Killnet Threatens Imminent SWIFT, World Banking Attacks

The DDoS collective claims to be teaming up with REvil and Anonymous Sudan for destructive financial attacks in retaliation for US aid in Ukraine, but the partnerships (and danger) are far from verified.


The pro-Russian hacktivist collective known as Killnet claims to be working in concert with a resurgent form of the notorious REvil ransomware gang. The goal? To mount an attack on the Western financial system.

The group is warning that attacks are imminent, as in the next day or so, but it's unclear whether the threats amount to anything more than bluster and saber-rattling, particularly given Killnet's track record of, at most, carrying out mildly disruptive distributed denial-of-service (DDoS) attacks.

Even so, in a video posted on a Russian Telegram channel on June 16, Killnet made ominous threats against the SWIFT banking system (famously targeted by Lazarus in 2018); the Wise international wire transfer system; the SEPA intra-Europe payments service; central banks in Europe and the US (i.e., the Federal Reserve); and other institutions.

"The post claims that threat actors from Killnet, REvil, and Anonymous Sudan will unite for the campaign," according to ZeroFox researchers, writing in a flash alert on the threat. "Killnet indicates that the attack is motivated by the US providing weapons to aid Ukraine, stating: 'repel the maniacs according to the formula, no money — no weapons — no Kiev regime.'"

Killnet's New Besties: Real or Imaginary?

When it comes to the claimed partnerships, Anonymous Sudan is an emergent DDoS player that targeted entities in France, Germany, the Netherlands, and Sweden earlier this year, ostensibly in retaliation for perceived anti-Islamic activity in each of these countries. However, despite this religious persona, Trustwave researchers in the past have tied Anonymous Sudan to Killnet, noting it could simply be a masked subsidiary.

As for REvil, which imploded in 2022 after a Russian takedown, evidence of a re-emergence is one day old: On June 15, a Telegram channel called, fittingly, "REvil," was created. It was used to circulate a shout-out ("Hello Killnet") that went on to be heavily re-posted in a Killnet-affiliated Telegram channel, according to ZeroFox.

"This is the only post in channel to date and no additional evidence substantiating the partnership has been observed," the researchers noted.

A previous whiff of REvil's resurrection came more than a year ago, when rumors surfaced that some members were regrouping — but nothing more came of it.

Killnet could be fabricating the REvil partnership to lend some heft and gravitas to its threats against some tough targets. While Killnet has successfully gone after big game before, such as the White House and SpaceX satellite comms in Ukraine, these had "limited impact, causing short service outages and disrupting access to information," ZeroFox researchers said. A REvil partnership that's more than a flight of fancy "would allow them greater access to vulnerability exploitation, network intrusion, and data exfiltration."

Absent that, "the [threatened attacks], if legitimate, are unlikely to result in mass or prolonged outages to Western banking infrastructure, despite the newly claimed relationships with REvil and Anonymous Sudan," they added.

Even so, the publicity push around a supposedly imminent financial catastrophe could be simply an effort to harry Western governments and financial institutions, ZeroFox concluded — or, given Killnet's penchant for shenanigans, just an attempt to garner attention and notoriety.

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
