Versus Killnet

BSides Frankfurt 2025 · 46:27 · 59 views · Published 2025-12
About this talk
Alex Holden reveals how a deep investigation into the Russian hacktivist collective Killnet exposed its hidden vulnerabilities and led to its dismantling. By uncovering Killnet's ties to the Solaris darknet drug marketplace and diverting illicit profits to Ukrainian charities, the operation triggered a crisis of trust that eroded government backing and crippled the group's infrastructure. Holden shares the tactics, risks, and lessons from identifying Killnet's leader and orchestrating the group's dramatic collapse.
Original YouTube description

How Killnet Was Taken Down: The Inside Story by Alex Holden

Killnet, Russia’s notorious hacktivist collective, operated as a shadowy cyber army—until a bold investigation exposed its hidden vulnerabilities. Alex Holden reveals how a deep dive into the group’s ties to the Russian darknet drug marketplace, Solaris, became the key to its undoing. By diverting illicit profits to a Ukrainian charity, the operation triggered a crisis of trust, eroding government backing and crippling Killnet’s infrastructure. This talk uncovers the true identity of Killnet’s leader, KillMilk, and explores how targeted actions led to the group’s dramatic collapse. From hacktivism to disintegration, Alex Holden shares the tactics, risks, and lessons from dismantling one of the world’s most destructive cyber threats.

Slides: https://bsidesfrankfurt.org/files/Versus%20Killnet%20-%20Frankfurt.pptx.pdf

Transcript [en]

Give him a round of applause. [applause] Thank you. [cheering]

>> Good morning, everybody. It's good to be here, and it's a pleasure to talk to you at BSides Frankfurt about one of the most unusual topics. If you Google my name, I think there are 20 million hits to that on Google. Don't believe everything that you read on the internet. But I do a lot of presentations. I talk about different topics. I do a lot of unusual research as part of my career and my company. But this is definitely the most personal and the most unusual talk that I have ever given. So please bear with me, and hopefully you'll find this incredible journey that we took to stop a group called Killnet as fascinating as I do. Let's see, trying to figure out how it works. All right.

So the topic today is a Russian hacktivist group, Killnet. I'm going to give you a history, and I'm also going to talk about the group that really normalized hacktivism. Just imagine that about 5 years ago it would be completely unheard of that one nation would weaponize its citizens to attack another nation or other nations it doesn't like. This, before the Russian invasion into Ukraine in 2022, would be grounds for significant conflict, if not outright war. But we actually live in an age where hacktivism and attacks of one nation against another in cyberspace have been called normal. My story today is about the beginnings, the roots of this, and really how to leverage cyber security threat intelligence to stop a large movement like this.

So let's meet Killnet. Killnet is a group in Russia that was started in November of 2021 that was just a DDoS service that was taking money for its targets, and this happens quite a bit. It was not a single source or single service. It was one of the run of the mill, and its first targets in Russia were highly unusual. In fact, in November and December of 2021, Killnet DDoS services were used to attack these types of groups. These are different Russian government groups. As you can see based on their logos, they don't have much imagination. The chicken, whatever they have, kind of looks the same everywhere. But imagine that a group that became prolific in attacking Russian enemies was first targeting the Russian government. This didn't go unnoticed, and just 3 months after the beginning of its existence, on a day before the Russian invasion into Ukraine in 2022, Killnet actually changes its tune. It declares its allegiance to the Russian government and it becomes a voice of Russian hacktivists across Russia. It's interesting that it starts its first cyber attacks against the Anonymous group. They start DDoSing the Anonymous group websites, and the Anonymous group has been very prolific.
Anonymous group actions for years have been on my birthday. There is a coincidence to that, because I don't work on my birthday and somebody figured out it's going to be fun to create difficult things. But Killnet actually targets Anonymous and Anonymous groups. Killnet actually goes much further, and just in May of 2022 starts attacking not only Ukrainian targets but anybody who would support Ukraine. This is interesting and unusual, and it starts growing its following on Telegram and other places where it advertises, for a number of interesting reasons. Killnet is not only enveloping hacktivists and hackers from Russia in its ranks, but it's actually inviting into its ranks a previously unprecedented number of individuals who simply did not consider themselves hackers in the past.

Imagine this. Before the Russian invasion into Ukraine, a number of individuals from Russia called their employers here in Europe and the United States, around the world, and they were actually gainfully employed there. But after the Russian invasion into Ukraine, many companies, almost all companies in Europe and the United States, within a week or two fired every single employee of theirs who lived and worked in Russia. So a number of not only cyber security but a lot of IT personnel, developers, system administrators, even help desk, all of a sudden became unemployed and very, very angry at their employers. They were not angry, for some reason, at the country and the government, because they're not allowed to be angry, but they actually were angry that they lost their livelihood, and most of them were making quite a bit of money working for Western companies in very poor areas of Russia. So these individuals had skills, technical skills, and they had resolve to start joining hacktivist movements.

Think about this: individuals who are not career cyber criminals still can do a lot of damage. First of all, many of these ex-employees still held keys to their employers. They had passwords, maybe not their own, but the group passwords or joint accounts. They [clears throat] understood well the infrastructures they used to support and develop, and also they had unique skills. Imagine that even in a DDoS attack, the DDoS attack does not need to happen just on the network layer. It can be overwhelming a routing protocol. It can be overwhelming a basic application by creating very expensive queries or search terms and really exhausting resources on the web server that they're trying to target. These are individuals who had skills, knowledge and definitely motivation in order to start all these attacks, and they had a lot of spare time.

In fact, one of my most interesting, probably favorite, characters in Killnet, according to one guy who was writing about this in the channel, was his grandma. He said that his grandmother joined Killnet. In fact, for about an hour a day she sits at her computer and opens Internet Explorer, he said, and clicks the reload button as quickly as possible on the site that was targeted for DDoS. Well, we are not particularly afraid of that grandma, and the grandma can be definitely stopped by us writers at least, but we see that almost anybody who wanted could join this group. At its height, Killnet's following was over 100,000 individuals from Russia, not counting everybody else who was just lurking or spying on the group. And it was extremely troubling, extremely difficult.

Well, Killnet was not known for a lot of big takedowns, and they were mostly doing DDoS attacks. The interesting findings, the interesting exploitations were filtered by leadership of Killnet to other Russian APTs and to their government sponsors. But the DDoS attacks were not particularly powerful. The big thing is that when they started a DDoS attack, they were just targeting the main site of a company, and as soon as that site became unavailable, they would call this a victory and move
on to a different target. This is rather interesting and not greatly effective. For example, they would attack www.boeing.com. And while Boeing is a huge company, it's a popular company, Boeing didn't lose much business from this. Not many people who come and buy things from Boeing, like a plane, go on the main site and say, "Okay, I want to order a plane, put it in the shopping cart." So, no, nobody does that. And if a site is down, it's not a significant outage.

But here's an example. On January 27th of 2023, this post on your left, translated on the right, was placed by KillMilk, who was the leader of Killnet, and this is a call by him to start attacking hospitals. He is citing that the support of Western culture for Ukrainians really incites the attacks against the hospitals and medical institutions. He is suggesting to target the United States, Portugal, Spain, Germany, Poland, Finland and many other countries. And he's suggesting DDoS attacks. As a postscript at the very bottom there, he says, "kill them first." These are the enemies that we are facing. This is a hacktivist collective. And if you don't find this repulsive, attacking a hospital barely out of the COVID era and trying to cause trouble, this is what this hacktivist group was about.

And yes, some of the DDoS attacks, even this attack against hospitals, were not greatly successful. In fact, one of the targets was a gift shop in the hospital that we're working with. And I've been to that gift shop. You can buy a teddy bear, you can buy flowers, you can buy candy for your loved one who may be in hospital, but there is not much damage you can do to that gift shop. In fact, they actually use a dedicated internet connection for the gift shop. But in the rural areas, in the smaller towns, where a hospital has only one internet connection without much redundancy for their emergency communications, for their ability to get medical information from one place to another, there were real outages and real problems. Thankfully, there were no reports of any kind of serious injuries or loss of life.

So let's take a look at who are the people behind this group. KillMilk, who is probably the most prolific member of Killnet, and deriving his name also from the name of the group, is highly credited as the guy who established this. Meet Nikolai Serafimov, who was less than 30 years old when Killnet was started, and this particular individual looks normal. He is a husband and a musician. In fact, he was
a musician for the past 10 years, trying to release several tracks, and looked like a relatively normal person. One can also call him a patriot. These pictures are from his social media, from the time he was serving in the Russian army, where this was a mandatory thing, back about 12 or 13 years ago. But he is, well, he is all that, definitely not a patriot. He's also a fascist and racist. Well, I'm not going to be showing you specific excerpts for this. Just believe me that the comments that he's making, the behavior that he was exhibiting most of his life, definitely meet this criteria. He's also not a very happy young man. He writes in his social media that there will be payback against everybody in his life who kept him down once he gets to a certain level of height and career.

He is also a career drug user and drug dealer. He spends his entire life around drugs, and this is one of the components of his demise. In 2013, in Russian social media, while taking one of those quizzes, like, you know, "who am I going to be when I grow up" or something like that, he's also answering questions like, "What things do you like?" "Illegal drugs." "What controls your mood?" He answers, "My mood is being controlled by the amount of drugs in my system."

In 2017, the justice in Russia finally catches up with him. He actually gets imprisoned and convicted under article 228.1 part five of the Russian criminal code. Not that I expect you to know that code, but it's an interesting note that in 2017 he gets convicted on this particular thing that is prescribing 8 years of prison with a minimum four-year sentence to be served. Serafimov, who according to court documents actually fully cooperated with the authorities, serves only one year or less of this sentence, which is unheard of for Russian criminals convicted of illegal drug deals. He should have served at least four years, and Russian law is very stern about this.

Why did this happen? Within a year of his conviction, we already see the move of his activities back on. He's taking credit. He is making social media posts. He is moving around Russia. Most likely he actually turned over and started ratting out his friends in the drug business. Most likely he made a deal, but not with the Russian justice system, which is relatively stern about this, but he makes a deal with the Russian government, who is starting to control his actions and builds this control over him.

So from that perspective, in the cyber threat intelligence practice that we run, we are seeing these activities, and we are seeing that this group led by KillMilk is reaching new lows, new highs, in the dark web and the criminal world. We set out a group shortly after Killnet actually started attacking different targets, shortly after the Russian government, Duma members, were actually endorsing Killnet and calling them patriots. In fact, one member of the Duma, which is a governing body of Russia, called being in Killnet equivalent to serving in the Russian army. So looking at all of this, we form a
group within our company of nine individuals who are tasked to figure out how to take down Killnet. So there are nine of us, there are 100,000 of them. Let's figure out what to do.

The opportunity actually opens itself, not quickly, but quick enough, that on October 9 of 2022, just 6 months into the war, KillMilk is giving an interview. He is high on power, high on fame, and he is talking to Russian state controlled media called RT, Russian television, and answering a number of questions. We got interested in this particular excerpt, where he is being asked if his group has any support outside of Russia, and he is crediting a group called Solaris for the existence of Killnet. He basically says that if not for our dark web friends Solaris, Killnet would not exist. So we are reading this, and okay, well, that's a clue. If there is no Solaris, there is no Killnet. I see a kill chain here. No pun intended. So that's how we decide to set out and figure out what to do next.

Now, I'm going to do a very belated introduction, probably the latest introduction I've done in any talk. And I want to tell you a little bit about why we're taking on this task. So my name is Alex and I was born in Ukraine many, many, many years ago. My family immigrated to the United States in 1989, and for the past 36 years I have lived in a town called Milwaukee in the state of Wisconsin, which is about 100 kilometers north of Chicago. So I spent my entire adult life in the United States, but I still call Ukraine my home. I spent my entire career in IT and cyber security, and I spent my entire career also understanding cyber criminals and figuring out how to stop them. The action that we took in the beginning of the war with Ukraine was to open an office in Kyiv, Ukraine, in order to support them and give them the ability also to do something good in the world. But the highlight of my resume, the number one thing that I think should be in the beginning of my resume, is this: I've been making Vladimir Putin mad since 2014.

>> [applause]

>> In August of 2014, we did that little thing on the front page of the New York Times where we announced probably the biggest breach to that date, and one of the biggest to date, perpetrated by Russian cyber criminals. And Vladimir Putin was unhappy with me personally. I was told that I was put on his naughty list. As my official response, I put sanctions against him as well. He's not allowed in my house. But he is welcome to stay in my garage while a couple of my Ukrainian friends are going to play bad cop and bad cop. But we've been working and trying to stop cyber criminals from Russia and many other places very diligently.

So when we see this, we actually figure out what to do next, and the interesting thing is that we know Solaris. We know Solaris well. We figure out how to use Solaris as a weak point of Killnet. In fact, when we are targeting something like this, we are coming up with a very
complex plan. We are coming up with a Hail Mary, a chance one out of a thousand or a million, whatever it is, and saying we have a plan to see what would happen next. And as our next actions, we go on the front page of Forbes magazine, trying to make a difference in the world. We actually have quite a bit of knowledge and access to Solaris. We get inside of the Solaris group and get them to transfer money from their repositories, from their stores, into a Ukrainian charity that helps the elderly in the difficult time of war. So this is what Forbes writes about, but I'll tell you how this came about.

So Solaris is an illegal drug market within Russia. It actually was established by a guy named Zanzi in 2017, and Zanzi is infamous for creating a number of different illegal drug marketplaces in Russia. At its height it operated over a thousand shops on the dark web in different cities of Russia, selling illegal drugs electronically to the drug users of Russia. And this is a whole big micro economy that Solaris had, but it was a separate marketplace, separate forums, separate shops and a full supply chain for the drug dealers. But Zanzi was not outside of Russia. Even KillMilk is saying that he's thinking Solaris is a foreign group. Zanzi is actually being tracked by us in various places in Moscow. He's moving around Moscow. At least his phone is.

So we decided to take out Solaris. And the reason why we have visibility into Solaris is that, as a cyber threat intelligence company, we have great interest in the illegal drug trade in Russia. Not because we actually care about that part, because it's the job of the Russian government to stop their illegal drug trade. But it's actually a very interesting thing that the drug users in Russia, some of them very infamous cyber criminals, tend to buy their drugs next to their home. So they live nearby where they buy their drugs. And because the cyber criminals on the dark web tend to reuse their nicknames and identity, we can actually trace them down to their physical location within Russia where they're buying their drugs. So we are actually tracking where they are, based on their geolocations and where they are buying their illegal drugs. So we had the ability to infiltrate Solaris.

So we infiltrate Solaris, get on the front pages of Forbes, but I'm sure you want to know how we did it. So in 2017, 2018, Zanzi, the guy who designed this, reaches out to us because he had a technical problem, and he approached one of our alter egos on the dark web and he was asking for technical assistance. And we do portray ourselves on the dark web sometimes as the technical experts that we are. He had problems with some PHP code that was not running, and he asked us to help. So we said, of course, we'll take a look, we'll try to help, and he gave us root access to one of his servers. So we were nice enough to ask if it's going to be okay to make sure that we put in additional safeguards so we don't get locked out of the system.
He said, "Okay." So we installed a back door on that server. Well, he said we could. It's legal if he asked for it. We forgot to remove it, but we also couldn't figure out how to make his PHP code work, because we didn't look. But we had this back door available for us, and once they went to Tor nodes, connecting back was just a piece of cake, because nobody ever looks at Tor traffic.

So we are inside, but it's a big network. The entire infrastructure is about 40 servers. We have access to one and a half servers, or two servers. So what do we do? It's an extremely secure system. They built it very, very securely. It's protected: there's WireGuard, DDoS protection, everything. There's also an SSH file with authorization to connect to other servers, which makes it easier for us. But we couldn't get to every server. So we went to Ansible, because Ansible allows us to automate things, and they were automating a lot of things. So we ran a couple of things to gain access to all the other servers, but we couldn't get to all the servers like that. So we went to the Zabbix configurations, which was their monitoring system for uptime, and ran local scripts through Zabbix, and then we gained access to all their servers. That's, I know.

So we actually don't transfer money ourselves. We let them transfer money themselves from their daily gains, which amounted to about 45,000 when the charity converted this to money, but they actually transfer all the money themselves, instead of to their own wallets, to the crypto wallets of this great Ukrainian charity. So they do that. Forbes publishes the article, and then Solaris says, "No, no, no, no. There was no breach." They are actually asking people to look themselves, saying, "Hey, everything is up. Your money is not gone. Maybe, but we'll find out. Don't worry about it. There was absolutely no breach." That's the long statement in Russian. They say, "Well, don't believe everything you read on the internet. Everything is fixed."

So we didn't believe them. We go to the GitLab repository, because they fixed everything, they kicked us out. But GitLab really shows that they changed the Tor node address, they changed the logo, the copyright date, and the Bitcoin address that they were depositing to. So they didn't do much. And we're kind of confirming this and say, "Hey, you know, we still have full access." And then 3 weeks later, to make sure that people hear us, we actually publish this on our site with a full exposure of Solaris infrastructure. Not only that, we actually publish their source code. We publish the entire marketplace, databases of communications, money transfers, a treasure trove of information.

Now, at that point they actually start paying attention. The competing group called Kraken, which is also an illegal drug marketplace, takes over the exit Tor nodes for Solaris, taking over and routing traffic to themselves. Meanwhile, Solaris panics and
closes down their site for repairs for several weeks. They never really recover. From 1,000 shops, they came back with about 30 to 40 shops that were functioning. And while it took them significantly longer than they anticipated to die, in 2024 this illegal drug marketplace actually called it quits, shut down, and never appeared again, which is a good thing.

Now we had to weather the storm. Weathering the storm was not particularly pleasant. There were cyber threats. KillMilk considers me his arch nemesis. I don't consider him an arch nemesis. But there were threats. There was doxing, which is unpleasant. And also we got targeting. Thankfully, to our local police department: there were several swatting attempts, and our local police department was very understanding and very easy to work with. So these issues did not present any physical threats to me and my family. And while we still had the ability to access systems of Solaris till the very last day, as I said, this image of Ronald McDonald, which was running at a store on Solaris infrastructure, warning of RAMP, an illegal Russian drug marketplace, in 2017, seeing how another illegal drug marketplace, Hydra, died in 2022, too. In 2024, Solaris also bit the dust.

Now, what's happening with Killnet? In our publications, in the Forbes publication, we are actually calling out publicly the connection of the Russian drug marketplace and the Russian hacktivists. This is a key connection between the two, which actually allows everybody to see that Russian hacktivism is not only powering Russian pride but also powering Russian illegal drugs and the illegal drug trade, and the Russian government is not happy. The Russian government actually does not like competition and things that they don't control, and they saw they controlled KillMilk. In February of 2023, supposedly, but based on much secondary data, KillMilk and Killnet lose Russian government funding and support.

There is an unraveling of Killnet and KillMilk that happens throughout 2023. It is visible on the personal side. KillMilk is hurting. He is raving about this. But on the public side, he is making statements. He's making statements saying that altruism is over. From now on, Solaris is going to be making money off individuals who want to hire them to do hacktivist activities. But he didn't really explain how 100,000 members of Solaris are going to get paid. He was mostly talking about himself. Then he disbands the group. He disbands the entire group, saying, "Now I don't trust anybody. Killnet is over. I'm working there alone. You are all fired." Then he said, "I'm kidding," before too many people left the channel. Then he actually hands over control of Killnet to the guy called BlackSide. He's saying, "To stop these issues that are happening to Killnet, I'm stepping away. Now the guy BlackSide is in charge." And then later that day somebody says, "Well, remember, a year, a year and a half ago, your nickname on the dark web was BlackSide." He's like, "Oh yeah, yeah, I forgot." So this handover did not happen either.

On October 6 of 2023, KillMilk and Killnet actually make a statement that makes sense. He called for peace. This call for peace was interesting. He's actually suggesting that Killnet from that point
on should not be attacking any civilian targets in Ukraine or anybody else. They should be following the Red Cross guidelines, not causing any outages, any issues that can harm civilians and individuals. He makes a plea to the members to understand that this is just a war, and actions in the theater of war are acceptable, but anything that hurts civilians is not. That was October 6 of 2023, and that was a relatively peaceful day in our world, even though the war in Ukraine was raging, because on October 7th of 2023, as many of us may remember, Hamas did their terrorist attack against Israel, and KillMilk changes his story. He actually condemns the government of Israel, supports Hamas, and calls for destruction of all the enemies of Russia, returning back to the normal flow of things.

But Killnet in 2024 changes completely. In January of 2024, KillMilk actually sells the channel We Are Killnet from his control to a group called Deanon Club. Deanon Club claims paying between $10,000 and $50,000 for control of that channel. KillMilk no longer feels that he is in control, and the We Are Killnet channel, now down to only 3,000 members from 100,000 plus, changes direction as well, and you guys would never believe what they have done for the past two years. This entire channel We Are Killnet is now dedicated to fighting the illegal Russian drug trade. I don't know where they got the idea, but we see that they dedicated themselves not only to hacktivist activities but also to fighting the Russian illegal drug trade, doxing their drug lords and drug dealers, trying to take down the illegal drug marketplaces. I can tell you actually a common sense reason for this, not our example. The Russian government withdrew their support for Killnet, but now under new management they were hoping to rebuild Killnet, and they were actually doing the opposite of how Killnet got into the bad graces of the Russian government. Or this can also be the Russian government itself trying to right their wrongs. We don't know, but it's not a bad thing.

But KillMilk actually changes his life differently. The Russian media itself in 2023 doxes KillMilk, and while we knew his identity for quite a while, the entire Russian population now knows who KillMilk is, and they're not happy about it. Not that anybody's going after him, but nobody really cares. And while he was initially denying it, then said, "Yeah, it's me," still nobody cares. Starting in February of 2023, once the Russian government withdrew its support, KillMilk had significant money problems. He files for bankruptcy in April, I think, 2023. He pawns all his cars, actually trying to take loans to get as much money as possible from these cars, his and his wife's. He also tries to join different projects, and he's trying to make money any way he wants. But when he actually joins different projects, he makes a big deal. You know, there may be excitement, more activities in that channel on Telegram for a day or two, and then nobody cares. Then he starts fighting with people within the group and he gets kicked out. Mostly he makes his money out of selling something called School of Darknet training, and he's offering this
for um about $300 US uh up to $30,000 US. Uh I didn't buy this uh but I read the reviews. Uh reviews are not great. Um basically they say as as soon as you pay uh he stops talking to you and uh sporadically sends you links that he finds on Google. Um and uh don't buy it. Uh and u most of what uh he does he gets into flame wars. The most interesting thing that he does he actually goes back and starts recording uh music. Uh he um records a couple profoundly written uh tracks uh about Biden and others. Uh nothing worth listening. Uh don't buy his tracks. Uh but uh uh that's about all uh about him. Um

earlier this year he uh spread the rumor that he died. Then he two days later he came back said I was not killed. It was close. Uh there were like uh five likes to that post. But let's talk about uh the legacy legacy that uh uh uh Kilnet left in the world. This is a way of um activism. The wave of cactivism as I mentioned in the beginning that um actually started uh in a very terrible way and it normalized attacks of one nation to another. This is experiment of Russian government to weaponize the entire population. And while 100,000 people in Russia is not that much percentage- wise, it shows that one nation can engage into cyber

warfare against uh its enemies without declaring a formal war. And this example was actually set uh beyond Russia. We see the same thing happening in Middle East right now. When one nation can attack another one in cyerspace, one group uh religious or political can attack another group without much repercussions. Uh in 2024 we saw um political spat between uh Canada and India and the next very next day activists from uh India start attacking um Canada Canadian citizens uh across the entire uh internet doxing um releasing information on Canadian citizens. This is a legacy of kilnet that we have to reckon with. We also uh see that activism now does not only belong on the dark web. Activism right

now is a main movement of individuals. We see activist activities within our social media. We see activist activities on um popular uh instant messengers. We actually see the knowledge that being shared as well across um activist um uh collectives. We also see that um propaganda becomes a big big deal in cyber warfare. Killnet did not do much damage by actually hacking systems. They did a lot of damage um by talking about this. They spent time photoshopping um the leaders of Lockheed Martin and Boeing in this caskets saying that if you're working for these companies this will happen to you. This was effective to put these companies on lockdown. We've seen attacks against hospitals. We've seen

attacks against uh financial institutions. We've seen airports shut down because of intended cyber attacks. This is a legacy of Killnet that is visible and it was uh extremely well highlighted in the media. But the positive thing about the story is that uh a group of nine people set out to find the Achilles heel of a giant. Ukrainian media uh called this um activities as nine people standing against a herd of Russians and finding this Achilles heel stopped this group dead. I'm not going to take credit for um taking down Killnet completely. It was a community movement. It was um um good way to highlight weaknesses and letting um Killnet handlers and members to unravel themselves. But it was also activities

uh of law enforcement, other cyber security professionals and governments to do the right thing. Also um want to say that uh while Killnet is dead the other activist groups um like um Anonymous Sudan and many others no-name groups they they were born but uh they were much smaller and much better controlled by Russian government. The experiment that Russians tried to do with um Killnet had failed and finding this Achilles heel for us as cyber security professionals is a feat. I don't want to say it's big but it is big and I can tell you that each one of you having special skills having good understanding of what you're doing can also make a difference on this scale on

smaller scale in different way but uh as cyber security professionals we can find these weaknesses we can leverage things and we can actually uh be uh David that takes down the Goliath. This is all that I had uh as of my presentation today, but I think we have a couple minutes for questions. [applause]


>> Any questions?

Thank you. Um, so my question is regarding this Solaris, was there any customer data so of drug users and did you publish it as well because it could also result in many arrests of drug users? >> Yes. Uh uh so we published their uh forum uh database where people were uh communicating. We found uh published their uh cryptocurrency and financial transactions because they actually had an exchange of Russian credit cards or debit cards into uh cryptocurrency. So we published quite a bit of information to be able to identify those. Um because most of these activities were inside Russia. We don't know if Russians actually paid attention to that or not. Uh I'm assuming quite a bit of Russian

authorities also use uh these services. But uh definitely there was enough information and we actually partnered with several um crypto investigation groups to uh track down the cryp uh crypto wallets uh to identify threat actors and also some interesting individuals uh who resided outside of Russia as well. So yes. All right. Thank you. [applause]