Pro-Russian hacktivism: Shifting alliances, new groups and risks

Jul 02, 2025

The outbreak of the Russia-Ukraine war in 2022 had a profound and lasting effect on the cybercrime landscape that caused a dramatic rise in hacktivism aimed at influencing the conflict. Just as the two parties participate in hostilities on the battlefield, pro-Russian and pro-Ukrainian hacktivists continue to fight in cyberspace by conducting distributed denial-of-service (DDoS) attacks, website defacements and breaching and leaking stolen data.

Since the start of 2025, hacktivism campaigns connected with Russia’s war against Ukraine continue to be driven by the changing geopolitical landscape. One of those triggers has been questions over the U.S. commitment to military support for Ukraine since President Donald Trump assumed office in January 2025. Fears over the withdrawal of U.S. support have caused European nations to commit to higher defense spending to deter Russia, discuss stronger sanctions against Russia and increase Ukraine defense support. Leaders from France and the U.K. have been vocal about the need to commit more of their gross domestic product (GDP) to defense and have taken steps to provide Ukraine with additional military aid. This wider rearmament of Europe has the potential to reshape regional security, which had been underpinned since the end of World War II by a steady U.S. commitment and an expanding NATO.

These moves have spurred online action by pro-Russian hacktivists. One example of this occurred after Lithuania’s call for more aid for Ukraine and tougher sanctions against Russia. In May 2025, Lithuanian Foreign Minister Kestutis Budrys accused Russian President Vladimir Putin of using delaying tactics to avoid sanctions during ceasefire discussions and called for a response that was “stronger than Russian aggression.” As a result, seven pro-Russian hacktivist groups launched #OpLithuania, including Dark Storm Team, Mr Hamza, NoName057(16) aka NNM057(16), Russian Bears, ServerKillers and Z-PENTEST ALLIANCE. The ServerKillers group targeted the Lithuanian financial sector and the Dark Storm Team targeted Lithuanian government institutions. Other groups that attacked European targets in May 2025 included AnonSec and Keymous+.

While the provision of aid to Ukraine continued to be the key determinant for pro-Russian hacktivist attacks, the underlying European political picture was a close second. 

On June 1, 2025, Poland held presidential elections that prompted interest and attacks as pro-Russian groups often use attacks as a means of spreading propaganda. Polish officials also signaled they were conducting deeper conflict planning for possible future engagement with Russia, which was met with DDoS attacks against entities in the country. 

Pro-Russian groups have been active in other campaigns based on geopolitical events. Israel launched a full-scale military operation inside Iran June 12, 2025, under the pretense that Iran had become closer to developing a nuclear weapon, with the U.S. following up with deep airstrikes against three Iranian nuclear facilities. As a result, numerous pro-Iranian hacktivist groups and other Middle Eastern hacktivists launched cyberattacks in support of Iran. Iran also has supported Russia with arms, supplying drones and drone production knowledge. Two pro-Russian hacktivist groups, TwoNet and Server Killers, subsequently claimed responsibility for DDoS attacks on Israeli websites.

This post will examine one of the top pro-Russian hacktivist groups, new ones that have entered the scene and the impact of these groups. This intelligence is drawn from Intel 471’s Cyber Geopolitical Intelligence, which monitors for geopolitical drivers of digital risk, and Adversary Intelligence, which tracks threat actors and groups using automated collection and on-the-ground human intelligence (HUMINT).

This image depicts a link diagram of new alliances allegedly formed between the monitored hacktivist groups between March 31, 2025, and May 4, 2025.

Top group: NoName057(16) 

For more than two years, the KillNet pro-Russian hacktivist group, which was led by the actor KillMilk, dominated the scene. The actor entered the hacktivism space in part by seeing financial opportunity with a DDoS for-hire service. However, the group’s hacktivist activity faded as it pivoted into more financially motivated cybercrime. Taking KillNet’s lead spot is NoName057(16), which first emerged in March 2022. The group has since collaborated with other groups that have the same political motivations, some of which are no longer active, including Cyber Army of Russia Reborn (CARR) aka Народная Cyberармия (Eng. People’s CyberArmy), CyberArmyRussia; DeaDNet; FuckNet; KillNet; Root Sploit; and XakNet Team.

NoName057(16) tends to target at least one or two targets a week but sometimes many more, usually NATO countries or other entities in or supporting Ukraine. Targets may be selected on a preset, rotating basis. The group will often cite a recent event — military activity, a political state or aid announcements — as a trigger for the attack in order to draw attention to it and encourage other like-minded groups to join in.

The NoName057(16) group published this screenshot after claiming responsibility for the defacement of the Lithuania-based freight company ExpressTrip July 4, 2022.

The hacktivists operate the DDoSia project, a tool written in the Go programming language that NoName057(16) members developed to crowdsource DDoS attacks. Group members provide builds of the tool to volunteers who run them in their own environments and launch attacks. Each volunteer is assigned a client identifier aka client_id, which is used to track contributions. Rewards in cryptocurrency are promised to the project's top performers.

Directed by the state?

There have been questions about whether pro-Russian hacktivists are directed or funded by the Russian state and about the identities of the individuals who may be behind the groups. On July 19, 2024, the U.S. Treasury Department sanctioned two prominent members of CARR. The press statement specifically accused Yuliya Pankratova of being its leader and Denis Degtyarenko of being its primary hacker allegedly responsible for conducting cyber operations against U.S. critical infrastructure organizations. Amid Russia’s war in Ukraine, CARR became a prolific pro-Russian hacktivist group that initially conducted low-sophistication DDoS attacks against organizations in Ukraine and several of its Western allies. But in late 2023, the group repeatedly claimed responsibility for carrying out attacks against industrial control systems (ICSs) of European and U.S. energy and water-related utility service providers. In January 2024, the group claimed responsibility for causing the overflow of water storage tanks at a facility in Texas, U.S., and posted an accompanying video showing the manipulation of control systems. In response to this and similar attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and allied partners released a joint cybersecurity advisory outlining the threat pro-Russian hacktivist groups pose to operational technology (OT) and ICS environments.

Photos of Russian nationals Denis Degtyarenko, 35, and Yuliya Pankratova, 41, who were sanctioned by the U.S. Treasury for alleged participation in the Cyber Army of Russia Reborn hacktivist group. (Source: U.S. Treasury)

Although no connection was mentioned in the Treasury Department’s statement, Google’s Mandiant forensics unit previously presented evidence indicating a close operational overlap between several pro-Russian hacktivist groups, particularly CARR, and Seashell Blizzard aka APT44, Sandworm, a group attributed to Russia’s General Staff Main Intelligence Directorate aka GRU. In its report, Mandiant alleged Seashell Blizzard is able to direct and influence the activities of CARR, which often is responsible for publicly leaking information acquired during Seashell Blizzard’s operations. In a compelling example, CARR inadvertently revealed details of an operation in advance of it being executed by Seashell Blizzard, reinforcing Mandiant’s assessment that CARR likely was created and served as a front to provide a degree of plausible deniability to GRU cyber operations.

In January 2025, a Ukrainian open source intelligence provider called Molfar released research into what it claims were the identities of both Russians and Ukrainians involved in running NoName057(16) and CARR. Molfar is composed of analysts, volunteers and Ukrainian hackers who have previously conducted multiple investigations against Russian law enforcement officers, military personnel and other individuals who supported the Russia-Ukraine war. The data published included personally identifiable information (PII) and photos of more than 10 alleged group members. Molfar contends some of the individuals, who include Ukrainians who have sided with Russia, are “connected to Russian state structures and received funding from them.” These conclusions have not been substantiated by Intel 471. However, in one instance, a threat actor involved in hacktivist activity alleged they were approached by state authorities after being prosecuted for a cybercriminal offense.

New group: IT Army of Russia

One new pro-Russian hacktivist group, IT Army of Russia, conducts data theft operations and DDoS attacks against Ukraine. The group first emerged in late March 2025 and started broadcasting operations via the Duty-Free underground forum and the t.me/itarmyofrussianews Telegram channel, which has more than 800 members and a motto that reads “We are recruiting bright minds to help the Motherland!” Group members use the channel to chronicle alleged DDoS attacks primarily against Ukrainian digital infrastructure, post databases from breached websites and recruit insiders in Ukrainian critical infrastructure, telecommunications and other key positions. However, most of the targets reported were small Ukraine-based businesses. The group often exploits structured query language-injection (SQLi) vulnerabilities to steal data and then leak those databases. The group also solicits insider information that could benefit Russian forces in the ongoing war in Ukraine.

The hacktivists also launched the t.me/itarmyrussia_bot Telegram bot to obtain relevant information about Ukraine’s critical infrastructure, government or status of forces and recruit insiders. Users also were asked to suggest targets for cyberattacks via the bot. The group claims to have used the PanicBotnet DDoS attack utility to conduct attacks. The actor holynet has advertised the PanicBotnet utility on several hacker forums since March 2025. The service claims to be a tool to test a website or service and features monthly subscription plans. The IT Army of Russia group members’ Telegram channel included multiple reposts from the DutyNews Telegram channel at t.me/DutyFreeForum, which is associated with the Duty-Free cybercrime forum.

New group: TwoNet

The TwoNet hacktivist group surfaced in January 2025. In February 2025, a channel operator claimed TwoNet was composed of about 40 members involved in hacking, software development and open source intelligence (OSINT) research. However, no proof was provided at that time. The group initially used the t.me/TwoNetOfficial Telegram channel, which was suspended March 7, 2025. On March 8, 2025, the hacktivists launched a new Telegram channel.

The group uses DDoS as a primary attack vector and provides links to connectivity reports on the check-host.net platform as proof of claims. However, it is not always possible to verify the claims. The group primarily attacked digital infrastructure in Spain, Ukraine and the U.K. Entities targeted have been in the aviation; government; and technology, media and telecommunications sectors. This activity is usually broadcast on a dedicated Telegram channel. The group appears to use the MegaMedusa Machine DDoS utility for attacks, purportedly created by the RipperSec hacktivist group and publicly available on GitHub. The TwoNet group apparently chooses potential targets based on media reports in which high-level politicians demonstrate support for the Ukrainian people, working with other like-minded pro-Russian hacktivist actors and groups. Team members claimed to collaborate with the BLOCKWEB, КиберVойска (Eng. CyberArmy), Dark Storm, Diplomat, Mr Hamza, OverFlame, Russian Partisan, Sector091 and Sector 16 hacktivist actors and groups.

The group’s Telegram channel has revealed some information about the gang’s possible members, partners and tools. In January 2025, a channel operator reported the death of the alleged gang member Коля (Eng. Kolya aka Nikolai), who used the Сакура (Eng. Sakura) military nickname. The operator claimed Sakura was killed during a combat mission in Ukraine. This would not necessarily be unique, as there have been other credible reports of Russian underground actors participating as combatants in the Russian military campaign in Ukraine.

Conclusion

The hacktivist scene supporting Russia is fluid. While the tactics, techniques and procedures (TTPs) of most of these groups can seem rather basic, there is risk. First, DDoS tools and services are readily available in underground markets, which means that no group has to start from scratch. DDoS attacks also continue to reach new levels of intensity, with Cloudflare recording an attack consisting of mostly user datagram protocol (UDP) packets against an IP address belonging to one of its customers in mid-May 2025 that reached 7.3 terabits per second (Tbps) — the largest ever recorded. Service providers deflect or filter these attacks, but temporary disruptions are possible, which could bring negative economic impacts. Even if an attack isn’t impactful, the claim of conducting an attack can draw attention, which is what many of these groups crave.

As mentioned before, there have been credible reports of groups targeting ICSs. While most hacktivist activity may be unsophisticated, the groups can and have recruited or had access to people with skills required to hunt down and tamper with ICSs. For example, last year we covered the pro-Russian hacktivist group Z-Pentest that emerged on Telegram in September 2024. The group announced a partnership with CARR, which has been accused of targeting ICSs, and NoName057(16). The Z-Pentest group claimed to have targeted a water treatment facility in Arkansas, U.S. The plant’s hydraulic systems allegedly were reduced to manual control as a result of the attack, which disrupted the operation. City representatives released a statement acknowledging the attack, and FBI and U.S. Department of Homeland Security officials were reportedly dispatched to investigate. These kinds of hacking exercises can have an outsize impact, particularly as many Western nations recognize and have sought to remediate long-standing security issues around critical infrastructure.

While hacktivist groups pale in comparison to advanced persistent threat (APT) groups in technical attack acumen, there are suspicions that the Russian state or state APTs may be providing support or using hacktivists as cover. There are many advantages to this, such as muddling attribution and allowing for plausible deniability if the hacktivists’ real-world identities become public. It is possible TwoNet and IT Army of Russia are rebrands done by existing actors who have been in the pro-Russian hacktivist space before, although it remains to be seen how these two new groups may or may not be related to past ones.

Intel 471’s Adversary Intelligence and Cyber Geopolitical Intelligence analysts closely follow the activities and participants in the hacktivism space alongside technical tracking of DDoS tools, including collecting real-time indicators of their targets. For information about how this could help prepare and protect your organization, please contact us.
