- InformNapalm.org (English) - https://informnapalm.org/en -

Young IDP from Donetsk created Android app, which hacked 2500 phones of aggressor

In this publication we will tell about the experience of Ukrainians (not state structures, but active citizens) in countering new military challenges of the Russian hybrid aggression. Ukraine faced the new type of warfare at the beginning of the 21st century. The information and cyber component of it consolidated the active part of the Ukrainian society in a response effort. Just as in 2014, thousands of volunteers went to the front to defend the territorial integrity and sovereignty of Ukraine, the cyber front received its own volunteers. The acquired competencies are not governmental, sometimes they are very local, but these initiatives show that small groups or even individuals can play a role, if they do not look up to intelligence agencies or government bodies, do not expect any action from them, but rather take the initiative and act according to the sense of their own civic duty, teaming up with like-minded people on the way.

The first “combat startup” of a youth from Donbas

In 2014, when Alexander was only 16 and still at school, he and his parents had to flee their home in Donetsk occupied by the militants. So they became IDPs, having moved to Lviv Oblast. Being professionally interested in programming, he applied his skills to the fight against the militants who occupied his native Donetsk.

Alexander’s first volunteer startup, which subsequently led him to the Ukrainian Cyber Alliance (UCA) [1], was the creation of the Army of Novorossia, a spoof web site for hacking the Russian militants and mercenaries. After the success of this initiative, he was admitted to the UCA. The site, for a long time imitated a closed social network for the Russian world adherents, collecting personal data, postal addresses and telephone numbers of terrorists, which were subsequently transferred to the database of the Myrotvorets Center, to the experts of InformNapalm volunteer intelligence community and to Ukrainian hacktivists for further processing.

The primary data collected through this initiative allowed the UCA hacktivists to conduct a number of successful hacks [2], including the Union of Donbas Volunteers organization, military commandant’s offices of the Russian occupation administration as well as Russian propagandists and their supervisors from the Kremlin.

Russian propagandists, having realized how elegantly the mercenaries and militants were fooled into giving away their personal data, rushed to look for the “trace of the State Department”, attributing the results of the operation not only to intelligence agencies of Ukraine, but even to the USA.

Here, for example, is an excerpt from the post in the social group Veterans of the Militia of Donbas Community (Содружество Ветеранов Ополчения Донбасса/СВОД) dated February 5, 2016(full text here [3]):

“THE APPEAL of the Head of the
Commonwealth of the Veterans of the Militia of Donbas to all militiamen and servicemen of the DPR and LPR 

Dear comrades-in-arms!

The intelligence agencies of the USA and Ukraine spare no effort to conduct reconnaissance and subversive activities against Russia, Novorossia and their defenders.

One of the enemy‘s objectives is to collect the information about the fighters and commanders of the military units of the DPR and LPR, their relatives, connections, location, etc. <…>

In this regard, I draw your attention, in particular, to the mass e-mailings, coming, among other ways, through the personal contacts of militiamen, with the invitation to register on the anonymous Army of Novorossia website, actively collecting information about combatants of Novorossia and about volunteer helpers: http: //novoross-army.com/.

The anonymous (!) creators of the site Army of Novorossia declare that this resource has been organized “to improve communications of the fighters between themselves and volunteer helpers, for arranging the collection of targeted aid to wounded fighters, etc.”

The full text of the message contains even more absurd turns of the propagandists’ amateurish logic, regarding the use of Gmail and website hosting in the US, which in their opinion clearly indicates the “trace of the American intelligence agencies”. But let us keep parsing of these gems out of this publication, not to delay the climax of the story too much. We will have to disappoint the Russians. This operation did not use a single penny from the budget of Ukrainian intelligence agencies and even less from the budget of the USA. It was pulled off by a very young IT specialist from Donetsk with almost frightening efficiency.

Blowing smoke from Lviv Underground

The Ukrainian Cyber Alliance’s viral “videos from Lviv Underground” calling for consolidation and concerted action, contributed to the development and expansion of the hacktivists’ movement in Ukraine (Ed.: Lviv Underground is a popular meme in Ukraine, mocking the scare mongering myths of the Russian media, there is no subway in Lviv).

Video with English subtitles

In 2016, Alexander caught on the spirit of the Lviv Underground and joined the Ukrainian Cyber Alliance. Already as a community member, he implemented another interesting initiative code named CropUkrop [4]. This application for Android played on the aggressive urge of the Russian world adherents to wreak havoc on the pro-Ukrainian web by conducting DDos-attacks on the sites of InformNapalm community, Myrotvorets Center etc.

The app imitated participation in a DDos attack, meanwhile extracting all the useful information from the smartphone of the attacker (archive [5]).


UCA hacktivists prepared the target audiences for the CropUkrop application was through dozens of the Russian propagandists’ and bloggers’ sites, to which the they hadgained access. Here are some examples and links like this: “Russian hackers have created an app that can block InformNapalm and Myrotvorets web sites (archive 1 [6]2 [7]3 [8] etc.)

When the activity monitor of the CropUkrop DDos attack simulator showed significant audience numbers, the hacktivists asked the volunteers of InformNapalm and Myrotvorets to write relevant lamenting posts about being under a DDos attack, to encourage the “attackers” and make the game look even more convincing. Thus, there appeared reports like the one in the screenshot above.

Within 7 days, more than 2500 phones were infected and hacked, among which there were those belonging not only to the ordinary fans of the Russian world from the occupied territory of Donbas, but also to active militants, Russian servicemen and propagandists from Russia. Here is a sample of notification stream from the hacked phones, which the hacktivists received from the infected gadgets.

On the 8th day, alert Ukrainian patriots completely blocked the app by swamping the host of the relevant *.apk file with complaints, thinking that it was a product of the terrorists, so the project had to be abandoned. The militants themselves did not suspect that all this time their phones were under control of the UCA. Although the experience was quite positive, it showed that there was no way such initiatives could be synchronized with socially active users, which means these operations can only be short-term. Nevertheless, more than 2500 phones with all the data remained under control of the hacktivists for 7 days. Not bad. This can be considered a response to the Russian operation described in CrowdStrike report, which we have presented earlier [9].

The example of this young IDP from Donbas and his effective hacktivist projects shows that Ukraine has a lot of creative talent and many active patriots ready to defend their land.

Disclaimer: The materials were exclusively provided to InformNapalm by the representatives of the Ukrainian Cyber Alliance. InformNapalm community bears no responsibility for the sources and origins of the retrieved data.

This publication was prepared by Andrew Lysytskiy [10]translated by InformNapalm English [11]

[12](CC BY) Information specially prepared for InformNapalm.org [13] site, an active link to the authors and our project is obligatory for any reprint or further use of the material.

Share our publications and investigations on social networks.