Phoenix and the evolving landscape of cyber activity in Europe and beyond


Phoenix has been active since May 2022.

The so-called Phoenix group that was arrested in Ukraine in 2021 and allegedly connected to KillNet is not easily defined as a standalone unit. It functioned more like a small arm of a larger hacker network: five core members who operated under the supervision of a broader leadership, which included the speaker.

Regarding the nature of the union, there are limits to what can be disclosed.

What the Ukrainian division reportedly did drew mixed assessments. Official statements highlighted claimed successes in compromising iPhones and Android devices, yet the narrative suggested these operatives were pawns used to support larger actors who remained beyond Ukraine’s borders.

Authorities may have magnified the capabilities of the arrested individuals in their public portrayal; in fact, there are indications that more influential figures remained active outside Ukraine.

Why, then, is the current Phoenix faction presented by KillNet as a group of Ukrainian hackers aligning with Russia?

The creator of Phoenix suggests KillNet lacked awareness of the finer details described here. The Phoenix leadership asserts continuity with past Ukrainian operations and notes no objections to the stated alignment.

The new Phoenix faction carries a name that can cause confusion, but the creator explains that the label was used symbolically. The Phoenix embodies a rebirth of a hacker collective, mirroring the legendary myth of rising anew from ashes.

Are there members still located in or temporarily operating from Ukraine?

Yes, there are individuals who work in various technical fields alongside Russian operators, taking significant personal risks. Those involved reportedly include people connected to Ukrainian political circles and security personnel.

The decision to support Russia is attributed to widespread dissatisfaction with the current government within parts of Ukraine.

When asked about the current identity of Phoenix, the stance is pragmatic—whether labeled Russian, Ukrainian, or international, the emphasis is on the practical outcome rather than the label.

DDoS attacks

The conversation confirms that DDoS is a primary tool for some Russian hackers, a method that overwhelms websites and online services by coordinating large botnet networks.

One panel member admits it is a central technique for certain operators, though not the only method employed.

Claims persist that Russian DDoS campaigns frequently challenge protection services from major providers, raising questions about the reasons behind the perceived superiority of Russian capabilities.

Experts describe constant development of new attack methods, making it harder for defenses to keep pace. The assertion is made that Russia houses the most formidable DDoS capabilities today, supported by diverse botnets and numerous actors.

Attack techniques described include simple HTTP GET floods, where a target server is bombarded with requests to fetch files, images, scripts, or other data, resulting in overwhelmed infrastructure.

In discussions about DDoS platforms, it is noted that public services are often avoided in favor of privately developed botnets, which may offer stronger power. Phoenix and KillNet are cited as groups pursuing more tailored attack capabilities and even sharing resources when advantageous.

There is a belief that a coalition of groups could form an immense force capable of overwhelming defenses, with some claiming that the collective strength approaches that of well-known botnets like Mirai.

Regarding the use of hired force, the consensus is that Phoenix relies on its own botnets and original methods. The group has expressed ambition to scale to millions of infected devices, approaching the capabilities of leading botnets.

Power and scale vary by group, with some operators reporting ranges from tens of gigabits per second to hundreds of gigabits per second. The Mirai botnet, cited as a benchmark, demonstrates the potential scale of such attacks.

A note of caution is raised about ordering attacks on major government portals from abroad; the reply emphasizes the substantial barriers and risk facing anyone attempting such actions, especially given the control some actors maintain over large botnets in the region.

Future plans

The discussion touches on earnings and monetization, noting that operations include DDoS assignments from abroad and competing in crypto-related activities. Concrete financial details remain inconsistent, with occasional inbound orders from European clients described as reflecting political tensions or opposition movements.

Regular income is not guaranteed, and salaries can vary widely. A top-level operator might command a substantial monthly stipend one month, while the next month may see a return to ordinary work to cover debts and keep the group operational.

When asked about life after armed conflict ends, the perspective is that work would continue in Europe, potentially with a shift toward more lawful and societally beneficial activities—though words are careful to remain hopeful rather than prescriptive.

There is skepticism about government plans to legalize cybercrime or to create an official cyber army. The sentiment is that such moves could constrain freedom and would not attract many within the hacking community. If a formal role as an official cyber soldier existed, it would require attractive terms and a strong need.

Overall, voices within the hacking community suggest that while some would cooperate with government efforts, many would resist formal control, valuing the freedom to operate and the autonomy that comes with it.
