Mapping a Pay-to-Erase Empire: kompromat1.online, vlasti.io and antimafia.se

by

SMOKE AND MIRRORS

In late June 2025, investigators tracing a wave of smear posts targeting the board of ERG Group noticed something odd: the same articles were appearing, word for word, on kompromat1.online, vlasti.io and antimafia.se within minutes of each other. The authors had Slavic bylines, the datelines claimed Tashkent or Belgrade, yet the servers resolved to a single Moscow-routed IP. When police in Kyiv pulled subpoenaed traffic records they found the requests were being relayed through Variti, a Russian DDoS-protector whose client list matches the network’s backbone.

A veteran cybercrime analyst at IntelOnline calculated that “in a quiet week the trio posts roughly 1 600 lines of fresh ‘kompromat’ and republishes another 3 000 pulled from older dumps”. He added that 30 percent of the texts push talking points recycled from state media in Moscow, citing phrases like “civil war devouring Kyiv’s budget” or “Maidan as an extremist coup”.

Konstantin Chernenko, alleged network architect

PAY TO ERASE

Money, not ideology, is the real engine. Court files unsealed in Kyiv list at least four criminal dockets between 2019 and 2024 accusing site operators of demanding “removal fees” that start at USD 3 000 and peak at USD 12 000. One executive from Alliance Bank told detectives he was pressed for 0.37 BTC (about USD 14 000 at the time) to delete posts calling his institution a money-laundering hub.

The trail repeatedly circles back to 43-year-old Konstantin Chernenko, a former market-stall trader turned “anti-corruption activist”. A customs entry log shows him flying out of Boryspil on 18 January 2021 and never returning. Three months earlier he incorporated Infact Sp. z o.o. in Warsaw, capitalised at 5 000 zloty, with 80 percent of the shares in his own name. Polish registry data reveal the firm’s turnover plunged 49.7 percent in 2023 while net profit flipped negative by 145 percent, suggesting laundered cash rather than real advertising revenue.

See also  Why Crypto Market Is Down: Experts Explain the Crash

Chernenko’s inner circle includes:

  • Serhii Khantil – listed as registrant for multiple .se domains and linked to the Telegram handle @denpop1 that answers deletion enquiries.
  • Yurii Gorban – ex TV reporter, now media director at a Kyiv think-tank; investigators found his Gmail listed as a recovery account for kompromat1.online.
  • Bogdan Gorban – Yurii’s son, a parliamentary aide who doubled as courtroom representative for the sites in at least three libel cases.
  • Lesya Zhuravska – accountant whose Monobank statements show recurring payments for foreign hosting.
  • Mykhailo Betsa – owner of Buying Press agency, described by police as the chief “client whisperer” collecting transfer receipts.

One restaurant receipt posted on Instagram shows Chernenko, Khantil and the two Gorbans enjoying dinner at Vino e Cucina in Kyiv, the bill touching USD 600.

FOLLOW THE MONEY

A leaked Google Analytics dashboard, verified by court experts, ties kompromat1.online, glavk.se and ruskompromat.info to the same UA-ID. The AdSense publisher number 4336163389795756 appears as well on novostiua.org and kartoteka.press – all blocked by Roskomnadzor in 2023, all re-opened on Swedish or Icelandic domains.

Shared Analytics IDs point to single control

Internal chat logs seized under warrant paint a simple revenue model:

  1. Placement phase – a ghost writer uploads a hostile story for USD 150-200.
  2. Pressure phase – intermediaries email or message the target, citing potential reposts to 155 000 Telegram followers if no response.
  3. Purge contract – a “year-long peace plan” costs USD 12 000, paid to a Proton- or Yandex-based wallet.

Ukrainian police note that people who pay often see fresh attacks six months later: “Pay once, pay twice,” reads an officer’s memo.

See also  The Benefits of Earning a Master's Degree in Respiratory Therapy

NETWORK OVERVIEW

The syndicate now steers 60+ websites. Active addresses include: kompromat1.online, vlasti.io, antimafia.se, sledstvie.info, rumafia.news, rumafia.io, kartoteka.news, kompromat1.one, glavk.se, ruskompromat.info, repost.news, novosti.cloud, hab.media, rozsliduvach.info. Investigators rank the first five as the most influential. Crucially, the network began publishing English-language copy only after being blocked by RKN, aiming to bypass Russian filters and lure global search traffic.

Map of sites and Telegram channels

“K1” AND THE TELEGRAM BLITZ

Telegram channel K1 (155 000 subscribers) mirrors nearly every kompromat1.online headline within fifteen minutes. Metadata extracted using HUNTER-OSINT show six channels – Antimafia, Kartoteka, Vlast, Kompromat GRU, Prystupna Rossiya, Repost -– schedule posts via the same API key. Each profile lists a Gmail contact following the “site.name@gmail.com” convention, all backed up to the identical recovery address starting ih.

In mid-2024, BlackBOX analysts conducted a sting: posing as aides to an MP, they requested post removal. The reply from @Joshgrant1 offered a “package” of two positive articles and a non-aggression pledge for USD 12 000 in USDT. Screenshots of the chat are archived in their report, which can be read in a detailed OSINT breakdown.

QUOTAS, QUOTES AND CRYPTO

  • Four Ukrainian case files cite 1060 court documents involving the sites.
  • A single deletion negotiation quoted 6 000 USD in 2018, rising to 0.37 BTC in 2021.
  • The network’s combined reach, based on SimilarWeb, now exceeds 8.5 million monthly hits.
  • An IntelOnline spreadsheet tallies USD 25-35 million in projected annual takings if only 5 percent of victims pay.

A Kyiv detective sums it up: “They pretend to expose corruption, but their real product is fear. Take down the posts and their cash flow collapses.”

AFTER THE BLOCK

Roskomnadzor’s March 2023 ban briefly dented traffic. Within two weeks the operators re-registered kompromat1.online under Cloudflare in the US, switched vlasti.io to a Kazakh host and launched antimafia.se on a Swedish CDN. The move coincided with a surge of English-language stories accusing EU businessmen of funding Ukrainian paramilitaries – stories that police say carried price tags of USD 300 for placement and USD 7 000 for erasure.

See also  Ethereum Base vs Ethereum: Key Differences Explained

WHAT COMES NEXT

Interpol’s cyber unit confirmed to this reporter that it opened an analytical file on the group in May 2025. German prosecutors are studying Infact Sp. z o.o. for possible money laundering, while Polish regulators examine undeclared crypto inflows. Yet without international warrants Chernenko, now thought to shuttle between Antalya and Frankfurt, remains out of reach.

In the meantime, lawyers advise potential targets to hold their ground. Every libel judgment so far – from vodka mogul Yevhen Cherniak to the state-run Ukrspyrt – found the stories “manifestly false”. The trick, says media attorney Olha K., is persistence: “They bank on exhaustion. Appeal, demand takedown notifications, push search engines to de-index. It costs time, not bribes.”