Beyond Hacktivism: Deanon Club, KillNet, and the Russian Dark Web Market Wars

In recent years, the Russian Dark Web has become a fierce battleground, particularly following the shutdown of Hydra, the largest Dark Web drug market. This event in April 2022 triggered a competition among various groups vying for dominance in the illegal narcotics trade. Two prominent groups are now central to this unfolding drama: Deanon Club and KillNet. Their actions, ranging from aggressive international cyberattacks to strategic partnerships, have significantly influenced the dynamics of the Russian Dark Web; but remember that the Dark Web is a Russian territory in some sense. In other words, we are witnessing a chain of events that might affect almost the entire Dark Web.

Their evolving tactics, public declarations, and ambitious plans reflect not just a quest for market control but also a broader trend in the digital underworld, intertwining cybercrime with political and financial objectives. This landscape offers a complex and concerning view into the future of cyber warfare, hacktivism, digital crime, and more.

Hydra’s Shutdown and the Russian Dark Web Market Wars

The fall of Hydra in April 2022, a pivotal moment in the Russian Dark Web, marked the beginning of a new era in the illegal online narcotics trade, and cybercrime.

Hydra Market before it was taken down.

Hydra’s closure, executed by German and the U.S. authorities, created a significant power vacuum. Various emerging darknet markets and cyber groups, notably Kraken and Solaris, swiftly moved to fill the gap. This period was marked by intense rivalry and aggressive strategies, including mutual cyberattacks and bold advertising campaigns in Moscow.

The competition escalated further with incidents like the cyberattacks on RuTor by Kraken and Solaris, and RuTor’s subsequent retaliation against WayAway. This unfolding chaos in the dark web market highlighted a vicious struggle for dominance among these clandestine entities.

We tried to examine this landscape in our blog post last year, where we reviewed Hydra Aftermath; however, it looks like the cards will be redistributed again this year.

Top DWMs by Market Share after Hydra’s shutdown (TRM)

KillNet and Deanon Club

KillNet and Deanon Club, two formidable entities in the Russian Dark Web, have played roles in shaping the post-Hydra landscape. KillNet, known for its pro-Russian stance and cyberattacks, gained notoriety for targeting entities in NATO-backed countries. Deanon Club, on the other hand, emerged as a significant force with a focus on DDoS attacks and the dark web drug market.

Their collaboration led to the creation of the short-lived Infinity Forum in 2023, which we also discussed in our Hydra Aftermath post, a darknet marketplace/forum offering a range of hacking services and resources. This partnership was not without its complexities, as evidenced by fluctuating relations and public criticisms.

Complex structure of Infinity Forum visualized by Yarix

Both groups have been involved in high-profile cyberattacks and have made public statements asserting their dominance and future plans, which reflected their ambitions to reshape the dark web’s power dynamics in 2023. But the real events seem to emerge in 2024.

KillMilk’s Downfall

Recent developments within KillNet revealed internal conflict and criticism towards its leader, KillMilk. Several members have publicly accused KillMilk of unethical actions and lacking technical skills. Additionally, Gazeta.ru identified Nikolai Nikolaevich Serafimov, allegedly associated with KillMilk, as having a controversial background.

This internal strife highlighted significant challenges within KillNet. Shortly after these events, KillMilk left the de-facto leadership of KillNet, leaving the group in the hands of its former partner, Deanon Club.

Telegram post about the leadership change

Despite KillMilk’s retirement and earlier claims of reshaping hacktivism, the group’s future direction under Deanon Club’s leadership remains somewhat uncertain.

Before the whole leadership situation, KillNet’s focus was still towards larger-scale operations, including significant DDoS attacks on high-profile targets such as Microsoft’s Azure, Outlook, and OneDrive.

A subsidiary group called KillNet Palestine was also opened in the Israel-Hamas conflict, but KillNet could not play an active role in this conflict due to internal struggles, but its close collaboration, Anonymous Sudan, continues its activities to this day.

KillNet Palestine’s Telegram post, there has never been an update after

And then KillNet’s fate changed completely. And although KillNet still keeps its name, the new main Russian threat group appears to be Deanon Club.

Judging based on Deanon Club’s current actions, it seems that KillNet will move away from the hacktivist/patriotic stance that came with the Russia-Ukraine war for now and will continue illegal activities for more financial purposes.

One Black Market to Rule Them All

In late 2023 and early 2024, Deanon Club threatened the major Dark Web Markets like Kraken and Black Sprut, asserting their emerging dominance. They also signaled a partnership with Moriarty, hinting at strategic expansions and new initiatives in the dark web community.

Deanon Club’s post in January 10, 2024. As translated by Google Translate: “Calling all Darknet users and dealers! – Dear friends and colleagues! I, the owner of the hacker group “Deanon Club”, officially declare it! The Kraken platform will cease to exist within 2 months! You may not believe me now, but so that no questions arise in the future, we have warned you… After Kraken, we will end the existence of Black Sprut…”

On the one hand, Deanon Club conducts active recruitment, sells dark web hacker training, threatens other markets while advertising its own upcoming market Mega 2.0, and even underlines that these threats will be physical.

Another threat post. As translated by Google Translate: “Also, I say hello to the sons of wh*res – Black Sprut. The owner of which is anonymous. The administration of which is buying out deanon for me and my colleagues (it’s a pity that it’s just all over). After Kraken they will disappear…”

These developments were accompanied by bold public statements and claims, painting a picture of an increasingly assertive and confident dark web landscape driven by these groups.

Monopolistic Dreams and Future Plans

Deanon Club’s recent assertions depict a bold strategy to monopolize the Russian dark web market. Their claim of impending dominance over major competitors like Kraken and Black Sprut, coupled with their collaboration with Moriarty, suggests a strategic consolidation and expansion.

Deanon Club’s market announcement, Translated by Google Translate: “Conferences? Hello, dear friends! I’m not lost, and I continue to work hard! Soon, my colleague Moriarty and I will provide you with a new place to spend time, as well as “secret knowledge”… And I can also say it directly. In 2024, we will become a monopolist, and no other project will physically be able to continue to exist (our two main competitors are exactly that)”

Meanwhile, KillNet has been diversifying its targets and refining its cyberattack strategies, with a clear focus on financial gain. These moves by both groups signal a potential shift towards a more centralized and potent Dark Web ecosystem, driven by a few powerful players. The implications of this potential monopoly extend beyond the dark web, posing new challenges for cybersecurity and law enforcement globally.

An Interview with Deanon Club

In a revealing interview with Gazeta.ru; Deanon Club, discussed their evolving strategy and objectives. Just as we stated before, the new owner of KillNet stated that, moving beyond their initial role in supporting Russia in cyberspace, KillNet is now engaging in more commercial activities, including attacks on drug cartels and executing commissioned hacks.

KillNet’s shifting focus, translated to English from Russian by Google Translate

Despite this commercial shift, the group plans to maintain its hacktivist roots, albeit with a more professional approach.

The interview also delved into the personal motivations of the new leader and the controversial nature of their operations, providing a unique insight into the plans for both KillNet and Deanon Club.

Attack vector beyond the cyberspace, translated to English from Russian by Google Translate

Although he/she makes a statement that one of their goals is to fight drug dealers, they do not neglect to intimidate their rivals by mentioning the existence of methods such as mercenaries as well as cyber-attack techniques such as DDoS to attack.

Claiming responsibility for Kyivstar attack ,translated to English from Russian by Google Translate

Another important statement in the interview, in which they stated that he/she bought KillNet for between $ 10,000 and $ 50,000, and they had a leading role in the Kyivstar attack.

For more detailed information, please refer to the original interview on Gazeta.ru.

Conclusion

The evolving dynamics within the Russian Dark Web, particularly post-Hydra, highlight a significant shift in the landscape of cybercrime and hacktivism. The aggressive maneuvers by groups like Deanon Club and KillNet, their strategic alliances, and ambitious declarations of market control underscore a trend towards consolidation and increased sophistication in cyber operations. This evolution presents new challenges in cybersecurity, necessitating a reevaluation of digital defense strategies. As these groups continue to adapt and expand their reach, the global implications of their actions are likely to become increasingly significant, both in the realms of cybercrime and international cyber warfare.

And it should be remembered that many of the threat groups are fueled by drug money and emerge from this ecosystem; In this context, the sale of illegal goods paves the way for many other crimes, and cyber security threats such as stolen credit cards, unauthorized access and, zero-day exploit sales may also be present in such markets.

SOCRadar offers an extensive monitoring solution for the Dark and Deep Web, helping organizations detect and address threats across various web layers. Their approach combines advanced reconnaissance capabilities and thorough threat analysis to provide actionable intelligence, enhancing proactive security measures. This solution merges automated external cyber intelligence with a team of dedicated analysts, empowering Security Operations Center (SOC) teams to effectively manage external threats beyond their traditional boundaries.

SOCRadar Extended Threat Intelligence platform automatically detects organization or employee data in black markets and alerts relevant users.