Spotlight on KillNet: The Cybercriminal Group Raising Funds for Russia’s War in Ukraine
KillNet is a pro-Russian cybercriminal group operating since 2021. Initially, KillNet promoted itself as a MaaS (Malware-as-a-Service) group offering Distributed Denial of Service (DDoS) attack services, which target websites by overloading them with requests. Although such attacks don’t affect the confidentiality or integrity of the data, they pose a significant threat to victims' day-to-day operations and often result in financial and reputational losses.
Following Russia’s invasion of Ukraine in February 2022, KillNet’s scope broadened in two key ways. KillNet began to use crypto to raise funds for the Russian war effort. It also began targeting government entities and critical infrastructure in countries opposing the invasion, through DDoS attacks against Lithuania, Poland, Japan, Norway, the Czech Republic, Moldova, and the US, among others.
The US Cybersecurity & Infrastructure Security Agency (CISA) describes KillNet as a “significant threat to US critical infrastructure.” TRM also found on-chain evidence that KillNet has interacted with Bitzlato – the cryptocurrency exchange that the U.S. Department of Justice and the U.S. Treasury Department charged with money laundering in January for facilitating Russian illicit finance.
Here are the five key things to know about KillNet:
1. KillNet solicits crypto donations on Telegram
KillNet has a large presence on Telegram - with nearly 100,000 followers as of January 2023 - which it uses to solicit cryptocurrency donations for Russian forces fighting in Ukraine. Crypto wallets attributed to KillNet – where donors were directed to send funds in support of Russia – have amassed more than 280,000 USD since the invasion of Ukraine in February 2022.
KillNet solicits donations in various cryptocurrencies including BTC, Monero, USDT, and Ethereum. Further investigation identified that KillNet has converted cryptocurrency into nearly $35,000 USD through exchanges located in Eastern Europe that are known for having weak Know-Your-Customer (KYC) requirements.
2. KillNet claims to use donations to supply Russian troops fighting in Ukraine with equipment
KillNet vocally supports Russia’s military operations in Ukraine and claims to supply troops with equipment. For example, in October 2022 KillNet published photos that appear to show Russian special forces using rangefinder binoculars donated by the group and labeling ammunition with “KillNet” to show their appreciation.
3. KillNet has links to a notable pro-Russian darknet market
KillNet has partnered with Solaris – a darknet market (DNM) that has also voiced support for the Russian government after arriving on the scene in early May 2022, merely a month after the downfall of Hydra Market. Solaris had grown into one of the largest Russian-speaking darknet marketplaces but was weakened significantly following a purported attack from a rival DNM.
While the exact nature of the relationship between KillNet and Solaris is unclear, TRM found that nearly $50,000 USD was sent directly to KillNet from an address associated with Solaris in October 2022.
Meanwhile, KillNet has claimed to conduct cyberattacks against a known Solaris rival. On August 19, 2022, KillNet stated on Telegram that it attacked RuTor, a forum that provides support to Solaris competitor OMG!OMG! Market. According to the message, RuTor then paid $15,000 USD to KillNet to stop the DDoS attack. On-chain analysis by TRM corroborates these claims.
Additionally, according to a Telegram post published on October 14, 2022 by KillMilk – a KillNet group member operating under that alias – the group receives extensive support from Solaris.
4. KillNet has sworn allegiance to the Russian government
KillNet rhetoric is replete with calls to violence against Ukraine and support for Russia’s ongoing war. On September 22, 2022, KillMilk – the KillNet member – confirmed the group’s support of the Russian government. KillMilk told Russian podcast “ZakonnyVopros” (Rus. Законный вопрос):
“We joined Russia’s mission after the start of the special military operation.* Everything we have done since day one is just to help our country. Perhaps this is the only thing that makes us different from everyone else. Although we are considered criminals in other countries, we are heroes for our country as we stand with Russia.”
*Editor’s note: Many Russian state supporters avoid referring to the invasion of Ukraine and use the term “special military operation” instead.
However, KillNet denies being funded by the Russian government.
5. KillNet claims attacks that targeted U.S. national security
In addition to its support for the Russian military and DNM affiliations, KillNet also appears to be behind cyberattacks on the US and its allies. In October 2022 alone, KillNet claimed responsibility for the following attacks on US entities:
- October 3, 2022: The National Geospatial-Intelligence Agency (NGA), a combat support agency within the United States Department of Defense specializing in the collection, analysis, and distribution of geospatial intelligence in support of national security.
- October 5, 2022: State government websites in Alabama, Alaska, Connecticut, Delaware, Florida, Hawaii, Idaho, Indiana, Kansas, Colorado, Kentucky, and Mississippi.
- October 10, 2022: Multiple US airports including Los Angeles International (LAX), Chicago’s O’Hare (ORD), and Atlanta’s Hartsfield-Jackson International (ATL) airport.
On October 11, 2022, the group suggested its next victims might be marine terminals and logistic facilities, the healthcare sector, public transportation, exchanges, online trading systems, and others.
What's next for KillNet and similar groups?
The Russian invasion of Ukraine caused a significant shift in the cybercriminal ecosystem. Multiple pro-Russian groups such as KillNet increasingly adopted Telegram, including for fundraising via cryptocurrencies to support the war effort.
As the war in Ukraine drags on, groups such as KillNet may significantly increase in number and become more aggressive. Identifying the crypto assets and services involved in supporting such activity is critical to assessing and mitigating the threat.