
Versus Killnet

BSidesSF · 2025 · 30:38 · 58 views · Published 2025-10 · Watch on YouTube ↗
Style: Talk
About this talk
Versus Killnet, presented by Alex Holden. The Russian hacktivist group Killnet was a cyber army directed by a few to cause harm. With a checkered history and inconsistent behaviors, deciphering who is behind this group was challenging, but we'll lift this veil and share a personal story of disrupting and unbalancing Killnet into chaos. https://bsidessf2025.sched.com/event/585ad63396a85b7719ff0ab9e53b574d
Transcript [en]

All right, folks. I am John D and you are here in the IMAX theater, the best theater in the house for excellent presentations, and we're going to go ahead and get started. So I'm happy to pass this over to an incredible speaker. This is Alex Holden with Hold Security. Take it away, Alex. Oh, wait. Hang on. Sorry. Got one more thing. Sorry, the questions are on Slido. So if you want to ask a question of Alex, go to Slido and we'll have them at the end. All right. One more round of applause for Alex and he's going to get going. Here we go.

All right. Well, thank you everybody, and it's a pleasure to be here at BSides in San Francisco. This is a huge, huge screen. I think the true purpose of my first slide is that if you guys get bored, snap a picture of this, find me on LinkedIn, post a picture of me speaking. I think, especially from the back rows, I'm going to look really, really thin. My mom likes those pictures that, you know, don't take the full frame. But it's absolutely a pleasure, and I'm going to tell you today a story, a story that you probably won't hear in too many places. I'm going to talk about Russian hacktivists, and I'm going to put a personal connection to this. I do a lot of different presentations, speak at hundreds of events, and this is indeed the most personal presentation and story that I've ever done. So hopefully this actually brings things very close for some of you as well.

I'm going to be talking about Russian hacktivism and kind of explain why the Russian hacktivism that emerged over the past three years became a game changer for the worse on the internet for all of us. Before the Russian invasion of Ukraine, hacktivism was kind of frowned upon, and there were attempts by hacking groups to wreak some havoc. But Killnet and many other Russian gangs and hacktivist collectives made things normal. We no longer retaliate on a national level against attacks from hacktivists of a foreign nation. Think about what Russians have been doing after this with anybody that they don't like, not only Ukrainians but the US, Europe and everybody else in the world. This same wave went through the Middle East when the war in Israel started. The pro-Hamas hacktivists actually started destroying anything in Israel without much repercussion. And even today we see attacks from foreign nations. For example, several years ago, Canada and India had diplomatic issues, and within 24 hours, the next day, using the same techniques that Russian hacktivists did, Indian hacktivists started attacking the nation of Canada, targeting their citizens. So this is the story of how hacktivists became normal, and there is really no retaliation from us as a nation against these groups. So this is the bad part. The good part I'm going to start right now.

So first of all, the talk is about the Russian hacktivist group Killnet. Killnet itself came into existence on November 13th of 2021, three months before the beginning of the war in Ukraine. It was a Russian group. They marketed themselves as distributed denial of service as a paid service. They started attacking things, and they started their career as a DDoS service in very interesting ways. So when a DDoS service establishes itself in Russia, it picks its targets, it picks its enemies, and Killnet became a pro-Russian hacktivist group in just several months. Its first targets were actually just the opposite: Russian law enforcement and other government institutions. On a personal note, look at all those logos. Man, they're huge. But I think Russian branding doesn't have much imagination. It's just this chicken with two heads, and that's it, all logos for all the different organizations. Nevertheless, Killnet actually targets all of these organizations in a blind way to show that, hey, we are strong, we can take down our own government institutions. Very interesting and bold move. But in just a short two months, on February 23rd, just a day before the invasion of Russia into Ukraine, Killnet all of a sudden declares itself a pro-Russian hacktivist movement, and everything pro-Russia, against Ukraine. The redefining of hacktivism is happening just about then, because Killnet picks on the Anonymous group immediately. They start attacking the Anonymous group, start taking things out almost immediately, just to pick new enemies to show, hey, we can do this.

But what Killnet does, it starts drafting into its ranks unusual folks. Think about the Russian Federation at the beginning of the war with Ukraine, not only as an evil empire but also a nation of really smart IT folks, and most of them that actually had been employed by Western organizations in the US and in Europe lost their jobs really overnight. So I know lots of companies, including some of your companies, that have fully divested and exited the Russian market, fired every single employee that they had in Russia. So thousands, tens of thousands or hundreds of thousands of individuals with good technical skills, not hackers but just IT personnel, became unemployed overnight, and they were not particularly happy about this, for some reason. So what they start doing, they start joining this hacktivist movement because they've got a personal vendetta, not even a national idea, but they actually start joining the hacktivist collective because they want payback on their previous employers, and guess what, they know some secrets, they know some passwords, they know access techniques, and what's more important, they hold certain unique skills that typical threat actors don't. So think about the network people. Network people understand the network protocol. So they probably can, even in DDoS, max out bandwidth much more effectively versus folks who don't understand the network stack. And developers, who don't understand the network stack as much but understand layer 7 and application components, can actually build very expensive layer 7 queries, for example, to max out the resources of their target. So the Killnet collective actually made things attractive for Russian IT folks, disgruntled people who were upset at the West, to use their skills.

The interesting thing, probably one of the funniest things I read in the Killnet collective Telegram channel, was one guy said that even my grandma joined Killnet. She is sitting at her computer half a day and she's clicking reload really quickly in her Edge browser. So that's the DDoS that she is participating in, and obviously, you know, you didn't expect that from this evil grandma and her web browser, and, you know, probably the arthritis she would get from clicking so much. But this shows that it actually makes hacktivism a normal component, and the Russian government actually contributes to all of this, because they go out of their way and suggest that participating in pro-Russia hacktivist activities is actually a good thing. It's a patriotic thing. So Russian members of the Duma, which is the equivalent of the US Congress, actually go on the record saying that we should not be drafting into the military folks who are hacktivists, because they are using cyber weapons to fight for Russia. Killnet at its highest point had 120,000 members within their Telegram channels, and almost 100,000 individuals actually contributed in some way towards this hacktivist collective. It's decentralized. It's huge, and they all take orders for various things.

I want to show you one of the interesting things here. Usually this is much easier to read for some of you. On the left side you're going to see the original Russian text. We took out some offensive graphics. And on the right side there is a translation. This is a call for action in February or January of 2023, one of the many calls for action posted by Killmilk, the leader of Killnet, in their channel. It basically calls for DDoS attacks against hospitals, US hospitals, hospitals around the world. And this is a vile show of attacks against just medical institutions. What's probably the most vile is the postscriptum at the end. It says "kill them first" in Russian. This is how Russian hacktivists look at our medical institutions. They attacked financial institutions. They attacked airports. Their attacks were maybe not as difficult to mitigate technically, but their attacks were absolutely despicable and vile. We see their attempts to intimidate employees of Lockheed Martin and Boeing by photoshopping their leadership in caskets, saying that this will happen to you if you keep supporting Ukraine with your weapons. This is what we are set against. And if you think about this, this is the face of our enemy, a true face of the enemy that is very hard to ignore.

Who are the leaders of this organization? Let's talk about a young person named Killmilk, who really organized and built this whole thing. On the surface, Nikolai Serafimov is just a young person. At the beginning of Killnet he was not even 30 years old. And if you look at him as a persona, you actually find him a normal person. He is a husband, a musician. Early in his career, he recorded a whole bunch of interesting music tracks, not terrible. And he led Killnet for its entire existence through a lot of rhetoric and a lot of patriotic things. If you look at his social media, you'll find pictures like this from his military service, and you see that he branded himself as a patriot, somebody pro-Russia, a Russian, pro-Russia. But the real Killmilk is nothing like that. He is a racist and a fascist. You know, we looked at lots of his sources of social media, other posts. I don't care to put on screen the fascist and racist things that he has said, but trust me on that, there is nothing interesting or good about this person. He is also a young man with a vendetta. Back in 2013, he writes about getting payback on anybody who didn't believe him, who wronged him, when he rises to power. And this is his direction in life.

The real Killmilk is also a drug user, a very avid drug user, and a drug dealer. In fact, in one of those social media surveys that he had, again when he was younger, he was answering like 50 questions about himself, and he's being asked questions like, what kind of surprises do you like, and he's like, illegal drugs. Yeah, that's what I like. What controls your mood? And he says, well, it depends on the amount of drugs in my system. Yeah. But this drive to drugs actually led him to dealing drugs, and in 2017 he actually gets arrested by Russian law enforcement for drug dealing. This is a very important thing, because he was arrested, based on court records, he fully cooperated with the investigation, and this conviction was based on Article 228.1 Part 5 of the Russian Criminal Code. The reason why I'm mentioning this by name is because you guys obviously know about it. But this statute actually requires 8 years of imprisonment, and even with good behavior and full cooperation with the investigation, the judge is only at liberty to halve the sentence. So he had to spend at least four years in prison by Russian law. The interesting thing is that within a year of his conviction, in 2018, he is already out. He is communicating, he's taking out personal loans. He's living life outside of the gulag. Why? This is really unprecedented for Russia. Russia does not really deal well with its drug users. So what they do, most likely, for these types of commuted sentences, is full cooperation with Russian law enforcement and becoming a rat for Russian law enforcement. So Killmilk at that point most likely flipped and started working for the Russian government.

We fast forward to 2022, when Killmilk is at the top of his game. He organized Killnet, and Killnet is being covered in all our news channels, and we are watching in horror how much damage Killnet is doing. In his interview on October 9th of '22, he actually answers a question for a Russian propaganda magazine, Art, which is a mainstream magazine. He does this anonymous interview, and he's being asked who he wants to thank outside of Russia, and he thanks a group called Solaris, which is a Russian illegal drug cartel, for all its success, and the success of Killnet, which would not exist without the help of Solaris. We saw this, and we decided to do something about it.

By way of very belated introductions, because we're halfway through the presentation, I think it's a good thing to explain why I'm going to be talking about myself a little bit right now: this is where it gets personal. So my name is Alex. I was born in Ukraine many years ago. Today is actually the 39-year anniversary of the day that changed my life, because today is the 39-year anniversary of the Chernobyl tragedy. After that my parents left Ukraine, and in 1989 we immigrated to the United States. I lived for 35 years in Milwaukee. I spent my entire career in IT and cybersecurity. I know a single tool in cyber threat intelligence. But the highlight of my resume is very simple. I've been making Mr. Putin mad since [Applause] [Music] 2014. In 2014, we did something on the front page of the New York Times, and that put me on Putin's naughty list then, and I have not been allowed in Russia since. I put my own sanctions against Putin myself. He's not allowed in my house. If he comes in, he can wait in the garage. But yeah, payback.

So having started my organization 12 years ago, and having much love for Ukraine as my homeland, I actually started part of my company in Ukraine two weeks after the beginning of the Russian invasion of Ukraine in 2022. And I wanted to do something about this, because when he mentioned Solaris, I actually know much about Solaris. Why does a threat intelligence company know much about the Russian illegal drug trade? Very, very simple. We actually monitor cyber threat actors by their drug use. A lot of them use drugs, like buying illegal drugs. They go on the dark web. They use the same nicknames, and we know where they buy their drugs. Most people in Russia buy their drugs near their home. So we can actually triangulate their physical location, monitor these things. So we do something incredible. We destroy Solaris as a platform, and we take the money that Solaris is making and get them themselves to deposit their money into a pro-Ukrainian charity that helps the elderly in the winter, in the cold winter that Russia caused for them by taking out electricity. So we started step one of the attack against Killnet by getting into Forbes magazine, by going after Solaris.

So how this happens on the technical side: we knew Solaris for quite a while. It was established by a threat actor named Zanzi in 2017. It operates more than a thousand drug shops, because it's a platform for Russian drug service. At the time it was the number two Russian drug service platform, with about four bitcoins of daily revenue. And to me it was confusing, because we knew Solaris well; a couple of years before, Zanzi came to us and asked us to fix some of the code of his PHP. We are a threat intelligence firm. So we have connections, and when he reached out and said, hey, help us out, we definitely didn't get his PHP code running, but we installed a little back door on one of his servers that survived several years. So, monitoring these guys for so long, we actually had the ability to track Zanzi's cell phone. So, while Killmilk is saying, "Hey, we got help from Solaris, which is a foreign organization." No, Zanzi is actually inside Moscow. He's moving around, shopping in shopping centers, going to restaurants. We got visibility. So we log into the Solaris platform and we jerry-rig it. So for a day it's actually depositing all the money and helping folks in Ukraine to weather the rough winter, elderly people who could not fend for themselves. And we put this on the front pages of Forbes, because this was important.

So the response from Solaris is like, we were not breached. Somebody just logged in and did something. We fixed everything. So they said that they kicked us out. We log into their GitLab to take a look at what exactly was changed, because they kicked us out from everywhere, and we see that they changed, obviously, the Bitcoin wallet where they are depositing. They changed their logo, and they changed the date on the copyright, because it was about time. So we still have full control over the Solaris infrastructure, thanks to Ansible, thanks to SSH keys that are very easy to monitor. And a couple of weeks after that we actually go out with our own post, and we actually post not only about Solaris and their infrastructure, but we dump all their source code, we dump all their forums, we dump all their transactions of illegal drug buying. A side effect, really cool: Solaris immediately got taken out by the competition. But just a year ago, Solaris finally ceased to exist, because they never regained the number two position. They were not really a viable marketplace. So we destroyed that.

But we had to weather the storm. So weathering the storm is extremely difficult, because there are cyber threats. I didn't translate that. There's nothing good. He's saying, that's Killnet, Killmilk, making me the number one enemy to this day. Some doxing, a little bit, nothing embarrassing, but it's out there. Targeting, swatting; swatting is not fun. But thanks to my local PD, who were extremely understanding and very sensitive to these types of things. But what we are doing here, we did something really great, because by getting onto the front pages of the media, we were actually able to give this message not to our own folks but to Russian oligarchs and the Russian government: that they've got competition. I'm sure the Russian government thought that they were running Killnet, but Killnet was really being powered by the Russian illegal drug trade, and the Russian government doesn't like competition. So they cut off Killnet from its monetary source, and the unraveling of Killmilk starts.

So Killmilk posts saying, hey, altruism is over. We, Killnet, are going to be an only for-profit organization. Pay us and we're going to take out your targets. But it doesn't really work. I mean, how would 100,000 people go and get paid from their tasks? So it's only Killmilk getting paid. It doesn't work. Then he says everybody is fired. We're starting Killnet over. I'm the only one rebuilding. Doesn't matter. Then he hands over control to somebody called Blackside, and all of a sudden somebody mentions, didn't Killmilk used to be Blackside a while ago? So you just gave this to yourself. Doesn't make sense. Furthermore, on October 6 of 2023 he actually posts something like this on their Telegram channel, and he actually says that now, as of today, Killnet is making a first step toward peace. He actually outlined the way that Killnet no longer attacks civilian targets. It only participates in military actions, and that actually sounded good. It actually said that he's going to be following the Red Cross directive. But October 6 of '23 was a relatively good day, because the next day, when the tragedy in Israel happened with the terrorist attack by Hamas, we saw a completely different rhetoric, where Killmilk didn't wait much, just 24 hours, to call for attacks against Israel. So that's, you know, again going to the character, going to these types of attacks.

Now going into 2024. In January of 2024, Killmilk sells the Killnet channel for about $10,000 US. He sells it to Deanon Club. So he's no longer making money. He's trying to make money any way he could. And the last asset that he had, he actually sells to the Deanon Club. Guess what the Killnet channel does right now? You would never guess, because it's so much fun: the new Deanon management of the Killnet channel is dedicating this channel to fighting the illegal Russian drug trade. I think we set a good example. They are actually trying to get in the good graces of the Russian government by doxing the drug dealers in Russia so they can get money, financial support. They didn't. So what Killmilk is doing: Killmilk himself gets exposed by Russian media. So Russian media, which is government controlled, was actually set against Killmilk to dox him completely, to show him at home, stuff like that. Killmilk is in complete financial ruin. We see that at the beginning of 2023 he owned four cars, some of them pretty expensive: BMWs, Porsches, a Panamera, stuff like that. Four cars between him and his wife. He pawns all of them, takes money out from under them. And there are microloans that we can see that he's taking out, and these loans that he's taking out are like for 50 bucks for his wife's nails, something like that. It's just funny and ridiculous. He leaves Killnet completely. So Killmilk is done with Killnet. He doesn't want to do anything. He joins a couple of other projects, gets in a fight, and absolutely destroys his reputation. He started a school of darknet. If you have extra money and you want to buy this course from him, it's between 300 bucks and 29,000 bucks. Based on reviews, because we didn't buy it, and these are terrible reviews, saying that he just sends you a whole bunch of links and he doesn't help and he immediately leaves. He collects money, and he's spending a lot of time getting in flame wars. The only interesting thing he's done: he actually released a couple of singles. He sings profanity-ridden songs about Biden, about other folks, and not much more. Quite recently he actually declares, like, there are rumors, that he spread, that he had died, he was killed. That evening he comes back saying, no, I was not killed, I was just seeing if you pay attention. We didn't. But that's kind of the thing.

But let's talk about legacy. We were able to identify these things, and we were able to show that hacktivism is actually sweeping the world. Killnet was a huge group of threat actors who made a lot of splashes. They made things difficult. They scared people. They assaulted people. They breached things. They made hacktivism acceptable in mainstream Russia, and now it's acceptable in the mainstream of other countries, showing that they would not be punished. This is showing also how propaganda is a huge tool, that a group of people who can run a Telegram channel or Twitter channel or something like that can actually be extremely successful. And from our perspective, the great thing about this was our ability to make a difference: the operation against 100,000 Russian threat actors, who some of the Russian and Ukrainian press called a herd of wild animals, that were just attacking everything that they could. We had a team of nine people who devised this plan. Step one, highlight their connection with the illegal Russian drug trade. Step two, make sure that everybody hears about it. Step three, sit back and watch things unravel. This is not only a story about Russian hacktivism. It's also a story about a very small team of dedicated folks, all of them from Ukraine, who were able to take out this herd of wild animals and stop them quite successfully. It didn't happen overnight, but it happened eventually. And that's the story I wanted to tell you today. Thank you. [Applause]