Monitoring deep, dark and surface web to detect exposure of your sensitive data, secret projects and initiatives, privileged users, critical systems, IT infrastructure, and more.
Monitoring and alerting of third party data breaches impacting your employees’ emails, usernames, and personally identifiable information.
Assess the risk footprint and security posture of key business relationships to get a handle on external risk introduced through your extended attack surface.

Sign Up for Updates

Digital risk monitoring of key personnel with telemetry and risk metrics. VIPRecon provides broad coverage of social media, deep and dark web, as well as physical threat assessments.
Our Ransomware Response Readiness Assessment, Playbook and Table Top Exercise gives your organization the best chance to survive and recover.
Gain visibility of your digital footprint by reaching into the most active areas of the cyber underground.
Fully managed and tailored Threat Intelligence services that becomes an extension of your current security processes and provides real-time visibility on new threats.
Providing research and investigations into known threats, to save security teams time and stress during a cyber emergency.

Sign Up for Updates

GroupSense offers a comprehensive package of services for assessing and responding to ransomware attacks, including negotiations with threat actors.
Actively researching and monitoring threats from vendors or third-party companies that can affect organizational security.
Monitoring for threats to elections, VIPs, and more on social media to proactively prevent or mitigate digital risk.
Focusing on the threats and risks that matter to your security processes and providing intelligence and insights to prevent or mitigate digital risk.
Taking the next step in security services, by proactively taking down phishing sites or anonymously interacting with threat actors to provide better intelligence.
Active monitoring of your brand's digital assets to protect its reputation and stop further brand abuse from targeting unsuspecting victims.

Sign Up for Updates

Combining your cyber and fraud programs to effectively fight threat actors continually scamming or threatening assets within an organization.
Executives are prime targets for fraudulent activities, but with a proactive approach, any attacks or threats can be neutralized before causing any damage.
Governments, political parties and candidates must all act now to activate cyber threat intelligence services to harden their information security and get ahead of inevitable cyber threats to the election process.
5 min read

Killnet Founder Leaves Hactivist Group

Jul 29, 2022 9:00:00 AM

Pro-Russian hacktivist group Killnet has kept very busy since Russia invaded Ukraine. After declaring war against organizations in Ukraine-allied countries, Killnet carried out attacks in Lithuania, Norway, and Italy, to name a few. These attacks have left many wondering if their organizations will be next.

During the week of July 18, GroupSense analysts noted an announcement from Killnet. The group claimed that they would attack Lockheed Martin, a US defense contractor, with a new cyber tool. This attack would be different than most others that Killnet carries out: they will not be using a DDoS (distributed denial of service) attack. GroupSense analysts believe that Killnet continue shifting away from DDoS attacks, and instead carry out hack-and-release attacks. GroupSense analysts provided screenshots and translations from hacking forums with evidence supporting the move from DDoS to hack-and-release.

On July 12, a Killnet affiliate group called Zarya Squad posted six files to Telegram they claim to have stolen from the State Archival Service of Ukraine.

message with files

Figure 1: Zarya Squad post leaking files supposedly from State Archival Service of Ukraine. Source: t[.]me/ddos_channel_rus/371

Translation of material from Figure 1:

Let's give you a little treat.
Here is some of the data we pulled from the archive (

Several days later on July 16, Zarya Squad claimed to have gained control over several Ukrainian government networks, including the statistics department. The group claimed that the statistics department lies about Ukrainian military losses and the health of the economy.

Zarya squad messages
Figure 2: Zarya Squad post claiming to have control over Ukrainian government networks. Source: t[.]me/ddos_channel_rus/371

Translation of material from Figure 2:

The operator was hacked and gained control over Ukraine's state apparatus control systems.
Among these is the statistics department, responsible for reducing the statistics of Ukrainian army losses and overstating the stability of the country.

Publicly claiming to have carried out hacks and stealing data represents a significant and concerning departure from previous Killnet operations. So far, the group appears to only be taking credit for hacks against Ukrainian targets, but that ended with the threat against Lockheed Martin.

Organizational Change

On July 27, GroupSense analysts observed a surprising new message from Killnet. The founder of Killnet, known as KillMilk, will leave the gang to conduct his final attack on Lockheed Martin. Killnet claims that KillMilk has been preparing for this final stand for a long while. In their main Telegram channel, Killnet shared a new channel that belongs to founder KillMilk. In KillMilk’s new channel, GroupSense analysts observed the following message:

Killnet message

Figure 3: Telegram announcement.

Translation of material from Figure 3:

“😕 Founder of Killnet hacktivist movement, Legion - cyber special forces, Cyber Army of Russia alias "KillMilk" leaves our group by his own convictions! (Don't be fooled by any other news from the Fraudsters, if KillMilk wants to come back, we will certainly notify everyone via our official channel @killnet_reservs)

⚡️ His words dedicated to all KILLNET members:
""I created you to Defend our Homeland, I showed you how fragile Europe and its mentality is, now your way out - don't fail ! ""

<<KillMilk won't just go away, he will conduct his final attack on Lockheed Martin for which he has been preparing for a very long time...>>

⚡️Killnet remains in defense of the Russian Federation and continues to operate 24/7.

⚡️⚡️KillMilk didn't just establish us and give a decent fight to Europe and America. He gave millions of young people in Russia and the CIS an opportunity, ideas and a place to fulfill themselves!!!

☝️On behalf of our Hack movement Killnet and all our supporters in the online space. All of our supporting Hack communities and web resources - Let's support this post with tens of thousands of reposts and hearts! He deserves it....”

The message from Killnet shows a strong commitment to defending Russia against its adversaries abroad, sharing an anti-European sentiment and a call to action for other hactivists to continue on in the name of the homeland.

On July 28, KillMilk posted the following message:

Killnet announces new leader

Figure 4: KillMilk's message.

Translation of material from Figure 4:

“What I would do for my country now would be dangerous enough for my team. So I made the decision to withdraw from Killnet for their own safety. But that doesn't mean I'm leaving them without my help. Nothing changes, folks! Killnet is in full swing to win!

Didn't someone say, "One man standing alone in the field"? 😈”

In the past few years, GroupSense analysts have observed many high-profile members of organized cybercrime groups leaving larger groups to avoid law enforcement scrutiny or due to in-fighting within the gangs. Most recently, we have seen the Conti ransomware group splinter into smaller cells to avoid notoriety and law enforcement. As scrutiny over cyber attacks increases throughout Russia’s prolonged invasion of Ukraine, GroupSense analysts expect this trend to continue.

The Future of KillMilk
Since KillMilk stepped down, Killnet elected a new leader, a threat actor known as BlackSide. There is no evidence to tell us what KillMilk will do next, but GroupSense analysts believe that the actor’s strong commitment to hacktivism and to Russia will compel him to continue working with other hacktivist groups. GroupSense will continue to monitor the situation for new information.

image (3)

Figure 5: Killnet announces new leader.

Translation of material in Figure 5:
🔥KillMilk blesses the hacker "BlackSide" and gives him the title of Killnet control!

🇺Hacker BlackSide "BlackSide"
Specification: Ransomware, crypto phishing "USA/EC", Brilliant robber of European crypto exchanges, Owner of DarkNet hack forum in the "onion" zone - forum information is hidden.

😈Welcome "BlackSide" and wish you success!

Topics: News Blog

Written by Editorial Team