“They are tired of him, but they are afraid”: what is known about the leader of the hacker group Killnet
“They are tired of him, but they are afraid”: what is known about the leader of the hacker group Killnet
Gazeta.Ru revealed the identity of the Killmilk hacker
"Gazeta.Ru"
close
100%
Global Look Press
A new conflict is brewing in the pro-Russian hacker community. More than ten hackers and hacktivists publicly spoke out against the Russian group Killnet and its leader, known under the nickname Killmilk. He is accused of attacks on the infrastructure of the Russian Federation, fraud and numerous violations of hacker ethics. Gazeta.Ru tells what Killnet became famous for and de-anonymizes the identity of the group’s leader.
Under the mask of Killmilk
The hacktivist group Killnet rose to prominence in 2022. After the start of the SVO, she openly sided with Russia and carried out a number of high-profile DDoS attacks on large targets such as the US Federal Tax Service , the banking systems of the European Union SWIFT and IBAN, the American arms company Lockheed Martin and others.
At the same time, little was known about the identity of its leader, the hacker Killmilk, for a long time. In the public space, he formed the image of a great patriot of the Russian Federation and an enemy of Ukraine , as well as an influential personality in the Russian-speaking cybercriminal community.
According to Gazeta.Ru, KillMilk’s real name is Nikolai Nikolaevich Serafimov. The future hacker was born on May 16, 1993. Married, the couple owns at least two cars: a BMW 520i and a Porsche Panamera. The first one is driven by the wife, and the second one by Serafimov himself.
This information was confirmed to us by the hacktivists Abbadon and NET-WORKER, the founder of the Dark Femida project Pyotr Vrublevsky, as well as a Gazeta.Ru source associated with law enforcement agencies.
close
100%
Presumably the hacker Killmilk, aka Serafimov Nikolai Nikolaevich
Hacktivist Abbadon
The hacktivist Abbadon also told Gazeta.Ru that Serafimov had previously been convicted of distribution, illegal production, sale or transfer of narcotic drugs, psychotropic substances or their analogues (Article 228.1 of the Criminal Code of the Russian Federation). He served his sentence in the Republic of Bashkortostan , in IK-2 in the city of Salavat. Gazeta.Ru was unable to confirm this data.
Killmilk himself neither denied nor confirmed information about his identity. However, he asked the Gazeta.Ru correspondent to reveal the source. This interest was motivated by the desire to ensure the safety of his family. After the refusal, the hacker stopped communicating with the publication’s correspondent and deleted the correspondence.
Some former Killmilk associates interviewed by Gazeta.Ru describe Nikolai Serafimov as a person with the gift of persuasion and good social engineering skills. That is, a hacktivist knows how to gather people around him and motivate them to do what he needs.
“Killmilk is also good as a brand maker - he knows how to create information products and then sell them. Well, like infogypsy bloggers, you know? At the same time, he is very weak as a technical specialist. Killmilk has some DDoS skills, but they are mostly limited to using other people's botnets (a group of devices configured by malware to carry out DDoS attacks - editor's note) for their own purposes. The rest: hacking, consolidation, development of attacks... Other people do all this for him,” one of them told Gazeta.Ru.
Skeletons in the closet
Although Killmilk has the image of a positive hero in the eyes of ordinary people, he has a controversial reputation in the cybercriminal community. Serafimov has many opponents who accuse him of various offenses, which they believe cast a shadow over the entire Russian-speaking hacktivist community.
For example, in August 2022, Killmilk scammed (that is, deceived) the administrator of the RuTor darknet forum for 1 million rubles. and promised to transfer half of this amount to “orphanages of the Russian Federation”, as well as provide evidence of the charity event. Since then, there has been no confirmation of the transfer of money to orphanages.
In a dialogue with Gazeta.Ru, a Killnet representative promised to provide evidence of the charity event in the near future, but never did. He justified the fact of deception of the RuTor administrator by the fact that this forum is allegedly supervised by the Ukrainian special services.
“They did the right thing. This is politics. They took away a million that would have been used to kill our soldiers. This is taking money out of the Ukrainian economy, at a minimum,” said a Killnet representative.
The “Dark School” project, which Killmilk launched in the spring of 2023, also turned out to be dubious. The “Dark School” was supposed to be nine courses in hacking skills. In particular, applicants were promised lessons in carding (theft and use of other people's bank card data - editor's note), data reconnaissance from open sources, social engineering (fraud and deception - editor's note), DDoS attacks, and the use of spyware and not only. The courses were sold in Russian, Hindi, English and Spanish for $250.
Hacktivist NET-WORKER told Gazeta.Ru that about 150 people purchased the courses. However, not everyone was satisfied with the content: “students” received materials once every few weeks. They were of no practical value, since in most cases the information they contained was outdated and available for free. At least one buyer tried to get a refund for Dark School, but was unsuccessful.
“The problem with Dark School is that it was originally conceived by another Killnet member, not Killmilk. But it was advertised and promoted on behalf of Killmilk. The training started well. Then the group member responsible for the school was arrested and Killmilk had to deal with the problem. It turned out how it turned out,” added hacktivist Abbadon, another opponent of Killmilk, who positions himself as an open data intelligence (OSINT) expert, in a conversation with Gazeta.Ru.
Killmilk’s offenses also include cyberattacks on the infrastructure of the Russian Federation, which he carried out before the start of the SVO. Killmilk initially became active in late 2021. This happened on the RuTor forum. Killmilk's first project was called Universal Dark Service and was focused on carrying out DDoS attacks. The Universal Dark Service project became famous, at a minimum, for attacking the websites of the Federal Penitentiary Service and collaborating with the Gulagu.net project. On the wave of success, Killmilk began providing DDoS as a service, that is, carrying out attacks on specified targets for money.
In addition, Killmilk hinted in his Telegram channel about carrying out DDoS attacks on the Russian information security company Zecurion. The company's website stopped working after an expert from this company spoke unflatteringly about Killnet's activities in one of the media comments.
It also follows from NET-WORKER's words that KillMilk periodically deceives its own clients. This happens because the hacker convinces them to work on a postpaid basis: business first, money later. At least one colleague of KillMilk told Gazeta.Ru that the head of Killnet owed him $2 thousand for a custom hack.
Hacktivists against
Since the end of October 2023, Killmilk’s authority has been challenged by many of his colleagues in Telegram channels dedicated to hacktivism. An entire alliance has already formed that opposes Killmilk and is trying to destroy its reputation. Publicly speaking out against Killnet and Killmilk were such associations and individual hacktivists as Dark Femida (positions itself as a media outlet about cybercrime), Abbadon, NET-WORKER, ForceDDoS, CyberArmy_coordinator, Leader_russ, Stumer_Patriot, Legit_hubb, BTC and others.
From the words of some of them it follows that in fact there are many more dissatisfied with the activities of Killnet, but they are afraid to speak out against it openly.
“A lot of people are tired of Kilmilk. Behind the scenes, a significant portion of pro-Russian groups oppose him. But they are afraid to “have a bite” with him in public. First of all, they are afraid of de-anonymization - Kilmilk likes to reveal the identities of its competitors or blackmail them with this information,” hacktivist NET-WORKER told Gazeta.Ru.
According to him, under the threat of de-anonymization, hacker Chapaev, who led the Phoenix group, left hacktivism in 2023.
Opponents of Killmilk consider their main goal to be to destroy the hacker's reputation. To do this, they not only recall Killnet’s various mistakes, but also actively collect and publish information about the identity of the group’s leader. They believe that the publicity of this information will lead to destabilization of relations within Killnet and, possibly, Serafimov’s departure from hacktivist activities.
According to Igor Bederov , head of the information and analytical research department at T.Hunter , de-anonymization is unpleasant for a hacker primarily because cybercrimes committed under an anonymous username will be compared with his real identity. In addition, declassifying the name can expose the hacker to attack from enemies in the cybercriminal community.
“Deanonymizing a hacker dramatically increases the risk of bringing him to justice. Both in the legal field and in the extra-legal field,” he said.
In turn, Pavel Sitnikov, a hacker and founder of the information security company XPanamas , believes that for serious professionals, revealing one’s identity is not a death sentence. First of all, according to him, young hackers scare young and inexperienced competitors with Deanon.
“Real hackers work cleanly and conduct business in such a way that after deanon it is difficult to present anything to them,” said Sitnikov.
Screen of nobility
Igor Bederov from T.Hunter suggests that one of the reasons why there is now an active information attack on Killmilk may be the hacker’s careless and unprofessional actions as the leader of Killnet, which attracted the attention of competitors. By roaming cyberspace and considering himself a significant figure, Killmilk could have made powerful enemies.
“The reviews about him were quite harsh. Moreover, professional hackers criticized the entire group for unprofessionalism. On the part of the near-hacker party, scandalousness and unethical attitude towards the participants were noted,” Bederov said.
Meanwhile, Sitnikov is “almost sure” that Killmilk became a victim of “curatorship squabbles” against the backdrop of the possible formation of an official cyber army in Russia. This topic became especially relevant after on November 1, 2023, the head of the Ministry of Digital Development of the Russian Federation, Maksut Shadayev, supported the idea of creating cyber troops within the Ministry of Defense. By “curators,” Sitnikov means the security forces that coordinate the activities of some hacker and hacktivist groups.
“This showdown is related to the division of the budget for the cyber army. The budget, which, by the way, does not exist, is trying in vain. The worst thing in this situation is that ordinary people who turned to hacktivism out of patriotic feelings may suffer,” the hacker shared his opinion.
An expert on international politics in cyberspace, consultant to the Russian International Affairs Council, Oleg Shakirov, doubts that the cause of the showdown between hackers could be the prospect of forming a cyber army. According to him, conversations about its creation in Russia have been going on for a long time, and are being conducted exclusively within the framework of the political game of officials.
“There is no reason yet to consider these comments [about the cyber army] as a harbinger of the creation of any new structure. In most countries, cyberattacks carried out by hacktivists are illegal. There are no exceptions anywhere that would absolve civilians of responsibility for such actions, subject to patriotic motivation,” he said.
Gazeta.Ru revealed the identity of the Killmilk hacker
"Gazeta.Ru"
close
100%
Global Look Press
A new conflict is brewing in the pro-Russian hacker community. More than ten hackers and hacktivists publicly spoke out against the Russian group Killnet and its leader, known under the nickname Killmilk. He is accused of attacks on the infrastructure of the Russian Federation, fraud and numerous violations of hacker ethics. Gazeta.Ru tells what Killnet became famous for and de-anonymizes the identity of the group’s leader.
Under the mask of Killmilk
The hacktivist group Killnet rose to prominence in 2022. After the start of the SVO, she openly sided with Russia and carried out a number of high-profile DDoS attacks on large targets such as the US Federal Tax Service , the banking systems of the European Union SWIFT and IBAN, the American arms company Lockheed Martin and others.
At the same time, little was known about the identity of its leader, the hacker Killmilk, for a long time. In the public space, he formed the image of a great patriot of the Russian Federation and an enemy of Ukraine , as well as an influential personality in the Russian-speaking cybercriminal community.
According to Gazeta.Ru, KillMilk’s real name is Nikolai Nikolaevich Serafimov. The future hacker was born on May 16, 1993. Married, the couple owns at least two cars: a BMW 520i and a Porsche Panamera. The first one is driven by the wife, and the second one by Serafimov himself.
This information was confirmed to us by the hacktivists Abbadon and NET-WORKER, the founder of the Dark Femida project Pyotr Vrublevsky, as well as a Gazeta.Ru source associated with law enforcement agencies.
close
100%
Presumably the hacker Killmilk, aka Serafimov Nikolai Nikolaevich
Hacktivist Abbadon
The hacktivist Abbadon also told Gazeta.Ru that Serafimov had previously been convicted of distribution, illegal production, sale or transfer of narcotic drugs, psychotropic substances or their analogues (Article 228.1 of the Criminal Code of the Russian Federation). He served his sentence in the Republic of Bashkortostan , in IK-2 in the city of Salavat. Gazeta.Ru was unable to confirm this data.
Killmilk himself neither denied nor confirmed information about his identity. However, he asked the Gazeta.Ru correspondent to reveal the source. This interest was motivated by the desire to ensure the safety of his family. After the refusal, the hacker stopped communicating with the publication’s correspondent and deleted the correspondence.
Some former Killmilk associates interviewed by Gazeta.Ru describe Nikolai Serafimov as a person with the gift of persuasion and good social engineering skills. That is, a hacktivist knows how to gather people around him and motivate them to do what he needs.
“Killmilk is also good as a brand maker - he knows how to create information products and then sell them. Well, like infogypsy bloggers, you know? At the same time, he is very weak as a technical specialist. Killmilk has some DDoS skills, but they are mostly limited to using other people's botnets (a group of devices configured by malware to carry out DDoS attacks - editor's note) for their own purposes. The rest: hacking, consolidation, development of attacks... Other people do all this for him,” one of them told Gazeta.Ru.
Skeletons in the closet
Although Killmilk has the image of a positive hero in the eyes of ordinary people, he has a controversial reputation in the cybercriminal community. Serafimov has many opponents who accuse him of various offenses, which they believe cast a shadow over the entire Russian-speaking hacktivist community.
For example, in August 2022, Killmilk scammed (that is, deceived) the administrator of the RuTor darknet forum for 1 million rubles. and promised to transfer half of this amount to “orphanages of the Russian Federation”, as well as provide evidence of the charity event. Since then, there has been no confirmation of the transfer of money to orphanages.
In a dialogue with Gazeta.Ru, a Killnet representative promised to provide evidence of the charity event in the near future, but never did. He justified the fact of deception of the RuTor administrator by the fact that this forum is allegedly supervised by the Ukrainian special services.
“They did the right thing. This is politics. They took away a million that would have been used to kill our soldiers. This is taking money out of the Ukrainian economy, at a minimum,” said a Killnet representative.
The “Dark School” project, which Killmilk launched in the spring of 2023, also turned out to be dubious. The “Dark School” was supposed to be nine courses in hacking skills. In particular, applicants were promised lessons in carding (theft and use of other people's bank card data - editor's note), data reconnaissance from open sources, social engineering (fraud and deception - editor's note), DDoS attacks, and the use of spyware and not only. The courses were sold in Russian, Hindi, English and Spanish for $250.
Hacktivist NET-WORKER told Gazeta.Ru that about 150 people purchased the courses. However, not everyone was satisfied with the content: “students” received materials once every few weeks. They were of no practical value, since in most cases the information they contained was outdated and available for free. At least one buyer tried to get a refund for Dark School, but was unsuccessful.
“The problem with Dark School is that it was originally conceived by another Killnet member, not Killmilk. But it was advertised and promoted on behalf of Killmilk. The training started well. Then the group member responsible for the school was arrested and Killmilk had to deal with the problem. It turned out how it turned out,” added hacktivist Abbadon, another opponent of Killmilk, who positions himself as an open data intelligence (OSINT) expert, in a conversation with Gazeta.Ru.
Killmilk’s offenses also include cyberattacks on the infrastructure of the Russian Federation, which he carried out before the start of the SVO. Killmilk initially became active in late 2021. This happened on the RuTor forum. Killmilk's first project was called Universal Dark Service and was focused on carrying out DDoS attacks. The Universal Dark Service project became famous, at a minimum, for attacking the websites of the Federal Penitentiary Service and collaborating with the Gulagu.net project. On the wave of success, Killmilk began providing DDoS as a service, that is, carrying out attacks on specified targets for money.
In addition, Killmilk hinted in his Telegram channel about carrying out DDoS attacks on the Russian information security company Zecurion. The company's website stopped working after an expert from this company spoke unflatteringly about Killnet's activities in one of the media comments.
It also follows from NET-WORKER's words that KillMilk periodically deceives its own clients. This happens because the hacker convinces them to work on a postpaid basis: business first, money later. At least one colleague of KillMilk told Gazeta.Ru that the head of Killnet owed him $2 thousand for a custom hack.
Hacktivists against
Since the end of October 2023, Killmilk’s authority has been challenged by many of his colleagues in Telegram channels dedicated to hacktivism. An entire alliance has already formed that opposes Killmilk and is trying to destroy its reputation. Publicly speaking out against Killnet and Killmilk were such associations and individual hacktivists as Dark Femida (positions itself as a media outlet about cybercrime), Abbadon, NET-WORKER, ForceDDoS, CyberArmy_coordinator, Leader_russ, Stumer_Patriot, Legit_hubb, BTC and others.
From the words of some of them it follows that in fact there are many more dissatisfied with the activities of Killnet, but they are afraid to speak out against it openly.
“A lot of people are tired of Kilmilk. Behind the scenes, a significant portion of pro-Russian groups oppose him. But they are afraid to “have a bite” with him in public. First of all, they are afraid of de-anonymization - Kilmilk likes to reveal the identities of its competitors or blackmail them with this information,” hacktivist NET-WORKER told Gazeta.Ru.
According to him, under the threat of de-anonymization, hacker Chapaev, who led the Phoenix group, left hacktivism in 2023.
Opponents of Killmilk consider their main goal to be to destroy the hacker's reputation. To do this, they not only recall Killnet’s various mistakes, but also actively collect and publish information about the identity of the group’s leader. They believe that the publicity of this information will lead to destabilization of relations within Killnet and, possibly, Serafimov’s departure from hacktivist activities.
According to Igor Bederov , head of the information and analytical research department at T.Hunter , de-anonymization is unpleasant for a hacker primarily because cybercrimes committed under an anonymous username will be compared with his real identity. In addition, declassifying the name can expose the hacker to attack from enemies in the cybercriminal community.
“Deanonymizing a hacker dramatically increases the risk of bringing him to justice. Both in the legal field and in the extra-legal field,” he said.
In turn, Pavel Sitnikov, a hacker and founder of the information security company XPanamas , believes that for serious professionals, revealing one’s identity is not a death sentence. First of all, according to him, young hackers scare young and inexperienced competitors with Deanon.
“Real hackers work cleanly and conduct business in such a way that after deanon it is difficult to present anything to them,” said Sitnikov.
Screen of nobility
Igor Bederov from T.Hunter suggests that one of the reasons why there is now an active information attack on Killmilk may be the hacker’s careless and unprofessional actions as the leader of Killnet, which attracted the attention of competitors. By roaming cyberspace and considering himself a significant figure, Killmilk could have made powerful enemies.
“The reviews about him were quite harsh. Moreover, professional hackers criticized the entire group for unprofessionalism. On the part of the near-hacker party, scandalousness and unethical attitude towards the participants were noted,” Bederov said.
Meanwhile, Sitnikov is “almost sure” that Killmilk became a victim of “curatorship squabbles” against the backdrop of the possible formation of an official cyber army in Russia. This topic became especially relevant after on November 1, 2023, the head of the Ministry of Digital Development of the Russian Federation, Maksut Shadayev, supported the idea of creating cyber troops within the Ministry of Defense. By “curators,” Sitnikov means the security forces that coordinate the activities of some hacker and hacktivist groups.
“This showdown is related to the division of the budget for the cyber army. The budget, which, by the way, does not exist, is trying in vain. The worst thing in this situation is that ordinary people who turned to hacktivism out of patriotic feelings may suffer,” the hacker shared his opinion.
An expert on international politics in cyberspace, consultant to the Russian International Affairs Council, Oleg Shakirov, doubts that the cause of the showdown between hackers could be the prospect of forming a cyber army. According to him, conversations about its creation in Russia have been going on for a long time, and are being conducted exclusively within the framework of the political game of officials.
“There is no reason yet to consider these comments [about the cyber army] as a harbinger of the creation of any new structure. In most countries, cyberattacks carried out by hacktivists are illegal. There are no exceptions anywhere that would absolve civilians of responsibility for such actions, subject to patriotic motivation,” he said.
