructure. Many of its targets have been small Ukrainian businesses, the report said.

The group also operates a Telegram bot that encourages users to submit intelligence about Ukraine’s military or infrastructure and to suggest new targets for cyberattacks. It reportedly uses a tool called PanicBotnet, advertised on underground forums, to launch DDoS operations.

Most recently, the group posted on its channel what it claimed were leaked databases from several Ukrainian and Polish websites, including a Ukrainian real estate search platform, a makeup retailer, and Poland’s educational platform, Intel 471 said. 

The second group, TwoNet, surfaced in January 2025 and is believed to have around 40 members involved in hacking, software development and open-source intelligence gathering. The group’s preferred tactic is also DDoS incidents, and its Telegram channel has promoted attacks on government and infrastructure targets in Ukraine, Spain and the U.K., Intel 471 said. 

Researchers say the group has claimed partnerships with other pro-Russian actors. In January, TwoNet’s Telegram channel announced the death of one alleged member, nicknamed “Sakura,” reportedly killed during combat in Ukraine.

Since the start of the war, several Russian hacking groups have changed their tactics, tools and, in some cases, identities. KillNet, once known for its high-profile pro-Kremlin hacktivist campaigns, has recently resurfaced with a focus on cybercrime-for-hire operations, prioritizing profit and reputation over political messaging. 

Other groups, such as the Cyber Army of Russia Reborn — whose members were sanctioned by the United States last year — have largely disappeared from public view, while one of the most prolific hacktivist collectives, NoName057(16), continues its operations, targeting at least one or two entities each week.