Under the Killmilk mask: an examination of Killnet and its leader

Under the Killmilk mask

The hacktivist group Killnet gained prominence in 2022. After backing the conflict in Ukraine, it launched a series of high-profile DDoS campaigns against major targets, including the U.S. Federal Tax Service, the European Union’s SWIFT banking network, and the U.S. arms contractor Lockheed Martin. Observers pointed to the group’s bold stance and technical chatter, signaling a broader influence in cyber activism and crime.

For a long time, the public had little clarity about the identity of its alleged leader, known as Killmilk. In public discourse, Killmilk projected an image of a devoted patriot of the Russian Federation and a vehement opponent of Ukraine, while emerging as a significant figure within the Russian-speaking cybercrime community.

Various media sources and insiders have circulated claims about Killmilk’s true identity. Reports suggested that Nikolai Nikolaevich Serafimov was the man behind the alias, born on May 16, 1993. Alleged details about his personal life include a marriage and ownership of at least two vehicles, including a BMW 520i and a Porsche Panamera, with ownership split between his wife and himself.

The claims originated from several insiders and sources linked to law enforcement and investigative outlets, though verification remained incomplete. Some insiders who spoke to media outlets described Killmilk as a persuasive personality with strong social engineering skills, capable of rallying followers and motivating actions through calculated messaging.

One interviewee noted that Killmilk also possessed a knack for branding, creating information products and marketing them effectively. Yet the same sources suggested his technical prowess was limited, relying largely on others’ botnets for DDoS activities while concentrating on attack planning, coordination, and growth rather than hands-on hacking expertise.

Skeletons in the closet

Despite a favorable public image among some, Killmilk faced a contested reputation within the cybercrime sphere. Allegations and rival claims pointed to various crimes, feeding rival factions who believed Killmilk cast a shadow over the Russian-speaking hacktivist community.

In August 2022, a notable accusation involved defrauding the administrator of a major darknet forum for a large sum with promises of charitable donations. The promised support to social causes reportedly did not materialize, prompting skepticism about the motivations and integrity of the scheme.

Representatives of Killnet promised that evidence of charitable activity would follow but failed to deliver it, citing political implications as a defense for the lack of transparency. They claimed that the administrator was deceived due to beliefs about foreign interference, framing the incident as a political action rather than mere fraud.

Sources described another project, launched in spring 2023, that presented itself as a nine-lesson hacking course. The program advertised topics such as carding, data gathering, social engineering, DDoS techniques, and spyware use, with course fees set in multiple currencies. Instructors later suggested a sizable portion of attendees received content that was outdated and of little practical value, with refunds sometimes proving elusive.

From insider testimony, the course was not originally designed by Killmilk but by another member of the Killnet collective, though it bore Killmilk’s branding. Early success gave way to internal turmoil when the primary organizer was arrested, placing Killmilk in a position to address the fallout and criticisms from both students and fellow members.

Earlier cyber activities attributed to Killmilk included operations against the Russian Federation’s own infrastructure before the major conflict escalated, with public activity traced to late 2021 on the RuTor forum. The first project, Universal Dark Service, focused on DDoS campaigns and linked to later ventures offering DDoS services for a price, sometimes drawing attention from human rights and anti-corruption groups that tracked abusive online behavior.

There were also mentions of targeted actions against a local information security firm after it publicly critiqued Killnet’s activities, illustrating the volatile and retaliatory nature of online confrontation in this space. Some insiders indicated a pattern of transactional deception, with work often promised on invoices while payment lagged or failed entirely, reflecting problematic conduct in some business dealings.

Against hacktivists

By late 2023, a significant portion of Killmilk’s standing was challenged by fellow activists on Telegram channels devoted to hacktivism. An alliance of groups and individuals emerged to counter Killnet and undermine Killmilk, including media-oriented collectives and OSINT-focused voices. The public discourse revealed a divide within the community, with many remaining reluctant to speak openly due to fears of retaliation and exposure.

One insider described a climate of discontent, noting that some pro-Russian factions preferred anonymity and feared public confrontations that could reveal identities and invite repercussions. The debates extended to figures associated with rival groups who left the movement under pressure and amid concerns about deanonymization.

Commentators argued that exposing the leader’s identity could destabilize internal dynamics and influence the cohesion of Killnet. Analysts emphasized that turning public attention to the leader could invite legal and extralegal actions from opponents, highlighting the high stakes of visibility in the cybercriminal world.

Experts offered mixed views on the implications of revealing a leader’s real name. Some warned that it could anchor accountability in both legal and non-legal terms, while others believed seasoned professionals could navigate such revelations with less risk. The broader question remained: would de-anonymization deter or simply shift the balance of power within this clandestine ecosystem?

Nobility display

Commentary from industry observers suggested that the ongoing information warfare around Killmilk might stem from both real missteps and strategic rivalries. The leader’s high-profile presence attracted attention from opponents who could, in turn, escalate smear campaigns. Critics argued that some in the hacker community labeled Killnet as unprofessional, challenging the group’s ethics and conduct in online operations.

There was speculation that a broader push to form a formal cyber force in Russia could intensify tensions, with security agencies potentially curating activities across different hacktivist factions. In this context, debates about funding, governance, and legitimacy of a centralized cyber army added further complexity to the landscape. Opinions varied on whether organizational structures would improve or worsen the situation for ordinary participants who draw inspiration from patriotic sentiments but face real legal risks.

Some observers suggested that geopolitical calculations and official narratives played a role in shaping the conflict, while others warned that the pursuit of a cyber army could invite unintended consequences for civilians engaging in hacktivist activities. The evolving discussions reflected broader questions about accountability, sovereignty, and the future of cyber operations in a politically charged environment.
