type: HACKTIVISM
threat_level: MEDIUM
status: FRAGMENTED
origin: Russia
last_updated: 2026-03-13

KillNet

also known as: KillMilk Group, Black Skills, KillNet 2.0, PMHC KillNet

KillNet is a pro-Russian hacktivist collective that rose to prominence during the Russia-Ukraine war, launching widespread DDoS campaigns against NATO nations, government infrastructure, healthcare systems, and organizations supporting Ukraine. Despite limited technical sophistication, KillNet became one of the most visible hacktivist groups of the conflict era through aggressive propaganda, Telegram-based coordination, and an ever-shifting network of affiliated sub-groups.

attributed origin: Russia
suspected sponsor: Pro-Kremlin / Unconfirmed state ties
first observed: 2021
primary motivation: Hacktivism / Financial / Disruption
primary targets: Government, Healthcare, Transportation, Finance
known campaigns: 12+ confirmed
mitre att&ck group: Not assigned
target regions: North America, Europe, Asia-Pacific
threat level: MEDIUM

Overview

KillNet originated as the name of a DDoS-for-hire tool advertised on Telegram and dark web forums beginning in October 2021. The tool was first offered on a subscription basis in January 2022 by a user known as KillMilk, who charged approximately $1,350 per month for access to a botnet reportedly capable of 500 Gbps throughput. Following Russia's invasion of Ukraine in February 2022, the group pivoted from a commercial service to a politically motivated hacktivist collective, pledging allegiance to Russia and launching waves of DDoS attacks against Ukrainian targets and nations supporting Ukraine.

KillNet quickly became one of the most visible pro-Russian hacktivist groups of the conflict, primarily due to its aggressive use of Telegram for propaganda, attack announcements, and recruitment rather than any particular technical sophistication. The group absorbed and coordinated with smaller affiliated collectives including Legion, Anonymous Russia, Anonymous Sudan, Zarya, Phoenix, and XakNet, forming a loosely structured umbrella of pro-Kremlin cyber operatives.

Despite the media attention, KillNet was widely derided within sophisticated cybercriminal circles. Members of top-tier Russian forums such as XSS and Exploit referred to the group in dismissive terms, and KillNet's leader KillMilk was criticized for exaggerating claims, taking credit for operations conducted by other groups, and engaging in financial fraud within the hacker community.

In November 2023, Russian outlet Gazeta.ru identified KillMilk as Nikolai Nikolaevich Serafimov, a 30-year-old Russian citizen with a prior drug distribution conviction. Following the exposure, Serafimov announced his retirement from KillNet in December 2023 and transferred control to the Deanon Club collective. The new ownership reportedly purchased KillNet assets for between $10,000 and $50,000 and steered the group away from hacktivism toward financially motivated cybercrime, including exposing darknet drug dealers and offering hack-for-hire services.

Serafimov later formed a new ideological offshoot called Just Evil in January 2024, while a separate faction called KillNet 2.0 also emerged as a decentralized collective claiming to continue the original pro-Russian mission. In May 2025, the KillNet brand resurfaced after months of silence, claiming to have hacked Ukraine's drone-tracking system; the claim was heavily promoted by Russian media but has not been confirmed by independent analysts. Researchers assess that the KillNet brand continues to splinter and reform, with factions operating under different identities while leveraging the original name for recognition and credibility.

Target Profile

KillNet's targeting has been overwhelmingly dictated by geopolitics, focusing on nations providing military, economic, or political support to Ukraine. The group has struck targets across North America, Europe, and Asia-Pacific, with a preference for high-visibility websites where temporary outages generate maximum media coverage.

  • Government & Public Sector: Primary target category. KillNet has attacked government portals, legislative websites, and public administration systems across the US, UK, Germany, Italy, Lithuania, Estonia, Poland, Romania, Czech Republic, Norway, Latvia, and Japan. Attacks are typically retaliatory, triggered by specific policy decisions such as sanctions, arms shipments, or public statements of support for Ukraine.
  • Healthcare: In January 2023, KillNet claimed responsibility for disabling the websites of 14 US hospitals, including Stanford Healthcare, Duke University Hospital, and Cedars-Sinai. The US Department of Health and Human Services issued a formal analyst note warning the healthcare sector about KillNet targeting. Group members also claimed intent to target hospital ventilators and other life-critical systems.
  • Transportation & Critical Infrastructure: Multiple US airport websites were taken offline in October 2022. KillNet also targeted the Tokyo Metro, Osaka Metro, and European transportation infrastructure. The group attacked Latvia's public broadcaster in what was described as the largest cyberattack in that country's history.
  • Financial Services: In June 2023, KillNet announced a campaign against the European banking system and successfully targeted the European Investment Bank. The group also claimed attacks against SWIFT and IBAN banking infrastructure, though the actual impact of these claims remains disputed.
  • Defense & Military: KillNet claimed attacks against Lockheed Martin in August 2022 in retaliation for HIMARS deliveries to Ukraine, and targeted NATO Special Operations Headquarters, Strategic Airlift Capability, and NATO communications networks.

Tactics, Techniques & Procedures

KillNet's operational playbook is centered on volumetric DDoS attacks, brute-force credential access, and information operations. The group is not considered technically sophisticated and primarily relies on commodity tools, publicly available scripts, and IP stresser services. Attacks documented by Italy's CSIRT followed a three-phase pattern: an initial wave of TCP-SYN, UDP, SYN/ACK amplification and DNS amplification attacks, followed by IP fragmentation attacks, and concluding with lower-frequency volumetric and state exhaustion attacks. Peak observed throughput was approximately 40 Gbps sustained for over 10 hours.
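
The three-phase pattern documented by Italy's CSIRT can be turned into a window-level traffic classifier. The block below is an added example written for this profile, not tooling from the page or from any vendor: it aggregates constructed NetFlow-style records toward a protected host and labels each window by the phase it most resembles (volumetric SYN/UDP/amplification floods, then IP fragmentation, then lower-rate state exhaustion). The Flow record layout, the synthetic windows and every threshold are assumptions chosen for illustration; the throughput figure it computes is for comparison against the 40 Gbps peak cited above, not a claim about real traffic.

```python
"""Classify short traffic windows against the three-phase DDoS pattern the
profile attributes to KillNet. Added example; the Flow layout, the synthetic
windows and every threshold below are assumptions, not page data."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record toward the protected host (NetFlow-like, constructed)."""
    src: str
    proto: str            # "TCP" or "UDP"
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: str = ""       # TCP flags seen: "S" SYN only, "SA" SYN/ACK, "A" ACK
    fragmented: bool = False


def window_indicators(flows: List[Flow], seconds: float) -> Dict[str, float]:
    """Per-window rates and traffic-mix ratios consumed by classify_window()."""
    pkts = sum(f.packets for f in flows)
    if pkts == 0:
        return {"pps": 0.0, "gbps": 0.0, "sources": 0}
    udp_pkts = sum(f.packets for f in flows if f.proto == "UDP")
    syn_pkts = sum(f.packets for f in flows if f.proto == "TCP" and f.flags == "S")
    synack_pkts = sum(f.packets for f in flows if f.proto == "TCP" and f.flags == "SA")
    frag_pkts = sum(f.packets for f in flows if f.fragmented)
    # Reflected DNS responses: UDP from source port 53 with a large average packet size
    dns_resp = [f for f in flows if f.proto == "UDP" and f.sport == 53]
    dns_pkts = sum(f.packets for f in dns_resp)
    dns_bytes_per_pkt = sum(f.bytes for f in dns_resp) / dns_pkts if dns_pkts else 0.0
    # Established TCP flows carrying almost nothing: the slow, state-holding style
    slow_conns = sum(1 for f in flows if f.proto == "TCP" and "A" in f.flags
                     and "S" not in f.flags and f.packets < 50)
    return {
        "pps": pkts / seconds,
        "gbps": sum(f.bytes for f in flows) * 8 / seconds / 1e9,
        "sources": len({f.src for f in flows}),
        "udp_share": udp_pkts / pkts,
        "syn_share": syn_pkts / pkts,
        "synack_share": synack_pkts / pkts,
        "frag_share": frag_pkts / pkts,
        "dns_resp_share": dns_pkts / pkts,
        "dns_bytes_per_pkt": dns_bytes_per_pkt,
        "slow_conns": slow_conns,
    }


def classify_window(flows: List[Flow], seconds: float) -> str:
    """Map a window to the phase it most resembles (thresholds are illustrative)."""
    ind = window_indicators(flows, seconds)
    if ind["sources"] == 0:
        return "empty"
    if ind["frag_share"] > 0.3:
        return "phase2-ip-fragmentation"
    amplification = ind["synack_share"] > 0.5 or (
        ind["dns_resp_share"] > 0.3 and ind["dns_bytes_per_pkt"] > 500)
    if ind["syn_share"] > 0.5 or ind["udp_share"] > 0.7 or amplification:
        return "phase1-volumetric"
    if ind["slow_conns"] >= 100 and ind["pps"] < 1000:
        return "phase3-state-exhaustion"
    return "baseline"


def synthetic_window(kind: str) -> List[Flow]:
    """Constructed sample traffic (not captured data) for each pattern."""
    srcs = [f"203.0.113.{i}" for i in range(1, 201)]
    if kind == "baseline":
        return [Flow("192.0.2.10", "TCP", 51000, 443, 200, 120000, "A"),
                Flow("192.0.2.11", "TCP", 51001, 443, 2, 160, "S"),
                Flow("192.0.2.12", "UDP", 53, 40000, 4, 400)]
    if kind == "syn_flood":
        return [Flow(s, "TCP", 40000, 443, 5000, 300000, "S") for s in srcs]
    if kind == "dns_amplification":
        return [Flow(s, "UDP", 53, 40000, 400, 480000) for s in srcs[:100]]
    if kind == "fragmentation":
        return [Flow(s, "UDP", 40000, 443, 3000, 4200000, "", True) for s in srcs[:150]]
    if kind == "state_exhaustion":
        return [Flow(s, "TCP", 40000, 443, 20, 1600, "A") for s in srcs[:150]]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind, secs in [("baseline", 10), ("syn_flood", 10), ("dns_amplification", 10),
                       ("fragmentation", 10), ("state_exhaustion", 60)]:
        print(f"{kind:18s} -> {classify_window(synthetic_window(kind), secs)}")
```

The phase order of the checks matters: fragmentation is tested first because a fragmentation wave usually still carries UDP, and the slow phase is only declared when packet rate is low, which is exactly why it slips past purely volumetric thresholds.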

MITRE ATT&CK technique mapping:

  • T1498 Network Denial of Service: Primary attack vector. KillNet conducts Layer 3/4 and Layer 7 DDoS attacks using botnets, IP stresser services, and the proprietary KillNet DDoS tool. Attacks include TCP-SYN floods, UDP floods, SYN/ACK amplification, DNS amplification, and IP fragmentation.
  • T1110 Brute Force: Forescout researchers confirmed brute-force credential attacks targeting TCP ports 21 (FTP), 22 (SSH), 80 (HTTP), and 443 (HTTPS) via honeypot analysis. Attacks used dictionary methods against common default credentials across 58 observed IP addresses.
  • T1572 Protocol Tunneling: During SSH sessions, KillNet operators attempted to establish SSH tunnels to create proxy connections, suggesting reconnaissance or pivot capabilities beyond simple denial-of-service.
  • T1592 Gather Victim Host Information: Targeted FTP port attacks included repeated use of the SYST command to determine remote system types, indicating reconnaissance efforts to identify target infrastructure before escalating operations.
  • T1491 Defacement: KillNet has conducted website defacement operations alongside DDoS campaigns, altering public-facing content to display pro-Russian messaging and propaganda.
  • T1078 Valid Accounts: The group has claimed access to compromised VPN credentials for government networks and has advertised stolen credentials and exfiltrated documents from NATO countries on Telegram and dark web forums.
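
The honeypot behaviours listed under T1110, T1572 and T1592 are easy to surface from authentication and service logs once they are grouped per source. The block below is an added example for this profile, not Forescout's tooling or anything from the page: it parses a constructed key=value log format, counts failed logins per source in a sliding window, checks the attempted credentials against a small constructed default-credential list, and flags repeated FTP SYST probes and SSH tunnel requests. The log format, the DEFAULT_CREDS set, the thresholds and SAMPLE_LOG itself are all assumptions.

```python
"""Flag brute-force, default-credential, FTP SYST reconnaissance and SSH tunnel
attempts in honeypot-style logs. Added example; the log format, DEFAULT_CREDS and
all thresholds are assumptions, and SAMPLE_LOG is constructed, not captured."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) port=(?P<port>\d+) service=(?P<service>\w+) "
    r"event=(?P<event>\w+)(?: (?P<rest>.*))?$"
)

# Small constructed dictionary of factory-default pairs (real feeds are far larger)
DEFAULT_CREDS = {("root", "root"), ("root", "admin"), ("admin", "admin"),
                 ("admin", "password"), ("ftp", "ftp")}

# Constructed sample: one noisy source hitting 22, 21 and 80, plus one ordinary user
SAMPLE_LOG = [
    f"2023-03-05T10:00:{i:02d}Z src=198.51.100.7 port=22 service=ssh event=auth_fail user=root pass={p}"
    for i, p in enumerate(["root", "admin", "123456", "password", "toor", "admin123",
                           "root", "qwerty", "letmein", "changeme", "admin", "root"])
] + [
    "2023-03-05T10:00:15Z src=198.51.100.7 port=21 service=ftp event=cmd cmd=SYST",
    "2023-03-05T10:00:16Z src=198.51.100.7 port=21 service=ftp event=cmd cmd=SYST",
    "2023-03-05T10:00:20Z src=198.51.100.7 port=80 service=http event=auth_fail user=admin pass=admin",
    "2023-03-05T10:00:30Z src=198.51.100.7 port=22 service=ssh event=tunnel_request target=10.0.0.5:443",
    "2023-03-05T10:05:00Z src=192.0.2.10 port=22 service=ssh event=auth_fail user=alice pass=REDACTED",
    "2023-03-05T10:05:07Z src=192.0.2.10 port=22 service=ssh event=auth_ok user=alice",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; trailing key=value pairs become extra fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["port"] = int(rec["port"])
    for pair in (rec.pop("rest") or "").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def analyze(lines: List[str], fail_threshold: int = 10,
            window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Per-source findings: peak failures in any window, ports touched, recon and tunnel signs."""
    by_src: Dict[str, list] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    findings: Dict[str, dict] = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["event"] == "auth_fail"]
        peak, j = 0, 0                      # sliding window over failure timestamps
        for i in range(len(fails)):
            while fails[i]["ts"] - fails[j]["ts"] > window:
                j += 1
            peak = max(peak, i - j + 1)
        f = {
            "ports": sorted({r["port"] for r in recs}),
            "peak_failures": peak,
            "default_cred_hits": sum(1 for r in fails
                                     if (r.get("user"), r.get("pass")) in DEFAULT_CREDS),
            "syst_probes": sum(1 for r in recs if r["event"] == "cmd" and r.get("cmd") == "SYST"),
            "tunnel_attempts": sum(1 for r in recs if r["event"] == "tunnel_request"),
        }
        tags = []
        if peak >= fail_threshold:
            tags.append("brute_force")
        if f["default_cred_hits"] >= 3:
            tags.append("default_credential_dictionary")
        if f["syst_probes"] >= 2:
            tags.append("ftp_recon")
        if f["tunnel_attempts"]:
            tags.append("ssh_tunnel_attempt")
        if len(f["ports"]) >= 3:
            tags.append("multi_port")
        f["tags"] = tags
        findings[src] = f
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(src, f)
```

The sliding window counts the densest cluster of failures rather than a daily total, so a 20-second burst of dictionary guesses stands out while a user who mistypes once an hour does not; the multi-port tag is what separates a targeted operator from a single-service scanner.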

Known Campaigns

Confirmed or highly attributed operations linked to KillNet and its affiliates. Campaign activity peaked in 2022 and declined significantly following internal fragmentation in late 2023.

Lithuania DDoS Barrage 2022

Retaliatory campaign against Lithuanian government and private infrastructure after Lithuania blocked transit of EU-sanctioned goods to Russia's Kaliningrad exclave. Over 1,652 web resources were disrupted across a 10-day period beginning June 22, 2022, representing one of the group's largest sustained operations.

Eurovision Song Contest Disruption 2022

Attempted DDoS attack against the Eurovision voting system during Ukraine's performance at the 2022 contest in Italy. The attack was blocked by Italian state police. KillNet denied the failure on Telegram and subsequently attacked the Italian state police website in retaliation.

Multi-Country Government DDoS Wave 2022

Broad campaign targeting government websites across Italy, Germany, Romania, Norway, Poland, Estonia, and the Czech Republic. On May 16, 2022, KillNet formally declared war on 10 nations. Attacks hit the Italian Senate, multiple government ministries, and critical public services. Italy's CSIRT documented attacks peaking at 40 Gbps sustained for over 10 hours.

Lockheed Martin Retaliation 2022

DDoS attack against US defense contractor Lockheed Martin in August 2022, launched in retaliation for the company's provision of HIMARS rocket systems to Ukraine. KillNet claimed to have targeted production systems and employee data, though the actual operational impact was limited.

US Airport Website Attacks 2022

DDoS campaign against multiple US airport websites in October 2022, alongside attacks on 12 US state government websites. The attacks caused temporary service outages but did not affect airport operations or flight systems.

Japan Government DDoS Campaign 2022

In September 2022, KillNet claimed attacks against 23 websites across four Japanese ministries and agencies, including the e-Gov administrative portal and eLTAX local tax system. The group also posted a video declaring war on Japan and claimed attacks on Tokyo Metro and Osaka Metro systems.

US Healthcare Sector Attacks 2023

In January 2023, KillNet claimed responsibility for disabling the websites of 14 US hospitals including Stanford Healthcare, Duke University Hospital, and Cedars-Sinai. The US Department of Health and Human Services issued a formal analyst note warning the healthcare sector about KillNet targeting.

German Government DDoS Campaign 2023

Wide-ranging DDoS campaign against German government agencies, airports, and financial sector websites in January 2023, announced as retaliation for Berlin's decision to send Leopard 2 battle tanks to Ukraine. The German Federal Office for Information Security (BSI) issued an alert about the ongoing attacks.

European Banking Sector Campaign 2023

In June 2023, KillNet announced a joint campaign with Anonymous Sudan and claimed collaboration with REvil to target the European banking system. The European Investment Bank was successfully disrupted. The REvil involvement was unconfirmed and likely a reputational play by KillNet.

Ukraine Drone-Tracking Claim 2025

In May 2025, KillNet resurfaced after months of silence, claiming to have hacked Ukraine's drone-tracking system and to have provided geolocation data to Russian forces. The claim was heavily promoted by Russian media but remains unconfirmed by independent analysts. The timing coincided with Russia's Victory Day, suggesting a propaganda operation.

Tools & Malware

KillNet relies primarily on commodity DDoS tools and publicly available scripts rather than custom-developed malware. The group's technical footprint is relatively shallow compared to state-sponsored APTs.

  • KillNet DDoS Tool: The group's namesake tool, originally offered as a subscription service. Capable of Layer 3/4 and Layer 7 DDoS attacks, reportedly backed by a 700,000-node botnet utilizing blockchain technology. Priced at $1,350/month with 500 Gbps capacity.
  • Low Orbit Ion Cannon (LOIC): Well-known open-source DDoS tool used by KillNet members and volunteers. Distributed via Telegram channels to enable crowdsourced denial-of-service attacks.
  • CC-Attack: HTTP flood tool used for Layer 7 application-layer DDoS attacks against web servers and APIs.
  • MDDoS: Multi-vector DDoS script used alongside other tools during coordinated campaigns.
  • KARMA & Dummy: Additional DDoS scripts distributed among KillNet affiliates and shared via Telegram coordination channels.
  • IP Stresser Services: KillNet members are known to use commercial stresser-for-hire platforms including Crypto Stresser, DDG Stresser, Instant-Stresser, and Stresser.ai for amplifying attack volumes.
  • KillNet Ransomware: A rebrand of the Chaos ransomware family, a Ransomware-as-a-Service program previously advertised on the XSS forum. Employs single-extortion encryption techniques and is used by lower-tier operators within the KillNet ecosystem.

Indicators of Compromise

KillNet IOCs are primarily sourced from DDoS traffic analysis and brute-force credential attack logs. Due to the group's use of rented botnets, IP stresser services, and shared infrastructure, IOCs have a short operational lifespan and high turnover rate.

Warning:

KillNet IOCs are highly transient due to the group's reliance on rented botnets and stresser services. IP addresses rotate frequently, and shared infrastructure means that attribution based solely on network indicators is unreliable. Cross-reference with live threat intel feeds and behavioral analysis before blocking.

Note:

Forescout's honeypot research documented 381 attack instances from 58 IP addresses associated with KillNet activity, including brute-force credential attacks on FTP, SSH, HTTP, and HTTPS ports. Specific IOC feeds are available through Forescout's Vedere Labs, Flashpoint, and SOCRadar threat intelligence platforms. Organizations should consult these platforms directly for current indicators, as static IOC lists for KillNet degrade rapidly.

Mitigation & Defense

Recommended defensive measures for organizations in KillNet's target profile. Given the group's reliance on volumetric DDoS and brute-force techniques, defenses should prioritize availability protections and strong authentication.

  • DDoS Mitigation Services: Deploy DDoS mitigation through an ISP, CDN, or dedicated WAF provider. Organizations should have pre-configured scrubbing services that can absorb volumetric attacks exceeding 40 Gbps, the observed peak of KillNet campaigns.
  • Rate Limiting & Traffic Filtering: Implement rate limiting on public-facing web applications and API endpoints. Configure firewalls to detect and block TCP-SYN floods, UDP floods, DNS amplification, and SYN/ACK amplification patterns documented in KillNet's three-phase attack methodology.
  • Strong Authentication Policies: Enforce strong, unique passwords across all internet-facing services, particularly FTP (port 21), SSH (port 22), HTTP (port 80), and HTTPS (port 443) where KillNet brute-force activity has been confirmed. Deploy multi-factor authentication on all administrative interfaces.
  • Telegram Channel Monitoring: KillNet consistently announces targets on Telegram channels prior to launching attacks. Organizations should monitor relevant channels for mentions of their domains, brands, or sectors to gain early warning of impending campaigns.
  • Incident Response & Business Continuity: Maintain documented DDoS response playbooks with predefined escalation procedures, communication plans, and failover configurations. Test these plans regularly, as KillNet attacks are typically short-duration but disruptive.
  • Geopolitical Awareness: KillNet's attack timing is tied to geopolitical events such as sanctions announcements, arms deliveries, and political statements of support for Ukraine. Organizations in targeted sectors should increase defensive readiness during periods of heightened geopolitical tension.
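
The rate-limiting measure above is usually implemented at the edge, but the logic is simple enough to show end to end. The block below is an added example written for this profile, not a product from the page: a per-client token bucket that allows a burst and a sustained rate, escalating to a timed block when a client keeps sending after being limited. Capacity, refill rate, strike count and block duration are assumptions, and the two request traces (a flooding source and a normal client) are constructed.

```python
"""Per-client token-bucket rate limiting with a temporary block for clients that
keep hammering after being limited. Added example of the rate-limiting control
recommended above, not a tool from the page; capacity, refill rate, strike count
and block duration are assumptions, and the request traces are constructed."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple


class TokenBucket:
    """Classic token bucket: `capacity` burst, `refill_per_sec` sustained rate."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity
        self.last = 0.0           # timestamp of the last update (monotonic seconds assumed)

    def allow(self, now: float, cost: float = 1.0) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = max(self.last, now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class PerClientLimiter:
    """One bucket per client key; repeated rejections escalate to a timed block."""

    def __init__(self, capacity: float = 10, refill_per_sec: float = 4.0,
                 block_after: int = 20, block_seconds: float = 60.0) -> None:
        self.capacity, self.refill = capacity, refill_per_sec
        self.block_after, self.block_seconds = block_after, block_seconds
        self.buckets: Dict[str, TokenBucket] = {}
        self.strikes: Dict[str, int] = defaultdict(int)
        self.blocked_until: Dict[str, float] = {}

    def check(self, client: str, now: float) -> str:
        """Return 'allow', 'limit' (dropped, bucket empty) or 'block' (client in penalty)."""
        if self.blocked_until.get(client, 0.0) > now:
            return "block"
        bucket = self.buckets.setdefault(client, TokenBucket(self.capacity, self.refill))
        if bucket.allow(now):
            return "allow"
        self.strikes[client] += 1
        if self.strikes[client] >= self.block_after:
            self.blocked_until[client] = now + self.block_seconds
            self.strikes[client] = 0
            return "block"
        return "limit"


def replay(limiter: PerClientLimiter,
           requests: List[Tuple[float, str]]) -> Dict[str, Dict[str, int]]:
    """Feed (timestamp, client) pairs in time order; return decision counts per client."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for t, client in sorted(requests):
        counts[client][limiter.check(client, t)] += 1
    return {c: dict(v) for c, v in counts.items()}


# Constructed traces: a flooding source sending 5 requests every 250 ms for 5 s,
# and a normal client sending one request per second for 10 s.
FLOOD = [((i // 5) * 0.25, "203.0.113.9") for i in range(100)]
NORMAL = [(float(i), "192.0.2.5") for i in range(10)]

if __name__ == "__main__":
    print(replay(PerClientLimiter(), FLOOD + NORMAL))
```

Keying on source address is the natural choice against a botnet, but two caveats follow from the IOC notes on this page: rented addresses rotate quickly, so long block windows buy little, and a single address may front many legitimate users behind NAT, so the limiter belongs behind upstream scrubbing rather than in place of it.
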

Note:

While KillNet's original structure has fragmented significantly since late 2023, splinter groups such as KillNet 2.0 and Just Evil continue to operate under related banners. The KillNet brand resurfaced in May 2025 with unverified claims of hacking Ukraine's drone systems. Organizations previously targeted by KillNet should maintain monitoring posture, as the group has a pattern of dissolving and reconstituting under new identities while retaining the same operational playbook.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile