Under fire
Since February 24, Russian online resources have faced heavy disruption through DDoS attacks. Nearly forty Telegram channels were created to coordinate these actions, which many countries’ laws classify as crimes punishable by prison. Igor Bederov, founder of Internet Search, described the situation to socialbites.ca.
“The activity is organized by about 40 communities. Some groups are large, others small. Larger groups break into teams with specific targets, such as banks or media outlets,” Bederov explained.
The situation is notable because Ukraine’s Minister of Digital Transformation, Mikhail Fedorov, has publicly invited participation in such attacks. In interviews with international media, he described building the “world’s first cyber army.”
“Right now there are roughly 300,000 potential volunteers. Participation is voluntary, and communication happens through Telegram, with daily tasks posted there. There is no direct personal contact with cyber volunteers,” Fedorov told the Spanish newspaper El País on April 27.
Igor Bederov estimated that around 650,000 people could be involved, though precise figures are hard to pin down. Aleksey Novikov, director of the Positive Technologies Security Expert Center, agrees on the difficulty of counting participants. “We see about 300,000 participants in one chat where attacks were coordinated,” he told socialbites.ca. “It’s impossible to know the total number. But it’s clear they aren’t shrinking.”
According to Bederov, Telegram does not intervene in this activity. Administrators run multiple chats that are interconnected. “There are admins who manage several channels. We identified about 20 individuals, mostly aged 23 to 30, many of them university students, some still studying,” he noted.
The expert adds that most participants use publicly available software hosted within the communities or on external sites. This suggests that the technical level among participants and organizers is relatively low.
What is a DDoS attack?
A DDoS attack aims to block a website or online service by flooding it with requests. When these requests exceed what the server can handle, service slows or stops. The effort relies on thousands of participants delivering high volumes of traffic.
A true DDoS operation relies on a mass, coordinated flow of actions. Examples include sending incorrect commands to a server so that it crashes, or directing vast amounts of data at it to overwhelm its network channels. The end goal is to halt the targeted site or resource.
In Ukraine, the Digital Transformation Ministry organized Telegram channels under the banner “Ukraine IT ARMY,” which published daily target lists for DDoS actions against Russian sites.
Recent targets (as of May 25) included Moscow and St. Petersburg’s currency exchanges. Reports from the channels often include screenshots to attest to claimed results, such as notices that major Russian microfinance organizations experienced outages on May 23, with online lending affected in multiple cases.
Digital “reapers”
There are additional Telegram channels linked to the “Ukrainian IT ARMY” that have assisted the ministry’s efforts. Socialbites.ca identified about a dozen ongoing communities, including Ukrainian Reaper, CyberPalyanitsya, the Student Cyber Security and Defense Committee of Ukraine, CYBER CERBER, Gaidamaki, and Anonymous – Ukraine, among others.
Some attackers actively work on improving their tools. For instance, organizers of the Ukrainian Reaper channel report that their Multiddos program is updated roughly every five days. The channel’s curators also note updates to mhddos_proxy and suggest a Telegram bot capable of provisioning cloud resources to launch centralized strikes.
Multiddos was created specifically for DDoS work and is not a mere modification of an existing admin tool, according to Swordfish Security’s technical director Anton Basharin. He explained that the software serves as an interface for multiple utilities, some known previously and others developed recently. Multiddos, formerly auto_mhddos, appeared on the web in mid-March this year and offers features that combine traffic generation with monitoring tools.
Experts say Multiddos can emulate real-user traffic by generating diverse data. Traffic is drawn from multiple systems to shape the request patterns, aiding attackers in building a realistic stream of activity.
To keep the ecosystem active, the Ukrainian groups periodically seek specialists with skills in virus creation, penetration testing, and phishing site development. They also value candidates who have significant free time to dedicate to refining IT weapons.
Security researchers from Positive Technologies and other firms often publish findings about attack targets to help prevent harm where possible. They note that preemptive defense is more feasible when it concerns already protected organizations and services. In some cases, defenders can replace access credentials as a protective measure, but keeping defenses activated continuously is not always practical or effective in a short window of time.