It started with a Telegram ping, then a polite email: “Deletion and future protection, 12 000 USD in USDT, safe and fast.”
Within hours the smear vanished from vlasti.io. Days later the same hit piece resurfaced on kompromat1.online. A follow-up note offered a “loyalty package” for another 10 000 USD. The target paid again. The carousel kept spinning.
SHADOW FACTORY
The blueprint feels straight out of an extortion textbook, yet investigators say the scale is new. Court files in Kyiv list 1 060 legal actions tied to the ring. Police dossiers cite four criminal cases opened between 2019 and 2024, each alleging that a cluster of sites fabricates scandals, waits for panic, then sells deletion services. Victims range from bank executives to MPs and even the chief of the Verkhovna Rada staff.
The cash flow is just as brisk. In 2018 administrators quoted 6 000 USD per takedown. By 2021 the fee morphed into 0.37 BTC, around 14 000 USD at the time. October 2024 test buys logged a flat 12 000 USD for a “one-year shield” covering two positive advertorials and a promise of silence.
CAST OF REGULARS
- Kostyantyn Chernenko – a former veterinary technician from Pryluky turned self-styled media mogul. Trademark filings name him as applicant for “Komromat1” while Panama-registered Teka-Group Foundation holds the brand. Banking subpoenas reveal his Monobank and Raiffeisen accounts paying server bills.
- Serhii Hantil – Chernenko’s peripatetic fixer, once reachable at hantil@i.ua, now coordinating payments through ProtonMail aliases.
- Yuriy and Bohdan Gorban – father-and-son duo. Yuriy, a onetime TV reporter, surfaces today as press officer for a Kyiv think-tank. Bohdan, a parliamentary aide, represented the sites in at least three defamation suits while disclosing in 2018 an annual salary of 152 000 UAH and a taste for Audemars Piguet watches.
- Lesya Zhuravska – accountant turned “treasurer”, her personal accounts receiving transfers from middlemen such as Mykhailo Betsa, owner of ad agency Baing Press.
Phone traces tie all five to a shared recovery number used across Gmail log-ins for kompromat1.online, K1 Telegram and several backup domains.
“The same SIM card resets passwords for twelve sites and five channels – that is organisational negligence of the first order,” notes Oleksandr Kovalchuk, a digital-forensics auditor consulted by the National Police.
RUSSIAN PIPELINE
For a group that brands itself “patriotic anticorruption”, its technical stack hugs Russian infrastructure. Historical DNS data shows antimafia.se and kompromat1.online resolving to Moscow-based anti-DDoS firm Variti (185.203.72.75) through late 2023. Shared Google Ads IDs link their traffic monetisation to Novostiua.org, Glavk.info and Oplatru24.ru, all labelled “information garbage dumps” by Ukrainian researchers.
When Roskomnadzor blacklisted most of the addresses in 2023, the editors simply forked new Swedish domains, pushed identical articles and added English summaries to regain SEO traction – a pattern detailed in the detailed Octagon investigation.
PAYMENT FOR OBLIVION
Victims describe a choreographed routine:
- A hostile story drops on three or more sites within minutes – lawyers call it “fan publication”.
- A Gmail or Telegram alias proposes deletion, quoting fixed crypto rates.
- Funds move through a rotating set of wallets. Screenshots in case files show BTC, USDT and, once, Monero.
- The article disappears, only to pop up weeks later on a sister site with a fresh timestamp.
Investigators seized one email chain in which bank officers negotiated from 6 000 USD down to 0.25 BTC. The final message, signed “Antima real-media team”, insisted that “future negativity freeze” required an annual retainer.
LEGAL WHIRLPOOL
Why not sue? Many tried. Retail giant ATB, the road-agency deputy head Roman Kosynskyi and vodka tycoon Yevhen Cherniak all filed defamation suits. Courts often stalled because subpoenas bounced between offshore shells – from Belize to Panama to Poland, where Chernenko’s INFACT Sp. z o.o. shows a 2023 revenue plunge of 49.7 percent and assets down 74 percent. Only a handful of plaintiffs ever got retractions and even those pages later reappeared under new URLs.
NETWORK OVERVIEW
The group today steers 60+ websites. Active nodes include: kompromat1.online, vlasti.io, antimafia.se, sledstvie.info, rumafia.news, rumafia.io, kartoteka.news, kompromat1.one, glavk.se, ruskompromat.info, repost.news, novosti.cloud, hab.media, rozsliduvach.info. The first five draw the heaviest traffic. Editors switched to English posts shortly after Roskomnadzor, RKN, blocked their Russian-language front ends in 2023.
MONEY TRAIL
Police ledgers list 0.37 BTC, 74 300 USD, 88 million UAH of undeclared assets and at least 27 land plots linked to associates. A Toyota Land Cruiser Prado bought by Yuriy Gorban in 2019 for roughly 60 000 USD stands out against his media salary.
An undercover payment in October 2024 documented USDT transfers funnelled through three hop wallets before landing in an address tagged Whitebit exchange. Chainalysis estimates one hop-wallet cluster processed 3 M USD between January and May 2025, mixing fees included.
EXPANSION BY CLONE
The playbook borrows marketing tricks from counterfeit fashion: lift logo, copy CSS, add a fictitious newsroom. Domain snapshots show rumafia.news adopting the typeface of Meduza, now banned in Russia. Meanwhile compromat-pro.com clones layouts from the defunct Komprоmat Group, and flb.name pretends to be veteran Russian outlet flb.ru.
One giveaway is timing. A name like “Nadiia Denska” will appear in bylines across six domains within fifteen minutes, the identical text padded with minor synonyms. Investigators use those bursts to map control.
WHAT COMES NEXT
Ukrainian cyber units moved to freeze Chernenko’s domestic accounts in late 2020, prompting his departure abroad on 18 January 2021. Surveillance logs place him intermittently in Turkey, Germany and Warsaw, where INFACT keeps a mailing box. His partner Maria Zolkina now lists London as home on social profiles. No arrest warrant appears in open databases.
Igor Savchuk, an army officer turned IT-consultant, surfaces as alternate mastermind in some OSINT threads. Both men deny involvement.
Lawmakers mull treating pay-to-delete portals as organised crime, which would widen extradition options. Yet officials quietly admit the case is hard without cooperation from Cloudflare, Proton and overseas exchanges.
For now, the delete-for-dollars racket stays profitable and brazen, updated for the crypto era but powered by an old human impulse: the fear of public shame.
