While financially motivated threat actors are clearly in the cybercrime business to make money, their supposedly ideologically driven hacktivist counterparts often find it harder to make ends meet.
A new brand of hacktivism has grown in prominence since the start of Russia’s war on Ukraine, with several pro-Russian threat actors gaining notoriety for high profile attacks carried out over the past 18 months.
A report (PDF, registration required) authored by researchers at KELA describe how five hacktivist groups are trading in stolen data, offering hack-for-hire and training services as a way to fund cyberattacks. Researchers add that so-called hacktivists they are tracking are also seeking investor funding and selling advertising to fund activities.
(See related report: Hacktivism: is it fashionable again or just a sly cover?)
“Despite the apparent effort to explore new income sources, it remains evident that finding alternative funding is not the primary objective of these groups. Instead, the focus remains on activism and spreading their message,” KELA said in its report.
“It appears that the groups are attempting, sometimes chaotically, to test every possible way for funding their activities, with at least some of these efforts appearing to have been unsuccessful or not gaining the desired attention.”
Killnet: short of cash, not ideas
Of the hacktivist groups KELA studied, pro-Russian threat actor Killnet displayed the most entrepreneurial spirit, branching out into a diverse range of moneymaking activities this year.
Killnet’s fundraising enterprises included attempting to set up a private military hacking company, selling goods and services, launching a hacking forum, sourcing funding from investors, demanding ransoms from attack victims, and setting up a cryptocurrency exchange.
The wide range of ventures, many of which were not successful, appeared to be driven by necessity. Although Killnet is believed to be aligned with the Russian government, KELA said there was no evidence it, or other pro-Russian hacktivist groups, received any significant financial support from the Kremlin.
In a September 2022 post, Killnet’s founder, Killmilk, said the group had to suspend its attacks because it had run out of money.
Phoenix: streaming ad-sponsored hacks
Another group identified by KELA as hacktivists, called Phoenix, was primarily involved in distributed denial of service (DDoS) attacks, defacing websites, leaking stolen data and sharing compromised credentials to its Telegram channel.
In April this year, Phoenix announced one of the cybercrime ecosystem’s more unusual fundraising initiatives: streaming its attacks on Telegram and YouTube. To monetize its videos, the group announced an auction where the highest bidder would appear on the stream. It said it welcomed sponsors for the stream and would also sell advertising.
Anonymous Sudan: making big ransom demands
Anonymous Sudan claims its purpose is “proving to all countries that Sudan has people who will protect it on the Internet” and to “attack anyone who opposes Islam” but researchers have described it as “a smokescreen for Russian interests” likely to have no connection to Sudan.
The group is affiliated to Killnet and monetizes its operations by selling stolen data and demanding ransom payments from its victims.
Anonymous Sudan’s recent targets have included Scandinavian Airlines and Microsoft. Last month it claimed to have stolen 30 million credentials belonging to Microsoft account holders. The group advertised the sale of the database for $50,000 while Microsoft denied the data had been stolen.
Another hacktivist group stopped asking for donations. Instead it focused on selling access to the Tesla-Botnet via the group’s Telegram channel.
