[00:55.180 --> 01:00.780] Morning after day two of CypherCon is a difficult morning for most of us. [01:00.780 --> 01:06.380] But this is a good conference. [01:06.380 --> 01:14.960] Last year I had the privilege of doing keynote today, starting this morning. [01:15.460 --> 01:22.280] And as a speaker, I do a lot of different presentations throughout the year. [01:22.280 --> 01:31.720] I speak at about 40 events, do about 10-12 different presentations each year. [01:31.760 --> 01:37.820] And I've been doing this for now a decade and a half full-time. [01:38.120 --> 01:46.200] This is perhaps the most personal presentation that I ever did. [01:46.200 --> 01:53.040] I've done this at a couple of closed events, but in my hometown Milwaukee. [01:53.560 --> 01:57.940] And besides the accent, it's been my hometown for 35 years. [01:57.940 --> 02:05.320] I'm doing it for the first time, so it's an absolute privilege for me to do this presentation here. [02:05.480 --> 02:09.660] And again, this is a technical story. [02:09.660 --> 02:14.800] It's a cybersecurity story, but it's an extremely personal story for me. [02:14.800 --> 02:21.140] Today we're going to be talking about the Russian collective called Killnet. [02:21.140 --> 02:38.140] And this is an important thing in our overall Internet community, our cybersecurity community, because this is something that changed the world. [02:38.140 --> 02:53.440] If we take ourselves 10 years in the past, or even 5 years in the past, when a cybercrime occurs, we all look at how many people are impacted. [02:53.440 --> 02:56.260] We look at who are the victims. [02:56.260 --> 03:13.380] And if this is a nation-state attack, we will try to pay back this nation-state that attacked us, sanctions, different international penalties. [03:13.380 --> 03:26.400] What has happened over the past 3 years with the Russian invasion into Ukraine, we've seen an unprecedented amount of hacktivism that has emerged. 
[03:26.400 --> 03:42.800] And all these things became possible because no matter how bad the attacks are, no matter what is impacted, we always turn the other cheek. [03:42.800 --> 03:50.680] We're no longer able to render threats, because a lot of those are not useful. [03:50.680 --> 03:57.280] Sanctions against Russia, for example, they're not really stopping the bad guys. [03:57.280 --> 04:00.520] And Russia is doing everything to encourage this. [04:00.520 --> 04:11.030] So we are in the world where another nation, if angry at us, can launch cyberattacks against us or other different nations. [04:11.030 --> 04:15.750] This is not a single event. [04:15.750 --> 04:23.160] We're not only going to be mentioning today Russian hacktivism, but look at Middle East, how quickly this weaponization is happening. [04:23.550 --> 04:35.300] And also this normalization of cybercrime and hacktivism is greatly harmful, because nothing is sacred anymore. [04:35.300 --> 04:42.180] So this is a preface of why this is important to all of us and it's important today. [04:42.180 --> 04:50.780] But I want to give you a background story of what this group Killnet is and what they are about. [04:50.780 --> 04:53.080] So let's meet Killnet. [04:53.080 --> 04:57.260] Killnet was established on November 13th of 2021. [04:57.480 --> 05:01.340] It was one of the Russian DDoS services. [05:01.980 --> 05:07.340] And they just called themselves Killnet, like kill your network, Killnet. [05:07.760 --> 05:12.820] The reason why this emerged was very simple. [05:12.820 --> 05:15.440] DDoS attacks are popular. [05:15.440 --> 05:18.400] They've been popular for many decades. [05:18.400 --> 05:26.740] My close friend Brian Krebs has been on the DDoS side of many, many different types of attacks. [05:26.940 --> 05:34.140] And from that perspective, the attacks are getting much more significant. [05:34.140 --> 05:37.760] They are exceeding all kinds of expectations. 
[05:37.940 --> 05:42.580] And the DDoS services are actually profitable services. [05:42.580 --> 05:44.640] These are services for hire. [05:44.640 --> 05:48.980] And all they need is to command enough devices. [05:49.440 --> 05:52.540] These don't have to be sophisticated devices. [05:52.540 --> 05:54.360] They don't need to contain data. [05:54.360 --> 06:02.780] They just need to be able to be weaponized and use available bandwidth to use various DDoS techniques to attack things. [06:02.980 --> 06:11.440] And this was established about three months before the beginning of the war in Ukraine. [06:11.440 --> 06:15.900] And it was just another DDoS service. [06:15.900 --> 06:23.520] This DDoS service in Russia was one of at least 11 that I know of. [06:23.520 --> 06:31.660] And they started making their name by picking different types of targets. [06:31.660 --> 06:47.720] Killnet, who later became a big arm of Russian military organization, set its first targets not at anything but really at Russian systems. [06:47.720 --> 06:59.800] So if you look closely on these logos, this is pretty much most of the most prominent Russian government organizations. [06:59.800 --> 07:06.240] From their government and law enforcement to their health systems to everything. [07:06.300 --> 07:12.580] As you can see, Russian government shops with their logos in one place. [07:12.580 --> 07:15.220] All of them have this two-headed chicken. [07:15.760 --> 07:20.680] And they pretty much just put something in the middle that's different. [07:20.680 --> 07:33.160] But Killnet began its campaigns really by attacking Russian government and trying to get their name known. [07:33.160 --> 07:36.900] Russian government didn't really react to them. [07:36.900 --> 07:47.880] I don't think Russian government does a lot of business on their main sites, their law enforcement sites. [07:47.880 --> 07:57.020] But for what it was, Killnet was actually making a difference and making some splashes. 
[07:57.500 --> 08:06.360] A day before the war began in Ukraine on February 23rd, 2022, Killnet officially rebranded itself. [08:06.360 --> 08:10.480] So three months into the beginning, like, okay, now we need to do something else. [08:10.480 --> 08:20.240] And they made themselves known as a politically affiliated organization fully supporting Russian Federation. [08:20.240 --> 08:25.620] So this was a very turmoilous time around the world. [08:25.760 --> 08:33.060] But Killnet decided to change its directions for reasons of patriotism. [08:33.060 --> 08:50.040] And from that perspective, Killnet was one of the first DDoS services and one of the first DDoS services that supported, actually, Russian government. [08:50.040 --> 08:58.480] That started working not towards financial goals, not towards extortion goals, but actually for the political reasons. [08:58.480 --> 09:02.140] Killnet changed hacktivism as we know it. [09:02.140 --> 09:11.420] As I mentioned, they made it normal for a nation state to do a DDoS attack against another country. [09:11.420 --> 09:20.710] They made it normal to use information and use social media as a means of propaganda. [09:20.710 --> 09:34.070] The big component of this is not only that Killnet actually became a group of hackers, threat actors, who've done this. [09:34.070 --> 09:38.930] But Killnet attracted in its ranks the most unusual people. [09:38.970 --> 09:40.330] Think about this. [09:40.330 --> 09:53.010] Before the war in Ukraine, Russian IT specialists were well-desired assistants from overseas. [09:53.010 --> 10:03.650] Many Russian IT specialists would work for foreign companies, including for United States companies, just doing normal IT jobs. [10:03.650 --> 10:13.130] In a single week or so, when the war in Ukraine had started, a lot of companies did the right thing. [10:13.130 --> 10:19.070] They fired all their Russian-based employees. 
[10:19.270 --> 10:27.110] And a lot of people in Russia, overnight, literally, became unemployed. [10:27.110 --> 10:30.190] So this was a big change in the Russian society. [10:30.190 --> 10:37.850] Not only their war, but their economy had changed, their personnel had changed. [10:37.850 --> 10:48.570] So from one perspective, the hacktivist movement was driven by threat actors, like the ones that started Killnet. [10:48.570 --> 10:59.690] But the other moment, we got IT personnel who is angry at the West, who was wronged by the West. [10:59.690 --> 11:05.690] They lost their jobs, and they did absolutely nothing wrong in their heads about this. [11:05.690 --> 11:09.390] And all of a sudden, they need some outlet. [11:09.390 --> 11:16.950] They need to have an attack or some retribution for those who wronged them. [11:16.950 --> 11:27.110] So imagine that most of Killnet, at its height, were not hackers, but IT personnel. [11:27.570 --> 11:36.510] And these were some capable people, very intelligent people who knew much about networking, about system administration, about development. [11:36.510 --> 11:46.150] All these individuals decided to join this hacktivist movement because they wanted some kind of retribution. [11:46.150 --> 11:54.190] And even if it's a DDoS service, some of DDoS attacks can be happening on the network layer. [11:54.770 --> 12:00.370] And there have been a lot of folks who lost their jobs, and there were network technicians. [12:00.390 --> 12:03.810] Some of the components were for developers. [12:03.810 --> 12:09.750] Developers don't understand much about network, but they understand much about applications. [12:09.750 --> 12:21.880] And Layer 7 attacks, exhausting SQL Server because of expensive queries, fell in the hands of these type of developers. [12:22.470 --> 12:35.090] So Killnet Collective, at its height, counted over 100,000 individuals who were ready to attack any target that they were given. 
[12:35.090 --> 13:00.260] This was an unprecedented event in our time, in our society, where we faced not a small group of threat actors who were closely knit, but this was really a horde of Russians who would throw their capabilities against any enemy that they want. [13:00.260 --> 13:08.500] Where capable individuals actually joined this activist movement, there have been a lot of comical situations as well. [13:08.500 --> 13:16.620] So one threat actor writes in Killnet Channel that Killnet had been also joined by his grandma. [13:16.620 --> 13:32.240] Grandma does not know much about DDoS or anything like that, so she just opens a site that was listed in the channel as a target of the day, and she clicks on reload as quickly as she can. [13:33.440 --> 13:38.740] DDoS attack from grandma is something that we don't anticipate. [13:40.780 --> 13:42.400] Arthritis, tendinitis... [13:45.780 --> 13:55.380] But the big thing is that the threat group actually has been doing a lot of damage. [13:55.380 --> 14:28.640] What triggered me the most, because Killnet made over 10,000 posts in their channel over its existence, this particular post, you probably can't see it well, but this is a list of countries, some in Europe, some in the United States, and the statement here reads that these countries have been aiding Ukraine. [14:28.880 --> 14:39.600] They've been aiding Ukrainian efforts to fight Russians, and therefore they're going to be targeted primarily by Killnet. [14:39.600 --> 14:48.760] Not only that, this particular post is actually calling for attacks not just against businesses, but against hospitals. [14:49.140 --> 15:03.840] Particularly in a number of countries, including USA, Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands, and Great Britain, this is a call to attack the hospitals. 
[15:03.840 --> 15:15.340] On the bottom, as a postscript in Russian and translated into English, you see the statement from the leader of Killnet, the guy named Killmilk, kill them first. [15:18.060 --> 15:21.700] DDoS attacks won't do much against most hospitals. [15:21.700 --> 15:35.560] In fact, one of the targets listed in consequent posts for DDoS attacks were actually components of a hospital that not many people would think about. [15:35.660 --> 15:42.300] For one of our clients, there was a target of a gift shop inside the hospital that's listed. [15:42.360 --> 15:44.540] I've been to that particular gift shop. [15:44.540 --> 16:00.660] You can buy flowers, you can buy candy, you can buy a stuffed animal, but it's on its own internet connection, and the website for the gift shop can be DDoSed, but I don't know what kind of damage you can do. [16:00.800 --> 16:03.780] Mostly, somebody can't buy a teddy bear. [16:03.780 --> 16:27.220] But think about the rural hospitals that don't have five, six different ISPs coming in, don't have much of a backup bandwidth, and through the main circuits, they may be running 911 components, emergency communications, the connections to Epic, and many other things. [16:27.220 --> 16:36.460] We've seen instances of systems become unavailable, including information about emergency wait times and others. [16:36.460 --> 16:45.100] So this is comical about the gift shop, but how low can you get to attack a hospital? [16:46.100 --> 17:03.500] So this was one of the big things that we've seen, and we decided to figure out what's going on, what this thing is, and who are people behind it. [17:04.480 --> 17:18.620] Killnet is a large collective, but there are leaders, there are speaking heads that have been posting all these things in Telegram channels, and the guy who is in charge of Killnet, the guy called Killmilk. 
[17:19.800 --> 17:32.840] Killmilk is an interesting name, unusual, but some research that we've done consequently was actually very interesting. [17:32.840 --> 17:40.920] So let's meet the real Killmilk, the guy called Nikolai Serafimov, born May 16, 1993. [17:41.200 --> 17:56.780] This person was not even 30 years old at the time the attacks from Killnet began, and he seemed to be just a normal guy. [17:56.780 --> 17:59.380] He is a husband and musician. [17:59.380 --> 18:07.220] In his earlier days, he recorded a number of, not terrible, but kind of okay soundtracks. [18:07.240 --> 18:16.340] He got married, he has a lot of components, used to have a lot of things on social media. [18:16.340 --> 18:22.140] He obviously cleaned things up, but some of the history on the internet you can traverse. [18:22.240 --> 18:25.180] Plus, his wife loves to post pictures. [18:26.820 --> 18:30.280] He also deemed himself a patriot. [18:30.480 --> 18:35.620] This is him when he was serving in Russian military. [18:38.220 --> 18:48.040] The conscription did not exist in Russia, but he actually had to serve, I think, for two years when he was much younger. [18:48.040 --> 18:59.200] And he shows himself, not with his face, but the fact that he had served, showing himself as a patriot. [19:00.420 --> 19:08.020] Deeper investigation into his identity and who was behind him showed that Killmilk is not a patriot. [19:08.020 --> 19:11.280] He is a racist and fascist. [19:11.280 --> 19:24.240] I really don't care to show the visual proofs, but believe me, some of the statements, some of the behaviors that he had would be properly described by these statements. [19:24.620 --> 19:31.400] He also grew up a very disenfranchised young person. [19:31.400 --> 19:41.820] He talks heavily in his social media in his early days about people that he would exert revenge for. 
[19:41.820 --> 19:54.650] He actually says in a number of different posts that when he rises to the top, the people who wronged him in his past will pay. [19:54.650 --> 20:03.390] This is a person that is actually leading a collective, the one that holds vendetta, the one that hates people. [20:04.270 --> 20:14.570] And the real Killmilk actually turns out to be a very normal person that you would expect to run this type of organization. [20:14.590 --> 20:18.670] He is a drug user, a heavy drug user. [20:18.670 --> 20:32.710] In fact, again, on his social media when he was much younger and was filling out those questionnaires, like 20 questions about yourself, he actually fills in lots of interesting information. [20:33.170 --> 20:37.970] What kind of hobbies do you have? [20:38.390 --> 20:42.110] And he's like, oh, my hobby is drugs. [20:42.450 --> 20:45.030] What controls your mood? [20:45.030 --> 20:50.390] Well, my mood is controlled by the amount of illegal drugs in my body. [20:50.390 --> 20:56.510] So that's kind of a person that he deemed himself. [20:56.510 --> 21:05.290] But he also actually found his match and in 2017 he gets arrested. [21:05.290 --> 21:18.490] He gets arrested for trafficking drugs and there is article 228.1 part 5 of Russian criminal code that he gets convicted on. [21:18.490 --> 21:37.940] The interesting reason, the reason why I'm bringing up this saying that I'm sure nobody here knows about is that if you read this carefully, there is a minimum eight-year sentence that is required by Russian criminal code. [21:38.250 --> 21:48.150] And the judge, based on legal considerations, can only cut this sentence by half. [21:48.150 --> 21:56.390] And there is no other leeway, even if he would cooperate with the investigation. [21:56.390 --> 22:06.010] And there is evidence in the legal documents that we were able to find that Serafimov actually fully cooperated with this investigation. 
[22:06.410 --> 22:28.230] But at the same time, within a year, almost less than a year, 11 months later, we're actually seeing that he has left Russian GULAG and he's actually taking out credit and doing other normal life things in normal areas of Russia. [22:28.270 --> 22:31.110] The implications of it is very simple. [22:31.150 --> 22:40.530] You can't cooperate with the government in their investigation just on this because your sentence should be at least four years. [22:40.530 --> 22:50.270] And if he would be convicted in 2017 and get the full sentence of eight years, he would be still in prison. [22:50.290 --> 22:54.250] But we definitely see activities within a year. [22:54.290 --> 23:09.990] This simply means that Serafimov didn't only flip on his partners in crime, drug trafficking that is, but also became some kind of asset for the Russian law enforcement. [23:09.990 --> 23:23.250] That's the only way that we can explain his activities and really getting out from a very stiff sentence in that condition. [23:23.250 --> 23:29.380] That's an interesting component that actually connects him to the Russian government. [23:30.380 --> 23:47.240] Then we'll move several years forward to October 9th of 2022, where Killmilk, at the top of his fame, was giving interviews left and right. [23:47.240 --> 23:57.300] Six months after the beginning of the war or more, we have seen Killnet becoming a brand name in the Russian society. [23:57.300 --> 24:06.540] In fact, the Russian government started endorsing Killnet and groups like that, saying that these people are patriots. [24:07.060 --> 24:22.680] So Killmilk, still maintaining his shroud of anonymity, was actually talking to a Russian publication called RT, Russian television, which is Russian propaganda. [24:23.280 --> 24:32.580] He actually made this particular statement in response to questions. 
[24:32.580 --> 24:45.680] The question was about if he has any aid from abroad, meaning that if there are entities outside of Russia that are supporting Killnet. [24:45.680 --> 24:48.280] He makes a very interesting statement. [24:49.060 --> 24:57.780] He actually talks about Solaris, a group called Solaris, that is responsible for Killnet's well-being. [24:57.780 --> 25:03.620] He says, if not for Solaris, Killnet would not exist. [25:04.680 --> 25:08.940] As part of my job, I read a lot of Russian propaganda. [25:08.940 --> 25:16.860] And I read this, and I got a good idea of how to deal with groups like this. [25:16.860 --> 25:19.000] Because he gave us a clue. [25:19.000 --> 25:24.840] If Solaris doesn't exist, then Killnet wouldn't exist. [25:25.260 --> 25:27.940] So we decided to look at Solaris. [25:27.940 --> 25:33.580] But before I start talking about this, I kind of want to do a bit of introductions. [25:33.720 --> 25:42.180] Because I need to explain who we are and why we decided to take this type of task. [25:42.180 --> 25:43.420] So first of all, my name is Alex. [25:43.420 --> 25:44.060] Hello. [25:44.800 --> 25:48.200] Probably the latest introduction I've done in any of my presentations. [25:49.380 --> 25:54.620] But I was born in Ukraine many, many, many years ago. [25:54.620 --> 25:59.940] I don't have a lot of family, before you ask, in Ukraine. [26:00.040 --> 26:04.160] But I have very deep ties to Ukraine. [26:04.160 --> 26:08.560] My family immigrated to the US, to Milwaukee, in 1989. [26:08.560 --> 26:11.780] And I've been calling Milwaukee home ever since. [26:12.680 --> 26:15.840] I started my career in IT. [26:15.840 --> 26:17.480] I went to Shorewood High School. [26:17.480 --> 26:19.460] Went to UWM. [26:19.840 --> 26:23.520] Worked in IT initially, and then moved to cybersecurity. [26:23.520 --> 26:32.440] Over the past 15 years, I've been doing something called Cyber Threat Intelligence. 
[26:32.660 --> 26:40.120] And we pick a lot of different things in CTI, in Cyber Threat Intelligence. [26:40.120 --> 26:42.700] We are trying to safeguard our clients. [26:42.700 --> 26:48.800] We are trying to safeguard our society from cybercriminals, before the attacks start. [26:48.800 --> 26:59.680] And one of the big directions that we have is that we can't always sustain this race for technology. [26:59.680 --> 27:04.940] And the weakest link in our enemies are the cybercriminals themselves. [27:04.940 --> 27:09.840] So we try to understand the minds of cybercriminals in order to stop them. [27:09.840 --> 27:13.060] And then we use their own technology against them. [27:13.540 --> 27:16.040] I've done a lot of fun things. [27:16.040 --> 27:20.720] And if you Google my name, I think there are 20 million hits on it. [27:20.720 --> 27:24.920] But the number one thing on my resume is this. [27:25.140 --> 27:26.760] I've been making Mr. [27:26.760 --> 27:30.960] Putin mad since 2024, and I'm proud of it. [27:34.060 --> 27:35.340] Thank you. [27:36.200 --> 27:39.600] In 2014, I'm sorry. [27:39.700 --> 27:54.960] So the past 11 years, on August 6th of 2014, we published this little thing on the left, on the front page of the New York Times, saying that we found the biggest breach in the world perpetrated by Russians. [27:54.960 --> 28:05.200] Over 1.2 billion stolen credentials from about half a million companies that have been breached by Russians. [28:05.860 --> 28:11.800] And the next day, there was a notification sent that Mr. [28:11.800 --> 28:15.800] Putin actually put me on his naughty list. [28:16.120 --> 28:17.360] You don't get a plug. [28:17.360 --> 28:20.500] You don't get a notification or anything like that. [28:20.500 --> 28:25.380] You just get a call saying, hey, you are on Russia's naughty list. [28:25.380 --> 28:26.700] Don't go to Russia. [28:26.860 --> 28:27.800] I'm not from Russia. 
[28:27.800 --> 28:30.180] I'm from Ukraine, so I was not planning for it. [28:30.400 --> 28:35.360] But as a payback, I put in sanctions against Putin myself. [28:35.360 --> 28:36.840] He's not welcome in my house. [28:36.840 --> 28:43.540] He can stay in the garage, but he's not allowed in there. [28:43.540 --> 28:56.580] From that perspective, I've been working against Russian cybercrime, against Russian nation-state groups for nearly my entire career. [28:56.580 --> 28:59.680] And this is definitely a highlight. [28:59.980 --> 29:05.820] Dealing with Killnet possibly comes second close to this. [29:05.820 --> 29:09.160] So back to the actual story. [29:09.160 --> 29:14.240] So we started going after Solaris. [29:14.240 --> 29:16.860] Solaris is a drug marketplace. [29:16.860 --> 29:23.140] Why Killnet would actually sink a Russian illegal drug marketplace, I don't know. [29:23.820 --> 29:26.720] So we came up with a plan. [29:26.720 --> 29:32.900] We were trying to take down the Killnet and other groups. [29:32.900 --> 29:36.640] But how do you stop a horde of 100,000 people? [29:36.960 --> 29:43.060] You can stand and try to stop them, but this doesn't work, especially against DDoS. [29:43.120 --> 29:45.500] So how do you do this? [29:45.700 --> 29:50.180] And the step one of our plan was to make a splash. [29:50.180 --> 29:51.620] The splash we did. [29:51.620 --> 29:59.960] We actually knocked down Solaris on the front pages of Forbes magazine, telling a story about how we did this. [29:59.960 --> 30:02.940] And this is a story of what has actually happened. [30:02.940 --> 30:07.340] Solaris has been an illegal drug marketplace for many years. [30:07.960 --> 30:25.160] The guy named Zanzi, a Russian threat actor who established a number of different illegal drug marketplaces, including Ramp, has been building different components, but Solaris he deemed to be his number one masterpiece. 
[30:26.160 --> 30:40.720] Operating illegal drug marketplace, he built this into a drug empire where a number of different illegal drug marketplaces have been generating a small amount of money. [30:40.720 --> 30:51.340] This was at the time number two Russian dark web drug marketplace with daily volumes over about four bitcoins. [30:51.340 --> 30:55.740] That's quite a bit of drugs in Russia. [30:56.200 --> 31:12.520] And one of the questions I asked immediately was why Killmilk is talking about Solaris and why he is mentioning that in the context of helpers abroad. [31:12.520 --> 31:24.800] We actually keep tabs on this and we can actually track movements of the guy named Zanzi by seeing pings from his phone. [31:25.240 --> 31:32.600] And he is traveling around Moscow and general area rather than being somewhere abroad. [31:33.180 --> 31:41.320] Let me explain why a company in Milwaukee would care about illegal Russian drug market. [31:41.320 --> 31:44.800] We don't really work with the DEA. [31:44.800 --> 31:48.440] We don't work with Russian anti-drug authorities. [31:48.520 --> 31:58.760] But this is a really cool place to track cyber threat actors because a lot of them are very computer savvy and a lot of them use drugs. [31:58.760 --> 32:02.740] A lot of them buy drugs on these illegal drug marketplaces. [32:02.940 --> 32:03.860] And guess what? [32:03.860 --> 32:09.620] Most threat actors go and buy these drugs nearby near their home. [32:09.620 --> 32:17.480] So if somebody wants to buy drugs in Milwaukee, they don't drive all the way up to Tulsa to buy the drugs. [32:17.480 --> 32:22.240] They are going to be going into neighborhoods by their home. [32:22.740 --> 32:35.340] And if you start triangulating the places where they bought their drugs, you actually start seeing that things are not the way they are. [32:35.340 --> 32:40.960] So if a threat actor says, hey, I'm in Ukraine, but no, you're buying your drugs in Moscow, so you're here in Russia. 
[32:41.200 --> 32:48.220] And that's what we've been doing, tracking illegal Russian marketplaces for the past decade. [32:48.400 --> 32:52.200] Trying to get other cyber threat actors identified. [32:52.420 --> 32:55.020] But here, that was easy. [32:55.020 --> 32:56.720] We have access to Solaris. [32:56.720 --> 33:07.460] We actually got asked back in 2018 to work with Solaris IT support because they had a technical problem. [33:07.640 --> 33:10.900] And we left a little backdoor, maybe. [33:13.680 --> 33:17.540] So we decided to do step one. [33:17.540 --> 33:23.400] Step one is to reach out to Forbes magazine and do a story about this. [33:23.400 --> 33:24.840] And think about this. [33:24.840 --> 33:35.740] Most successful cybersecurity researchers, they want to finish their research and get published with Forbes. [33:35.740 --> 33:37.740] This was step one for us. [33:38.020 --> 33:49.800] And we used our access into Solaris network to highlight that this is an illegal drug network. [33:49.800 --> 33:52.800] And we will be publishing much information about it. [33:52.800 --> 34:00.640] Forbes does a story, and to confirm this, we do something really nice. [34:00.640 --> 34:03.960] We find a charity in Ukraine. [34:04.320 --> 34:12.640] We found a charity that was giving 100% of proceeds to elderly people impacted by the war. [34:12.640 --> 34:18.680] Displaced by the war, especially in the wintertime, because this was December of '22. [34:18.680 --> 34:33.900] So we set up Solaris network for the bad guys themselves to transfer their bitcoins into the fund of their charity instead of transferring the money to themselves. [34:34.320 --> 34:41.180] So for about a day, they've been pumping their cryptocurrency into Ukrainian charity. [34:41.180 --> 34:44.160] Russian drug lords helping Ukraine. [34:45.120 --> 34:50.380] So when we published the story, it was Forbes. [34:50.480 --> 34:52.520] Solaris response, breach? [34:52.520 --> 34:53.160] What breach? 
[34:53.160 --> 34:54.540] Nothing had happened. [34:54.540 --> 35:07.220] They obviously had been reeling from a loss, but having some components that they could restore, they said there was no breach. [35:07.220 --> 35:14.140] It was some kind of unfortunate event that we have remediated, and that's it. [35:14.140 --> 35:28.400] Meanwhile, some cryptocurrency got moved, and this Ukrainian charity, when they cashed out crypto, put $47,000 towards a really noble cause. [35:28.800 --> 35:39.880] But since Solaris was saying that nothing is breached, we looked at their systems and their GitLab, because they fixed everything. [35:39.880 --> 35:52.240] And all they did, they changed the bitcoin address where they're depositing money back from what we changed to others, changed a couple passwords, and they changed the logo. [35:52.240 --> 35:54.740] That's a security fix for you. [35:56.220 --> 36:02.920] So, you know, this obviously doesn't impress us, and we log into their servers. [36:02.920 --> 36:07.180] Thank you very much for Ansible to be a gateway for all the systems. [36:07.180 --> 36:18.400] And SSH that they use so they don't have to remember passwords, so authentication keys get you everywhere. [36:18.940 --> 36:32.160] So we make an unprecedented move in our history of a company, and two and a half weeks later, after Forbes publication, we go step two. [36:32.160 --> 36:54.340] On our side, we actually publish a full exposure of Solaris network, including compressed files with their GitLab code, with their forum chats, with their entire crypto exchange, identifying tens of thousands of Russians as drug users. [36:54.680 --> 36:58.600] This actually didn't go well with Russians. [36:59.540 --> 37:03.860] Solaris said, this is a fluke, we've been breached. 
[37:03.860 --> 37:18.640] Their closest competitor, a drug marketplace called Kraken, actually sees the day they redirect all the Tor nodes from Solaris to their systems, and there is a huge, huge issue inside of Russia. [37:18.900 --> 37:22.600] Plus, a whole bunch of Russian drug users ended up without drugs. [37:22.600 --> 37:23.760] Terrible. [37:24.680 --> 37:37.160] On the serious side, after doing all this, especially with a very loud splash, we were standing to weather a huge storm. [37:37.160 --> 37:40.280] There have been a number of cyber threats toward myself. [37:40.280 --> 37:44.960] Killmilk posts in his channel a number of bad things about me. [37:45.220 --> 37:48.500] He considers me, personally, his number one enemy. [37:50.360 --> 37:52.420] Maybe that's right. [37:52.980 --> 37:59.740] He keeps posting just mean racist things here, I don't even get to translate. [38:00.060 --> 38:05.100] It comes with doxing and other unpleasant things that may happen to you. [38:05.100 --> 38:14.380] My security is relatively good, but other companies leak information, so not much you can do. [38:14.660 --> 38:16.360] And it gets down to targeting. [38:16.360 --> 38:17.440] Very unpleasant. [38:17.440 --> 38:24.480] And I want to use this opportunity to thank Mequon PD for preventing several very unpleasant situations. [38:24.480 --> 38:46.460] There have been swatting attempts, and Mequon PD behaved very honorably and very understandably, coming in and having a civil conversation and not listening to idle threats and whatever comes with swatting. [38:46.460 --> 38:57.180] So, they've been pretty good about keeping tabs and actually helping, not only me, but family and the office. [38:57.180 --> 39:12.000] So, not particularly pleasant, but I can tell you that I don't have the opportunity or skills to support the Ukrainian military. [39:12.000 --> 39:13.560] Not my war, I'm a U.S. 
[39:13.560 --> 39:21.800] citizen for over 30 years, but this is my cyber weapon that I can pick up and do something about it. [39:22.340 --> 39:33.280] Nevertheless, with everything that's going on, Solaris told its users, we fixed everything, everything is fixed. [39:33.800 --> 39:38.020] December was a fluke, January was a wake-up call. [39:38.020 --> 39:40.940] February comes, we still have access. [39:43.820 --> 39:49.780] They should really not only change their passwords, but do more things. [39:49.780 --> 40:13.120] But this is something, a comic strip that was posted on one of the shops on Solaris, showing that, hey, Ronald McDonald, which was the mascot for that particular shop, he is mourning the loss of RAMP, the drug marketplace, in 2017. [40:13.120 --> 40:19.420] Hydra lost, they went out of business in 2022. [40:20.220 --> 40:27.080] And at the time, this Ronald McDonald was happy to be on Solaris. [40:27.080 --> 40:31.100] Solaris struggled and lost most of its customers. [40:31.220 --> 40:40.580] Finally, just last year, it made a public post, closing its doors, saying that they cannot sustain its customers, they give up. [40:40.580 --> 40:49.780] And this marketplace that hosted over 100 drug shops, and had more than 100,000 customers, closed its doors forever. [40:55.240 --> 41:01.080] Thank you, we fight drug crime in Russia. [41:02.600 --> 41:08.720] I want to say that this operation was run by a team of nine people. [41:08.720 --> 41:17.200] So this was not a huge operation, most of them were Ukrainians, folks in our Ukrainian office that contributed their time to do this. [41:18.280 --> 41:21.540] But this was step three. [41:22.320 --> 41:23.780] There are a couple more. [41:23.800 --> 41:25.800] What's happening now with Killnet. 
[41:25.800 --> 41:44.260] Killnet, during 2023, after all these news unraveling, what is happening in the background is that the Russian government that was supporting Killnet said, hold on a second, Killnet is also being supported by drug lords. [41:44.260 --> 41:49.320] And that's not cool, because the Russian government wants to control everything, including illegal drug trade. [41:49.320 --> 41:56.420] So when they figured out that their money was going to the drug lords, they said, well, no, that's not cool. [41:56.420 --> 41:58.840] We want to pay drug lords ourselves. [41:58.860 --> 42:00.900] We don't need a middle person. [42:00.900 --> 42:24.680] So Killnet, this splash that was planned by us in the beginning, it was Forbes article with this wave of anger from Russians, was really our way to get Russian government to pay attention for illegal activities or stupid activities of one of their own. [42:24.680 --> 42:31.140] So Russian government lost confidence in Killmilk and in Killnet. [42:31.140 --> 42:35.160] That was the goal of our task. [42:35.160 --> 42:37.860] That was the final step that we were doing. [42:37.860 --> 42:47.680] And the rest of it is just getting this huge avalanche down the mountains, burying everything. [42:48.660 --> 42:53.240] Killmilk starts posting things like this, altruism is over. [42:54.000 --> 43:01.820] From this point on, Killnet becomes a for-profit military organization. [43:02.400 --> 43:03.740] And this doesn't work. [43:03.740 --> 43:07.780] I mean, 100,000 people and only one guy is getting paid? [43:07.780 --> 43:09.020] It doesn't work like that. [43:09.020 --> 43:13.880] And how much money you want to pay for DDoS to enrich 100,000 people and grandma? [43:13.880 --> 43:15.120] Not much. [43:15.120 --> 43:20.020] So at one point, Killnet dispensed itself. [43:20.020 --> 43:25.240] And Killmilk says, now I'm working alone, everybody's fired. [43:27.000 --> 43:29.500] So not many people love the channel. 
[43:29.660 --> 43:38.780] Then Killmilk actually tries to give information or give controls of Killnet to the guy called Blackside. [43:38.780 --> 43:43.820] And a couple of people on the channel said, hey, did you just call yourself Blackside a couple of years ago? [43:43.860 --> 43:45.860] Oh yeah, that's me, sorry. [43:48.000 --> 44:00.140] So the other interesting thing that's happening, on October 6th of 2023, Killmilk actually makes this post. [44:00.360 --> 44:05.400] And it's actually a surprise hackathon to me. [44:05.400 --> 44:13.920] So this was greatly unusual because the post actually said in Russian, but I'm translating. [44:13.920 --> 44:17.960] Today, Killnet takes the first step toward the peace. [44:18.220 --> 44:22.600] It's actually in his manifesto, which is lengthy, as you can see. [44:22.600 --> 44:34.880] He is saying that they're going to be listening to the guidelines from Red Cross, not attacking civilian targets, not attacking anything that may actually cause life loss. [44:34.880 --> 44:39.160] And ultimately, they're only going to be concentrating on military targets. [44:40.400 --> 44:42.120] This actually made sense. [44:42.120 --> 44:44.440] That's kind of like, okay, that's cool. [44:44.640 --> 44:46.260] That's what's happening. [44:46.320 --> 44:50.380] But on October 6th of 2023, lots of things were still good. [44:50.380 --> 44:56.160] Because the next day, unfortunately, there was this devastating attack by Hamas in Israel. [44:56.520 --> 45:12.040] And almost immediately, Killmilk changes his tune from, we want peace, to Israel deserves this, they never supported Russia. [45:12.040 --> 45:15.520] Hamas did the right thing, and so on and so forth. [45:15.520 --> 45:20.380] And now calls for violence in the Middle East from Russian threat actors. [45:20.440 --> 45:26.280] And also continued attacks against Ukraine and its supporters. [45:27.320 --> 45:30.280] That's kind of scary. 
[45:30.300 --> 45:33.840] And that peaceful thing didn't last that long. [45:33.840 --> 45:42.480] So Killnet in 2024 comes to its final unraveling. [45:42.480 --> 45:52.500] So 2024 starts, and Killmilk is no longer able to sustain everything. [45:52.500 --> 45:55.960] He is not doing well financially. [45:55.960 --> 46:05.030] And he actually sells even the channel Killnet to a group called DNN. [46:05.560 --> 46:10.090] The supposed selling price is about $10,000. [46:10.980 --> 46:23.780] But that was highly anticipated because by that time, end of 2023, Killnet lost most of its followers. [46:23.780 --> 46:36.020] The sale to the group DNN shrank the membership in the channel from well over 100,000 people to just 3,000 individuals. [46:36.200 --> 46:45.460] And guess what, DNN was using the Killnet channel from 2024 forward. [46:45.460 --> 46:50.860] They actually started fighting illegal drug trade in Russia. [46:52.020 --> 46:54.340] I can explain why it's happening. [46:54.340 --> 46:58.600] So we didn't only set a good bad example for them. [46:58.600 --> 47:11.640] But in order for Killnet to get back in good graces with the Russian government, it needs to right the only wrong they did in the eyes of the Russian government. [47:11.640 --> 47:17.700] So they became a doxing machine for the Russian illegal drug trade. [47:17.700 --> 47:23.970] Actually identifying a number of individuals, high-ranked individuals, who are behind the Russian drug trade. [47:32.380 --> 47:40.550] The last thing of update is Killmilk and what Serafimov was doing over that time. [47:40.550 --> 47:45.290] His identity was publicly exposed by Russians themselves. [47:45.290 --> 47:57.510] Meaning that the Russian government was so fed up with his antics and his connection to the illegal drug trade, that they decided to turn their media against him. [47:58.850 --> 48:04.410] In 2022, we see Killmilk owning four different cars. 
[48:04.410 --> 48:10.750] All used, but two of them were Porsche Panameras for him and his wife. [48:10.750 --> 48:14.970] And a couple of BMWs. [48:15.130 --> 48:18.790] In 2023, he owns all these cars. [48:19.150 --> 48:30.270] And from that perspective, he actually takes micro-loans, which are popular apparently in Russia, for doing a whole bunch of things. [48:30.270 --> 48:34.050] His wife is taking micro-loans to do her nails. [48:34.110 --> 48:39.610] So that's... no credit cards or anything like that for them. [48:39.610 --> 48:47.510] But that's how financially strapped these folks are. [48:48.590 --> 48:53.230] And Killmilk becomes a drama queen. [48:53.230 --> 49:03.850] He leaves Killnet, joins a different group, doesn't get traction there or gets in a fight, and goes elsewhere. [49:03.850 --> 49:13.690] Today, if you want to talk to Killmilk, he actually sells on some of his Telegram groups something called School for Darknet. [49:13.690 --> 49:19.630] You can pay from $300,000 to $29,000 if you have extra money. [49:19.630 --> 49:33.730] But based on reviews, he is just googling information on the Internet and pretty much cutting and pasting into a chat and says, hey, now you owe me money. [49:33.810 --> 49:35.450] That's pretty much what the reviews said. [49:35.450 --> 49:36.510] I didn't try. [49:37.170 --> 49:39.750] And then he gets into flame wars. [49:39.750 --> 49:51.610] Flame wars, he basically yells at people and gets in trouble, and they reveal more information about him. [49:51.610 --> 49:52.870] He yells at them. [49:52.890 --> 49:54.510] That was the thing. [49:54.610 --> 50:01.350] The only good thing I think that came out, or funny thing, because he came back to his music career, he actually released a couple singles. [50:03.830 --> 50:10.290] I mean, he's not tone deaf like me, so that's only a positive thing. [50:10.290 --> 50:17.870] But they're profanity-laced songs. 
[50:17.870 --> 50:24.910] One of the latest things that's not on the slides, he actually spread the rumor that he died. [50:24.910 --> 50:27.750] There was a media story about this. [50:27.750 --> 50:32.010] And then later on, within a week, he came back like, I'm alive, don't worry about it. [50:32.010 --> 50:33.470] Nobody worried about it. [50:36.750 --> 50:41.570] But on a serious note, Killnet has its legacy. [50:41.570 --> 50:47.250] It's left its legacy, I think, forever in the cybersecurity community. [50:47.250 --> 50:56.390] It was the first wave of hacktivism where it was okay to attack any target they wished without any repercussions. [50:56.790 --> 51:13.050] In their attacks against Lockheed Martin, they were photoshopping the leaders of Lockheed Martin in caskets, and sending death threats to employees of Lockheed Martin, saying that this will happen to you if your company still supports Ukraine. [51:13.050 --> 51:23.990] It was a driving wave that is moving far beyond the normal circumstances. [51:24.090 --> 51:31.350] Just a year and a half ago, there was a conflict of words between India and Canada. [51:31.370 --> 51:44.930] And using examples and technology used by Killnet, Indian threat actors started attacking the nation of Canada in cyberspace without much prompting, just within 24 hours. [51:44.930 --> 51:47.730] It normalizes this activity. [51:48.170 --> 51:52.230] And hacktivism went beyond the dark web. [51:52.230 --> 52:03.730] It took IT personnel, it took somebody's grandma, it took politicians to okay and normalize cyber attacks from one nation to the other. [52:03.730 --> 52:11.650] And that's a great injustice and a great step forward in cyber crime. [52:11.970 --> 52:17.090] And this also shows how much propaganda can be harmful. [52:17.090 --> 52:26.450] Because if you turned on cyber news in 2022 and much of 2023, you would hear about DDoS attacks against U.S. 
[52:26.450 --> 52:32.430] airports, against financial institutions, against hospitals, against other things. [52:32.430 --> 52:39.790] And this was much more propaganda and fear tactics than actual harm it did. [52:39.790 --> 52:42.670] Yet it still hit the spot. [52:42.670 --> 52:45.790] It still causes fear and uncertainty. [52:45.790 --> 52:51.230] And there were no repercussions to Russia or its citizens. [52:51.230 --> 53:03.830] And the last thing I want to tell you, our power in this as a cybersecurity community is in our innovation and our ingenuity. [53:04.490 --> 53:14.330] From Hold Security, we took a group of nine people who devised this plan that was maybe what if, but this should work. [53:14.330 --> 53:25.710] To do a couple steps to start this little rock rolling from the top of the mountains, turning into an avalanche at the bottom. [53:25.710 --> 53:30.630] And we found the Achilles heel of a group that had 100,000 people against nine. [53:31.190 --> 53:38.650] And we executed this attack, a social engineering and technology attack, to take out the group. [53:39.230 --> 53:41.550] Killnet does not exist anymore. [53:41.550 --> 53:52.550] Unfortunately, in their place came a whole bunch of other groups, much more tightly controlled, much better vetted, and the Russian government learned its lesson. [53:52.550 --> 54:14.770] But I'm proud to say that there is our contribution in finding this vulnerability within this horde of people to take down their infrastructure, to take down their organization, and make them simply a footnote in dark web history. [54:15.290 --> 54:17.710] That's pretty much my presentation for today. [54:17.710 --> 54:19.150] Thank you very much. [54:26.580 --> 54:29.540] We may have a minute or two for questions. [54:29.540 --> 54:30.240] Well, [54:44.760 --> 54:58.440] we do threat intelligence, so we have presence on the dark web, we have reputation on the dark web, and we are gathering not only information, but also contacts. 
[54:58.440 --> 55:03.540] So at some point when Solaris was being built, they actually reached out to us. [55:03.540 --> 55:07.080] Zanzi reached out to us for some technical assistance. [55:07.080 --> 55:10.680] Something with PHP was not working, and it still didn't work. [55:10.680 --> 55:19.280] We said that you have to rewrite the code, but in doing so, when he was showing us a problem, he just gave us access to one of the servers. [55:19.660 --> 55:24.340] And we patched the server, just not the way he asked us to. [55:24.680 --> 55:29.560] From a legal perspective, he invited us to the server so we did not trespass. [55:29.560 --> 55:41.640] From a technical perspective, he can take us to court, for example, in the state of New York, for not fulfilling a verbal contract of fixing his PHP code. [55:41.880 --> 55:43.500] I would like to see that. [55:44.080 --> 55:48.680] But to answer your question, we were invited onto his servers. [55:48.980 --> 55:52.880] We just stuck around longer than he thought we would. [55:58.780 --> 56:06.620] So just to repeat the question, how much money we were able to send to charity. [56:06.920 --> 56:10.800] At the time, it was a little bit more than 1.5 bitcoins. [56:11.140 --> 56:21.320] Bitcoin was at its lowest, not at the current rate, but as I said, when they cashed out bitcoins, it was $47,000 US. [56:22.580 --> 56:23.780] Yes. [56:31.860 --> 56:36.570] So the question is if KillMilk is a technology person or... [56:37.720 --> 56:39.400] He was a mouthpiece. [56:39.400 --> 56:42.940] He was a charismatic leader. [56:42.940 --> 56:50.240] He wrote a lot of technical posts, but he did not have anything to do with technology. [56:50.240 --> 56:58.240] He was a drug user, drug dealer, and then a drug-driven leader of a collective. [56:58.240 --> 57:04.480] And the good thing is that he was not technical at all, just a lot of hype. [57:11.820 --> 57:14.460] Telegram was actually a public channel. 
[57:14.460 --> 57:24.920] So KillMilk had a lot of public channels that they maintained for communication, for announcements, for others. [57:24.920 --> 57:27.900] Some of them, we got invited into these channels. [57:27.900 --> 57:32.160] But when you have a group of 100,000 people, you don't particularly vet every member. [57:32.160 --> 57:34.040] You don't say, hey, who are you? [57:34.040 --> 57:35.360] You just let them in. [57:35.360 --> 57:38.040] So this is something that was very fortunate. [57:38.040 --> 57:43.700] Anybody can become a member of KillNet, and that's what made fighting them extremely difficult. [57:43.700 --> 57:47.220] But in this particular way, it was easy to get in. [57:49.680 --> 57:50.500] All right. [57:50.520 --> 57:51.880] Thank you guys again.