Advisory June 15, 2023

Threat Intelligence Report about hacker groups targeting the European banking system

According to Obrela’s threat intelligence, various hacker groups are currently collaborating to plan a significant attack on the European banking system. These groups include Killnet activists, REvil and Anonymous Sudan.

A representative from Killnet issued a statement, saying, “I’m not warning you, but rather informing you that nothing can save you. You haven’t encountered problems of this magnitude before.”

There is also obtained an unreleased promotional video related to the attack, where an unnamed Killnet representative urged all active groups to engage in destructive activities against the European banking system.

threat intelligence post

The leader of Killnet, known as Killmilk, who is operating under a pseudonym, confirmed that preparations for the attack are already underway and expected to commence within the next 48 hours.

This cyberattack has the potential to become the largest in history according to them. A representative from REvil expressed his belief that “the world has gone mad” due to money, claiming that the European banking system controls the EU.

An Anonymous Sudan member warned that European financial institutions would face “the most powerful cyber attack in modern world history.” They called for preparations and stated that once the strike is executed, it will be too late to rectify anything. Their primary target is the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system, which powers most international money and security transfers, failure of which could potentially cripple the Western financial system.

Killnet is a pro-Russia threat group that has been active since at least January 2022. The group initially emerged as a distributed denial of service (DDoS) tool provider but evolved into a hacktivist group in response to the Russia-Ukraine war and pro-Ukraine hacktivism. Killnet targets the websites of organizations in critical sectors with DDoS attacks, aiming to cause disruptions. Killnet victims are typically organizations in North Atlantic Treaty Organization (NATO) countries, as well as other countries offering military support to Ukraine. They often use brute force to compromise credentials and after the attack they use defacement to promote their propaganda.

threat intelligence post

Killnet has been the subject of significant disinformation since its emergence. Researchers have scrutinized the reliability of their claimed attacks and have found that their attribution is unreliable and their impact is minimal. However, they do succeed in their attacks and if they combine their forces with the group mentioned below “Anonymous Sudan”, a potential attack could be more powerful if conducted correctly.


Anonymous Sudan is a hacktivist group that was formed in January 2023 and is known to conduct widespread distributed denial of service (DDoS) attacks. The group became an official member of the “Killnet” collective in February 2023, and has been highly active throughout this year launching politically motivated attacks. Anonymous Sudan has also started to conduct financially motivated attacks in mid-2023, including extortion DDoS and the sale of stolen data.

anonymous sudan

The group focuses its attacks on the critical sectors of organizations in North America, Europe, and the Middle East. Although Anonymous Sudan is considered to be relatively unsophisticated, the group has demonstrated that its attacks have been successful, often taking down websites for multiple days. The group has also joined the Killnet collective, which is likely to add resources and improve the credibility of the group’s attack claims.

REvil is a globally recognized hacker group suspected of conducting major attacks on critical infrastructure in the US and several prominent companies worldwide. They have demanded ransoms reaching up to $50 million. While the FSB announced the defeat of this group in January 2022 at the request of the US, doubts emerged among high-level leaders in cybercrime regarding the arrests made.

At present, it remains uncertain if this announcement is a real threat or it is just a part of a fame seeking and terror spread attempt. The TTPs used by Killnet and Anonymous Sudan are mainly related to DDoS and, as of now, no real and credible confirmation of the association with these groups exist from the REvil side.

anonymous sudan

REvil is a ransomware group and it is unusual for such groups to be engaged in such attacks, as also to pre-announce them.

The Threat Intelligence and SOC teams of OBRELA remain vigilant and are closely monitoring their activities, and clients’ infrastructure.