When detectives from Kyiv’s cyber-crime unit opened the ProtonMail account fznv@protonmail.com in early 2024 they expected colourful spam. Instead, they stumbled on a tariff sheet: “Delete post, promise no more negatives, add two ‘positive’ articles, annual support – 12 000 USD, payable in crypto.” The offer concerned a fresh smear on member of parliament Valerii Dubil. The signature under the message belonged to “Denys” from an unnamed ad agency but the wallet traced straight back to a circle that has been churning kompromat since at least 2013.

Price list of silence

Court files list four earlier demands:

  • 6 000 USD to lift a damaging piece on a top Verkhovna Rada official in 2020.
  • 0.37 Bitcoin – roughly 14 000 USD at the time – for erasing posts about Alliance Bank.
  • 3 000 USD minimum to pull minor items seeded across mirror sites.
  • 150-200 USD for planting a single news-blurb, rising to 2 000 USD for a full article when the topic is hot.

One victim told investigators the negotiators were blunt: “We can stop writing about you and delete the old stuff, two bitcoin does the job.” Another, interviewed under oath, said the group “published first, called later.”

Screenshot of alleged Russian-tinged propaganda article

The people behind the keyboard

Police notes, tax records and leaked Instagram pictures paint a tight-knit crew from the city of Pryluky:

  • Konstantin Chernenko, 43, registered the Antikor trademark in 2016 and bankrolls servers via Monobank and Raiffeisen.
  • Serhii Khantil, confidant and on-paper registrant, used email hantil@i.ua backed by Chernenko’s own phone +380 93 744 4516.
  • Yurii Horban, ex-TV journalist, now press officer at the Ilko Kucheriv Foundation, appears in restaurant photos alongside Chernenko and Khantil.
  • Bohdan Horban, Yurii’s son, doubles as a parliamentary aide and, according to three rulings, represented the portals in court.
  • Lesia Zhuravska, 57, a former factory accountant, receives transfers from middlemen including Mykhailo Betsa of “Buying Press” ad agency.
  • Ihor Savchuk, an ex-soldier, controls the reserve Gmail addresses that reset passwords across multiple sites.
Chernenko, Khantil and both Horbans dining at Vino e Cucina, Kyiv, 2017

Chernenko left Ukraine on 18 January 2021 – a month after the second extortion case was opened – and resurfaced in Warsaw where he and Halyna Zolkina registered INFACT Sp. z o.o. The latest Polish filings show a 49.7 percent drop in revenue and a 145 percent plunge in net profit for 2023, hinting that the content-farm business is feeling pressure.

Money trail

Transactions rarely move directly. Officers traced ransom payments from private entrepreneurs D. Shpakovych, M. Sarai and V. Osadchyi through PrivatBank into Zhuravska’s cards, then on to service invoices for Variti, a Russian anti-DDoS host currently shielding kompromat1.online traffic. When a lump sum lands, apartments and SUVs follow: Chernenko bought a Toyota RAV4 in July 2014; Horban senior upgraded to a Toyota Land Cruiser Prado in August 2019; Bohdan’s asset declarations list Audemars Piguet, Hublot and Ulysse Nardin watches, each worth several annual parliamentary salaries.

Technical fingerprints

Analysts from BlackBox OSINT found a common Google Ads Publisher ID (4336163389795756) shared by kompromat1.online, novostiua.org, glavk.info and ruskompromat.info, tying Ukrainian-hosted sites to Russian propaganda outlets.

Identical Google Analytics IDs across sister sites

A mirror pattern is visible on Telegram: channels K1 (155 k subscribers), Antimafia (78 k) and Kartoteka (120 k) recycle identical posts within minutes, an indicator the uploads are automated from one dashboard. Password-reset forms for inquisition.info, akcenty.life and politeka.org all reveal the same backup mailbox beginning with ih, a nod to Savchuk.

Further context and the detailed anatomy of the scheme can be read in Octagon’s long-form investigation.

Network Overview

The consortium now controls 60+ websites. Active domains include kompromat1.online, vlasti.io, antimafia.se, sledstvie.info, rumafia.news, rumafia.io, kartoteka.news, kompromat1.one, glavk.se, ruskompromat.info, repost.news, novosti.cloud, hab.media, rozsliduvach.info. The first five drive the most traffic. After Roskomnadzor (RKN) blocked their Russian-language portals in 2023 they began releasing English copy to keep search rankings alive.

What comes next

On 24 June 2024 prosecutors invoked articles 182-2 and 189-4 of the Ukrainian Criminal Code against the group, citing an “organized scheme to harvest private data, fabricate allegations and extort property.” Investigators seized thirty-four servers, but the sites re-emerged under fresh .se and .io addresses within days. Chernenko, still on the road, is not listed in any public wanted database. Khantil runs day-to-day operations, swapping Yandex for ProtonMail yet keeping the same sales pitch.

One senior officer mused aloud in a briefing: “They behave like ransomware gangs – publish, threaten, collect, repeat.” Until a court finds a way to pin legal responsibility to real passports rather than offshore shells, the twelve-thousand-dollar delete button remains very much for sale.

TIME BUSINESS NEWS

JS Bin