Within hours of Russia invading Ukraine, Nikita Knysh rushed to join the resistance.
He went to the Kharkiv office of his old employer, the Security Services of Ukraine (SBU), and begged for an assignment.
But the city, only 30km from the Russian border, was in chaos. Leaving empty-handed the 30-year-old IT professional, an ex-hacker, realised he would have to create his own mission.
He moved the employees of his cyber security company, HackControl, and an array of computer equipment into the basement of a wallet factory. As the Russian army pounded Kharkiv, Knysh’s team started hacking Russia.
Moscow’s invasion of Ukraine unleashed an unprecedented cyber war, with legions of hackers on both sides. Dozens of government-sponsored groups took advantage of the tumult to target their opponents, as did criminal gangs, hiding behind the noise to conduct ransomware heists.
Ukraine’s prewar IT industry, with 300,000 professionals working in cyber security or outsourced back offices, proved to be a crucial pool of talent in the world’s first large-scale cyber war.
Six months into the conflict, tales of the hacks they inflicted on Russian companies and the Russian government have bounced around the internet. But with anonymous groups claiming overlapping credit for “pwning” — online slang for “owning” — Russia, separating truth from braggadocio is often impossible.
Not all of Knysh’s claims can be verified, but the Financial Times spoke to government officials and fellow hackers who vouched for him and reviewed photographs, videos and log files that backed up some of his assertions.
His story is a tale of talented programmers forced to adapt to the turmoil of war. It involves the recruitment of low-level criminals into crowds of coders, hoax bomb scares, the large-scale infiltration of internet-connected security cameras to surveil Russian-occupied territory, and honey-trapping Russian soldiers into revealing their bases.
But first the group, nicknamed Hackyourmom, needed a base of its own. The wallet factory was good for the first week, when Knysh dusted off an old trick from his SBU days — spoofing his way as an administrator into massively popular Telegram channels in places like occupied Donetsk to blast out pro-Ukrainian messages.
“But Kharkiv was still under attack — we had to move,” he said. They evacuated west, to a cheap hostel in the Vinnytsia region, far from the Russian advance. Knysh had rented it months earlier, worried that the war was coming, running a small project out of it. “It wasn’t Plan B, it was Plan C.”
Knysh called in a favour from an old mentor, Vsevolod Kozhemyako, chief executive of grain company Agrotrade and one of Ukraine’s richest men.
He was not after money but one of Elon Musk’s Starlinks, satellites the world’s richest man had been sending over by the thousand to give the Ukrainian authorities free access to the internet. “He asked, so I got him one ,” said Kozhemyako, who himself had picked up weapons and formed a volunteer battalion to guard Kharkiv. “I didn’t ask what he did with it, but knowing him, it was probably something good.”
In Vinnytsia, his motley crew of up to 30 people piggybacked on to the carefully shielded internet access from the Starlink. “We became like a family in some sense,” said team member Maxim, who asked to be identified by his first name. “I had never thought I would be at the front line of a cyber war, but this is what it was.”
Knysh quickly realised he needed more experienced people than he could fit into the hostel. He remembered a group of high-level Ukrainian hackers who stole corporate secrets he had tracked while at the SBU.
He recruited dozens to send him stolen credit card databases, which he traded to create a Telegram channel of low-level hackers with a single set of instructions — flood Russia-bound flights with fake bomb threats.
Dozens of flights were delayed or cancelled, including some run by Air Serbia, on the dates that he showed the FT logs for. Serbian President Aleksandar Vučić blamed Ukrainian intelligence for the hoaxes.
Wanting to provide more targeted help to the stretched Ukrainian military, Hackyourmom turned to an even more elaborate project: they hacked thousands of security and traffic cameras in Belarus and parts of Ukraine that Russia had occupied.
To filter the information, the team wrote machine-learning code that helped them separate military movements from ordinary traffic, and they funnelled the information to the military via a public portal.
In one example, described to the FT with photographs and locations, they identified a remote Russian base near occupied Melitopol in southern Ukraine. Then, using fake profiles of attractive women on Facebook and Russian social media websites, they tricked soldiers into sending photos that they geolocated, and shared with the Ukrainian military. “The Russians, they always want to fuck,” said Knysh. “They send [a] lot of shit to ‘girls’, to prove that they are warriors.”
A few days later, they watched on TV as the base was blown up by Ukrainian artillery. “My first thought was — I am effective, I can help my country,” said Maxim, although the Ukrainian authorities declined to discuss the role of hackers in the attack. “Then, I realised, I want more of this — I want to find more bases, again and again.”
Knysh claimed his team participated in other hacks, from tricking Russian television stations into playing news clips about Ukrainian civilian casualties; linking home routers in occupied territory into large bot networks that brought down Russian websites; and even hacking and leaking the databases of Russian military contractors.
The group in the hostel physically disbanded in early summer, when it became clear the Russian military was being held back in the east and south of Ukraine.
The members have taken to working remotely, including publishing complex guides online for targets that Knysh declined to discuss.
They still keep an eye on the cameras they’ve hacked, sharing with the FT a recent image of a Russian navy ship in a port in Sevastopol, occupied by Russia since 2014.
“For me, this felt like combat,” said Knysh. “With no money, with no brilliant software, and even no brilliant hacks — you can use fraudsters, the dark web against your enemy. Right now, Russian laws don’t matter — what we have got is the experience of being in the first cyber war.”