IT Army of Ukraine
The world's first government-crowdsourced cyber army — established by Ukraine's Minister of Digital Transformation Mykhailo Fedorov days after Russia's February 2022 invasion. Targets are listed on Telegram; volunteers worldwide contribute computing power and run provided DDoS tools. Russian cybersecurity firm F6 identified the IT Army as the most active hacking group targeting Russian digital infrastructure, with DDoS attacks increasing by at least 50% in 2024. In June 2024, the group claimed the largest DDoS attack in history against Russia's banking sector, disabling the Mir national payment system. The operation maintains 70,000 servers across 171 countries and shows no sign of scaling back as long as the war continues.
Overview
The IT Army of Ukraine was publicly established on February 26, 2022 — two days after Russia launched its full-scale invasion — when Mykhailo Fedorov, Ukraine's Vice Prime Minister and Minister of Digital Transformation, issued a Telegram call for global IT specialists and hackers to join cyber operations against Russian targets. Within days the channel had accumulated 300,000 members, including committed IT professionals, amateur volunteers, interested observers, and foreign nationals from dozens of countries. The first confirmed attack occurred 13 minutes after the first target list was posted: Russia's Gosuslugi government services portal was taken offline within one minute of volunteers coordinating.
The IT Army represents a genuinely novel model in the history of cyber conflict: a government-directed but structurally decentralized volunteer force operating at the nexus of state strategy and crowdsourced participation. Fedorov and Ukrainian government officials have publicly maintained that the Ministry does not control or issue assignments to the IT Army, while simultaneously acknowledging it as a partner and publicly praising its operations. This deliberate ambiguity serves multiple purposes — it provides political and legal cover for the Ukrainian state, protects volunteers' legal standing under international humanitarian law, and allows the operation to attract foreign volunteers who might be deterred by direct government employment. By June 2022, analysts assessed the IT Army had bifurcated into a public-facing volunteer mobilization component and a private in-house team of Ukrainian defense and intelligence personnel conducting more sophisticated operations that were not publicly announced on the Telegram channel.
The operation is coordinated through the @itarmyofukraine2022 Telegram channel, which posts target lists — Russian and Belarusian organizations listed by IP address, domain, and port — for volunteers to attack using the group's suite of provided DDoS tools. Volunteers run these tools on their own hardware, effectively contributing their computing power and bandwidth to a distributed attack botnet. A Telegram bot assigns each volunteer an anonymous ID, enabling a gamified public leaderboard tracking contribution — top contributors in 2024 ran infrastructures of nearly 350 hosts continuously running provided attack tools. This competitive dynamic, combined with the moral framing of the operation as digital resistance to invasion, has maintained volunteer engagement far longer than historical hacktivist campaigns typically sustain.
Russian cybersecurity firm F6 identified the IT Army as the single most active hacking group targeting Russian digital infrastructure as of 2024–2025, with DDoS attack volume against Russian targets surging by at least 50% in 2024 compared to 2023. The group's own spokesperson, who goes by "Ted," stated the operation hit 34 financial organizations and 37 other strategic targets, conducting 94 operations in one documented campaign window. Ukraine's military intelligence service (HUR) officially honored a group of civilian cyber activists for the first time in March 2025 — reflecting increasing formal state recognition of the role volunteer cyber operations play in the broader conflict.
Target Profile
IT Army targets are selected to maximize disruption to Russian economic, governmental, and informational systems, with tactical targeting sometimes aligned to events on the physical battlefield. The operation does not discriminate between military and civilian infrastructure — a point of significant legal and ethical debate.
- Banking and Financial Infrastructure: The highest-priority target category. Russian banks including Sberbank (Russia's largest, holding nearly one-third of national banking assets), VTB, Gazprombank, and dozens of others have been targeted across multiple campaigns. The June 2024 campaign disabled the Mir national payment system and halted transactions across multiple payment providers. Sberbank's deputy CEO characterized a July 2024 attack as the most powerful DDoS in the bank's history.
- Telecommunications and ISPs: Regional telecom operators — particularly in border regions of Kursk and Belgorod close to the frontline — are frequently targeted. The March 2025 attack on Moscow ISP Lovit disrupted internet services for 200,000 residents and businesses across 84 residential complexes in Moscow and St. Petersburg. F6 analyst Elena Shamshina noted that regional telcos are often easier targets due to weaker cybersecurity defenses than major Moscow operators.
- Government Digital Services: Russia's Gosuslugi portal (the official internet gateway for government services, accessed by millions of Russian citizens), the Kremlin website, and other state digital services are targeted to disrupt citizen access to government functions and generate psychological pressure.
- Energy Sector: Attacks on the Russian energy industry increased tenfold in 2024 compared to 2023, per Russian media reporting. Gazprom and energy sector web infrastructure have been recurring targets. Some attacks were reportedly coordinated with Ukrainian drone strikes, targeting the CCTV networks that provide Russian surveillance coverage.
- Media and Information Infrastructure: In March 2025, the IT Army claimed responsibility for taking nearly 50 media websites offline in Kursk — timed to coincide with Ukraine's cross-border military incursion into the Kursk region. Media targeting serves both psychological and informational objectives.
- High-Profile Economic Events: The St. Petersburg International Economic Forum in June 2024 experienced a significant surge in DDoS attacks, with Russian media reporting the number of attacks on forum portals more than doubled compared to 2023.
- Transportation: The IT Army has targeted Russia's Leonardo airline booking system, disrupting operations at major airports. Ukraine's own civilian airports had ceased operations because of Russian strikes, and Fedorov publicly framed the attack as retaliation: "If Ukrainian airports cannot operate because of the war, why should Russian ones?"
Tactics, Techniques & Procedures
The IT Army's TTPs are defined by scale and coordination rather than technical sophistication. The operation is intentionally designed for accessibility — enabling participation by volunteers with no technical background — while maintaining effectiveness through sheer volume.
| technique | description |
|---|---|
| Telegram-Coordinated Target Distribution | Target lists — including IP addresses, domains, and port numbers — are posted to the @itarmyofukraine2022 Telegram channel. Targets refresh regularly; volunteers run provided tools that automatically pull the current target list and rotate through attacks. The channel refreshes target information every 15 minutes on its associated website. Cumulatively, more than 662 Russian targets have been publicly listed. |
| Crowdsourced Volunteer Botnet | Volunteers worldwide contribute their own computing power, running provided DDoS tools on personal computers, servers, and cloud infrastructure. This creates a distributed "volunteer botnet" whose traffic originates from diverse global IP space — making source-based blocking difficult and giving attacks the appearance of traffic from legitimate user geographies. Top contributors run infrastructures of up to 350 hosts in continuous operation. The operation claims 70,000 servers across 171 countries as of 2025. |
| Multi-Layer DDoS (HTTP / HTTPS / UDP) | Attacks target multiple protocol layers simultaneously. Layer 7 (application-layer) attacks mimic legitimate HTTP/HTTPS traffic, which is harder to filter without impacting legitimate users. Layer 3/4 (network/transport) UDP floods overwhelm bandwidth and connection-state infrastructure. Tools are configured to automatically cycle between attack methods, keeping defenders continuously adapting rather than allowing static filtering rules to become effective. |
| Automated Proxy Rotation and VPN Evasion | The primary DDoS tools (MHDDOS in particular) automatically download and rotate working proxies, changing source IPs continuously. This prevents blocklists from being effective against known attacker IPs. DB1000NX100 establishes multiple parallel VPN connections, each running a separate attack agent, with IP addresses changing every 15 minutes. This geographic and IP diversity is the operation's core technical evasion mechanism. |
| Gamified Leaderboard Competition | A Telegram bot assigns each volunteer an anonymous ID and tracks individual attack traffic contribution. A public leaderboard displays top contributors, creating competitive incentives for sustained participation. This gamification mechanism is credited with maintaining volunteer engagement beyond the initial surge of interest in early 2022. Volunteers can schedule attack windows to contribute during times convenient to their time zone. |
| Event-Coordinated Attack Timing | Attack campaigns are timed to coincide with significant events — Russian economic forums, military escalations, infrastructure attacks on Ukraine — to maximize psychological impact and political messaging. The Kharkiv border offensive in May 2024 prompted an IT Army announcement: "We are currently working on important targets related to events at our border in the Kharkiv region." Some attacks reportedly coordinate with Ukrainian drone strikes to blind CCTV surveillance infrastructure. |
| Tool-Assisted Low-Barrier Recruitment | The IT Army Kit is explicitly described as "a simple and effective tool for cyber resistance against Russian aggression" — downloadable by volunteers with no technical experience. Installation instructions are documented in 11 languages including Korean and Portuguese. Support is available via a dedicated Telegram chat. The low barrier to entry enables participation by non-technical volunteers and is responsible for the operation's scale. |
Known Campaigns
Major confirmed or claimed operations across the IT Army's operational history. Given the decentralized and self-reporting nature of the operation, attribution confidence varies; targets taken offline are documented through downtime monitoring and Russian government acknowledgment.
On February 26, 2022 — the day the IT Army was established — the first target list was posted to Telegram. Within 13 minutes of posting, volunteers took Gosuslugi (Russia's primary digital government services portal) offline. In the following days, Sberbank, Russia's largest bank controlling nearly one-third of national banking assets, and the Moscow Exchange were taken offline. Belarusian websites were targeted the following day given Belarus's support for the Russian invasion. The initial wave demonstrated the viability of the crowdsourced model and generated significant media attention that drove early subscriber growth to 300,000.
In early March 2022, a hack and defacement of Gazprom, Russia's state-owned energy company, was attributed to the IT Army — one of the most significant non-DDoS operations linked to the group. This operation, alongside several others documented by Stefan Soesanto in CSIS research, indicated that the public-facing Telegram channel was being supplemented by more sophisticated operations not publicly announced, showing at minimum some coordination with Ukrainian intelligence services.
Ukraine's Minister of Digital Transformation Fedorov publicly credited the IT Army with a significant DDoS attack on Russia's Leonardo airline booking system, leading to disruptions at Russia's major airports. Fedorov framed the attack explicitly as retaliation: "If Ukrainian airports cannot operate because of the war, why should Russian ones?" The acknowledgment was one of the most direct statements of government awareness and endorsement of a specific IT Army operation.
On June 20, 2024, the IT Army executed a large-scale coordinated DDoS campaign against Russia's banking infrastructure during the St. Petersburg International Economic Forum. The attack targeted VTB, Gazprombank, Sberbank, and other financial institutions, disabling the Mir national payment system and halting transactions across multiple payment providers. The group claimed this as the largest DDoS attack ever recorded. Russia's Sberbank confirmed the attack, with its deputy CEO characterizing a related July 2024 attack as the most powerful DDoS in the bank's history. The forum itself simultaneously experienced a doubling of DDoS attacks on its online portals compared to 2023.
In March 2025, the IT Army claimed responsibility for taking nearly 50 media websites offline in Kursk, a Russian city in the western border region. The timing coincided with Ukraine's August 2024 cross-border incursion into the Kursk region, with the cyber campaign framed as supporting the military operation by degrading the informational environment in the contested area. F6 researcher Elena Shamshina noted that regional companies in border areas are frequently targeted because they lack proper cybersecurity defenses — generating significant public disruption for comparatively less effort than attacking major Moscow infrastructure.
The IT Army claimed responsibility for an attack on Lovit, a Moscow-based internet service provider, that disrupted internet services for 200,000 residents and businesses across 84 residential complexes in Moscow and St. Petersburg. The group claimed the attack contributed to a $350 million drop in the company's stock value. The attack was notable for its scope of civilian impact — deliberately targeting infrastructure serving residential communities, not just government or commercial entities — which generated both significant public attention in Russia and continued the debate over the IT Army's targeting of civilian infrastructure.
Tools & Infrastructure
The IT Army operates a suite of open-source and custom DDoS tools distributed to volunteers. All primary tools are hosted on GitHub repositories (though in violation of GitHub's terms of service) and are actively maintained. The operation explicitly assures volunteers that the tools contain no malware.
- MHDDOS (mhddos_proxy): The primary and most widely used IT Army DDoS tool. Supports Layer 7 HTTP/HTTPS flood attacks using automatically rotated proxies — no VPN required, as it downloads and cycles through working proxy lists automatically. Simultaneously attacks multiple targets with load balancing and automatically switches between attack methods. Supports running multiple copies for higher-bandwidth contributors. Instructions are documented in multiple languages, and the official repository is maintained by the mhddos_proxy developer.
- DB1000N (Death by 1000 Needles): A Go-based distributed load generation tool written in response to the February 24, 2022 invasion. Described by its author as "a simple distributed load generation tool." The X100 variant (db1000nX100) establishes multiple parallel VPN connections simultaneously, each running a separate attack agent. IP addresses rotate every 15 minutes via VPN reconnection. Particularly effective for sustained campaigns.
- Distress: A third DDoS tool in the IT Army suite, functionally similar to MHDDOS and DB1000N with automatic proxy rotation and multi-target support. Has its own official support chat. Used alongside the other tools through the IT Army Kit installer.
- IT Army Kit (UKITA): A Windows installer that automates deployment of the DDoS tools. Handles automatic installation of DB1000N, Distress, and MHDDOS for the appropriate system architecture. Creates system services for each tool to ensure they restart automatically on machine reboot. Provides a unified interface for monitoring attack status and adjusting load parameters. Reduces the technical barrier for Windows-based volunteers to near zero.
- UAshield: Self-described as a "Voluntary Ukraine security platform to protect us from Russian forces in the Internet." An additional DDoS participation tool supporting all attack types used by the IT Army including HTTP, HTTPS, and UDP.
- Telegram Bot (Anonymous Volunteer Tracking): A Telegram bot assigns each volunteer an anonymous ID for tracking individual attack contribution and displaying on the public leaderboard. Enables the gamified competition model while maintaining volunteer anonymity. Volunteers can monitor their personal impact metrics through the bot.
Indicators and Infrastructure
This section differs from typical threat actor IOC sections. The IT Army is a government-aligned hacktivist operation targeting Russian infrastructure — the "indicators" relevant to defenders are the attack signatures of the tools, and the key operational intelligence is how the operation is organized rather than how to detect it as an intruder.
The legality of participating in IT Army operations for foreign nationals is a significant unresolved legal grey area. Citizens of countries not party to the Ukraine-Russia conflict who conduct DDoS attacks may face criminal liability under their own national laws regardless of the political framing of the operation. Several Western governments have not formally endorsed IT Army participation. CSIS researchers and legal scholars have flagged that large-scale dissemination of DDoS tools to civilians could create longer-term instability in global cyberspace norms. Organizations assessing DDoS risk from the IT Army are primarily Russian infrastructure operators; for Western organizations, the primary risk is tool proliferation — volunteers with DDoS capability gained through IT Army participation could apply those tools elsewhere.
Mitigation & Defense
These defensive recommendations are primarily relevant to organizations operating Russian-linked infrastructure, or to organizations that may be targeted because they are perceived as supporting Russia. For Western organizations, the primary concerns are the legal and policy risk from employee participation and the downstream tool proliferation risk.
- Layer 7 DDoS Mitigation Infrastructure: MHDDOS specializes in HTTP/HTTPS application-layer floods. Russian government reporting noted that nearly half of Russia's top-100 companies by revenue lacked professional Layer 7 DDoS protection as of April 2024. Effective Layer 7 mitigation requires behavioral analysis, traffic profiling, and challenge-response mechanisms (CAPTCHA, JS challenge) that can distinguish attack traffic from legitimate users, particularly given that the IT Army tools mimic legitimate traffic patterns across diverse geographic source IPs.
- Anycast CDN and Traffic Scrubbing: Distributed content delivery and traffic scrubbing services absorb volumetric attack traffic before it reaches origin infrastructure. Given the IT Army's claimed peak of 70,000 contributing servers across 171 countries, scrubbing capacity must be globally distributed — attacks cannot be absorbed by a single regional scrubbing center.
- Rate Limiting and Geographic Filtering: For Russian infrastructure operators, filtering traffic from known-volunteer geographies is an option but is limited by the diversity of participating countries. For organizations with primarily Russian user bases, aggressive rate limiting on unusual source countries can reduce attack surface.
- Redundant ISP and BGP Diversity: The Lovit attack demonstrates that single-ISP dependence creates catastrophic disruption risk. Critical Russian infrastructure depending on a single internet service provider should implement ISP diversity and BGP multi-homing to prevent single-point disruption.
- Tool Proliferation Policy for Western Organizations: CISA's DDoS guidance and CSIS research both note the risk that DDoS tool distribution to volunteers creates a trained pool of operators who could apply those skills to non-conflict targets. Organizations should monitor for unauthorized installation of IT Army tools (MHDDOS, DB1000N, Distress, UKITA) on corporate systems and include these tools in application allowlist policies.
- Legal Guidance for Personnel in Conflict-Adjacent Countries: Foreign nationals participating in IT Army operations may face criminal liability under their home country's computer fraud statutes regardless of political framing. Organizations should provide clear guidance to employees in affected regions about the legal risks of participating in crowdsourced cyberattack operations, even those framed as patriotic or political.
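As an added illustration of the behavioral analysis that the Layer 7 mitigation and rate-limiting items above call for (example code written for this profile, not an IT Army tool or any vendor's product), the following script scores constructed web-server access logs two ways: per-source request rate, which catches a single noisy host, and the count of distinct sources hitting one path per time window, which catches the rotating-proxy pattern where every source stays under the per-IP limit. The thresholds, documentation-range IPs, and log lines are constructed assumptions.

```python
"""Two-signal detection of a distributed Layer 7 HTTP flood in access logs.

Per-source rate limiting alone misses a rotating-proxy flood, because each
source stays under the per-IP threshold; counting distinct sources per path
per time window catches the aggregate. Sample traffic below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# nginx/Apache "combined" format: ip - - [time] "METHOD path HTTP/x" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we score on, or None for an unparseable line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def analyze(lines, window_s=10, per_ip_max=20, distinct_src_max=25):
    """Bucket requests into fixed windows and apply both thresholds.

    Returns {"noisy_ips": [...], "flooded_paths": [...]} (sorted, deduplicated).
    Thresholds are assumptions; tune them to the site's real baseline.
    """
    per_ip = defaultdict(int)        # (window, ip)   -> request count
    srcs_by_path = defaultdict(set)  # (window, path) -> distinct source IPs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        w = int(rec["ts"].timestamp()) // window_s
        per_ip[(w, rec["ip"])] += 1
        srcs_by_path[(w, rec["path"])].add(rec["ip"])
    noisy = {ip for (_, ip), n in per_ip.items() if n > per_ip_max}
    flooded = {p for (_, p), s in srcs_by_path.items() if len(s) > distinct_src_max}
    return {"noisy_ips": sorted(noisy), "flooded_paths": sorted(flooded)}


def build_sample_log():
    """Constructed sample traffic (documentation IP ranges, not real data)."""
    base = datetime(2025, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, sec, path):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = []
    # Normal users: five hosts, four requests each, spread over a minute.
    for i in range(5):
        for k in range(4):
            lines.append(fmt(f"198.51.100.{i + 1}", i * 7 + k * 12,
                             ["/", "/news", "/login"][k % 3]))
    # One noisy host: 30 hits on /login inside a single 10 s window.
    for k in range(30):
        lines.append(fmt("203.0.113.9", 20 + k % 10, "/login"))
    # Rotating-proxy pattern: 40 sources, 3 hits each, one path, one window.
    for i in range(40):
        for k in range(3):
            lines.append(fmt(f"192.0.2.{i + 1}", k * 3, "/api/transfer"))
    return lines


if __name__ == "__main__":
    print(analyze(build_sample_log()))
    # {'noisy_ips': ['203.0.113.9'], 'flooded_paths': ['/api/transfer']}
```

On the constructed sample, the noisy host trips the per-IP rule while none of the 40 rotating sources does, and only the distinct-source rule exposes the flooded path; in production the window and thresholds should be calibrated against the site's own traffic baseline.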
The IT Army of Ukraine defies straightforward categorization within standard threat actor taxonomy. It is not criminal, not financially motivated, and not technically sophisticated in the traditional APT sense — yet it has sustained operations for over three years, achieved measurable impacts on Russian financial and telecom infrastructure, and has been identified by Russian intelligence-linked cybersecurity firms as the single most active hacking group targeting Russia. Its significance is primarily organizational and strategic rather than technical: it demonstrated for the first time that a government can mobilize a globally distributed volunteer cyber force at scale within days of a conflict trigger, using freely available tools, a single Telegram channel, and the moral framing of defensive resistance. Ukraine's experience with the IT Army is actively studied by other governments assessing whether analogous reserve cyber forces could be built for their own national defense postures — Finland, Estonia, and others are explicitly referenced in policy discussions. The principal long-term risks of the model are the normalization of civilian participation in offensive cyber operations, the proliferation of DDoS capabilities to volunteers who retain those skills after the conflict, and the unresolved questions of international humanitarian law governing state-sponsored but non-military cyber operations against civilian infrastructure in a war zone.
Sources & Further Reading
Attribution and references used to build this profile.
- CSIS — The IT Army of Ukraine: Structure, Tasking, and Ecosystem
- Council on Foreign Relations — Ukrainian IT Army: Cyber Operations Database
- Small Wars Journal — Ukraine's IT Army Is Waging a Crowdsourced Cyber War Against Russia (Mar 2025)
- The Record — Ukraine's IT Army Keeps Up Attacks on Russia Despite Waning Media Hype (Mar 2025)
- Kyiv Post — Ukraine's IT Army Is a Persistent Thorn in Moscow's Side (Apr 2025)
- Kyiv Independent — Opinion: Ukraine's Volunteer Hacker Army Is Pioneering a New Era of Cyber Warfare (Jul 2024)
- Flare — Crowdsourced DDoS Attacks Amid Geopolitical Events (2024)
- CEPA — Ukraine Volunteer IT Army Confronts Tech, Legal Challenges (2024)
- New Eastern Europe — Ukraine's IT Hacker Army Requires a Non-Technical Solution to Scale (Jul 2024)
- CyberScoop — Research Questions Potentially Dangerous Implications of Ukraine's IT Army (2022)