Killnet is back — but not as you remember it. The once-boisterous pro-Kremlin hacker group has returned from months of silence, reshaped and rebranded. 

Killnet recently asserted it breached Ukraine’s drone-tracking system, supposedly helping Russian forces strike radar stations. While Russian outlets widely circulated maps and videos, independent verification of the hack remains absent. 

Killnet resurfaced on Victory Day, a symbolic date in Russia tied to World War II celebrations and frequently exploited for propaganda and cyber influence operations. 

Cybersecurity analysts believe Killnet’s return is a strategic move to regain visibility and influence under a rebranded identity. 

Organizational Breakdown and Leadership Change  

Killnet disappeared from the spotlight in late 2023 after Russian media identified its founder, KillMilk, as a 30-year-old Russian national allegedly linked to drug trafficking and luxury cars, according to Pascal Geenens of Radware. 

In the aftermath of the founder’s exposure, Killnet’s operations were reportedly sold to Deanon Club — an anti-narcotics collective — with its admin “BTC” acquiring the assets for an estimated $10,000 to $50,000. 

The group’s disappearance may also be part of a broader strategy commonly employed by other hacker collectives, according to Rik Ferguson, vice president of security intelligence at cybersecurity firm Forescout. 

Transition from Mission-Driven to Revenue-Focused Strategy  

Killnet initially rose to prominence through the use of basic, low-cost DDoS attacks — so unsophisticated that other pro-Russian actors allegedly ridiculed founder KillMilk for depending on outsourced botnets, notes Radware’s Pascal Geenens. 

BTC’s takeover marked a strategic pivot for Killnet, according to TRM Labs. The group abandoned its patriotic roots to focus on financially motivated cybercrime, including darknet drug dealer exposure, hack-for-hire operations, and carefully chosen attacks to enhance its reputation in criminal circles. 

The group’s pivot to profit alienated its politically motivated core members, leading to the creation of breakaway factions such as KillNet 2.0 and Just Evil that remain focused on Russia-aligned hacktivism. Despite BTC’s efforts to preserve Killnet’s activist facade, TRM Labs researchers characterize the group as a financially driven cyber mercenary organization with a diversified target list. 

Killnet operates as a fluid, decentralized network with subgroups that frequently vanish, rebrand, or act independently, Flashpoint analysts report. Following the exposure of KillMilk’s identity, he may have relinquished control, or, as Radware’s Geenens theorizes, external actors could have hijacked the Killnet brand for rapid notoriety.