KillNet

Russian media outlet Gazeta.ru published a report identifying Killmilk, the public leader of the Killnet collective, as a 30-year-old Russian citizen named Nikolai Serafimov, citing other hacktivists and an unnamed law-enforcement source. The Record from Recorded Future News reported the disclosure and noted it could not independently verify the identification. The exposure was followed weeks later by a Telegram post in which Killmilk announced he was 'retiring' from Killnet and handing leadership to Deanon Club.

Mandiant published an analysis of the Killnet collective covering activity from January 2022 onward. The report tracks more than 500 distinct victims between January 1 and June 20, 2023, documents Killnet's shift from a squad-based structure to higher-profile affiliates including Anonymous Sudan, Zarya, Anonymous Russia and Devils Sec, and notes that Anonymous Sudan accounted for roughly 63% of identified DDoS attacks claimed by the collective in 2023. Mandiant assessed with high confidence that operations claimed by Killnet consistently mirror Russian strategic objectives, while stating that direct ties to Russian security services remained unproven.

Killnet founder Killmilk announced on Telegram the creation of 'Black Skills', described as a 'Private Military Hacking Company' modelled on Russian PMCs such as Wagner. According to Flashpoint, the planned structure included subgroups for payroll, public relations, pen testing, data collection, information operations and operations against priority targets, with applicants required to declare prior army or public-service experience. Flashpoint assessed the move as an attempt to make Killnet's capabilities easier to monetise and to position the collective as a cyber-mercenary option for the Russian state.

The U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) published a TLP:CLEAR analyst note characterising Killnet as a pro-Russian hacktivist group active since at least January 2022 that conducts DDoS attacks against nations perceived as hostile to Russia. The note cites recent targeting of a U.S. healthcare organisation and assesses Killnet as a continuing threat to government and critical infrastructure, including the health and public health (HPH) sector. Ties to the FSB or SVR are described as unconfirmed.

Italian police said the pro-Russian Killnet collective targeted the Eurovision 2022 grand final and the two earlier semi-finals with DDoS attacks aimed at the contest's network infrastructure during voting and performances. The attempts were mitigated by the Polizia Postale together with ICT Rai and Eurovision TV. Killnet denied the attribution on Telegram and shortly afterwards posted a video declaring 'cyber war' on ten countries supporting Ukraine.