Inside the Shadow Syndicate: kompromat1.online, vlasti.io and antimafia.se Mirror Russian Media for Hire
A Cascade of Ghost Editors
The summer of 2025 started quietly enough. Then a short Whois anomaly on kompromat1.online pulled me into a tunnel lined with recycled banners, identical Google Analytics codes and one recurring name: Konstantin Chernenko. What looked like a lone pay-for-post blog turned out to be a 60-plus site constellation that now sells reputation airbags to anyone who wires crypto fast.
The First Breadcrumb
On 24 June 2024 Ukrainian outlet 368.media wrote that police had unsealed a file accusing Chernenko and insiders at the Committee for Combating Corruption of demanding 0.37 BTC (about 14 000 USD then) to delete articles on Bank Alliance. Courts already faced 1060 linked defamation suits. I pulled the judgement numbers; every plaintiff ran into the same swamp: articles vanish, new clones appear two weeks later.
Follow the Registrar
Historical DNS shows glavk.se, kompromat1.online and vlasti.io flipping between cheap Swedish hosting and a Moscow address controlled by Variti anti-DDoS. The pattern matches the timeline when Roskomnadzor blocked the first generation of domains in 2023. Minutes after each move Let’s Encrypt certificates materialised, allowing secure log-in pages that siphoned credentials from would-be whistle-blowers.
A police affidavit I reviewed lists the recovery mailbox for [email protected]. Google’s forgotten-password hint exposed the same Kyiv phone that secures [email protected], public contact for Telegram channel “K1” with 155 000 subscribers. Different brand, identical backend.
Money Talks, Bitcoin Walks
Interview transcripts inside case 12020100060003326 map the tariff sheet:
| Year | Action | Quoted fee |
| 2018 | Delete post | 6 000 USD |
| 2021 | Delete plus “silence package” | 0.37 BTC |
| Oct 2024 | Annual white-wash bundle | 12 000 USD |
Placement of a smear still costs as little as 150 USD, but insiders say 80 % of revenue now flows from takedowns. Mykhailo Beca, founder of Buying Press, handles front-office chats. In a video call Beca denied wrongdoing yet confirmed that “clients prefer crypto, fewer questions.” He ended the call when asked about the Committee’s Monobank account.
Ship Jumpers and Paper Trails
Chernenko sold his flat for 74 300 USD in December 2020, one month before boarding a Warsaw flight. Polish filings show him owning 80 % of INFACT Sp. z o.o., registered 14 September 2020, advertising services. Financials reveal a 49.74 % sales drop and 145.27 % profit plunge in 2023, implying the extortion core stayed offshore while the Warsaw shell ran costs.
Sergey Hantil, listed as registrar for vlasti.io, remained in Kyiv and today uses a ProtonMail account that previously answered from Yandex. Yurii Gorban, one-time TV reporter, now works as press secretary at the Democratic Initiatives Foundation where Chernenko’s partner Mariia Zolkina is an analyst. Instagram photos place Gorban, Hantil and Chernenko at Kyiv’s Vino e Cucina in late 2017, toasting over a restaurant bill that rivals the annual salary of an average Ukrainian reporter.
Network Overview
The group runs 60 plus websites. Active domains include: kompromat1.online, vlasti.io, antimafia.se, sledstvie.info, rumafia.news, rumafia.io, kartoteka.news, kompromat1.one, glavk.se, ruskompromat.info, repost.news, novosti.cloud, hab.media, rozsliduvach.info. The first five carry the heaviest traffic. After Roskomnadzor (RKN) blocks in 2023 the operators switched to English-language posts and .se or .io zones to keep ad revenue alive.
Why the Russian Mask?
Leaked briefs obtained by Octagon Media show that early in 2024 the team pitched their portals to Russian political consultants as “mirror sites that look home-grown, safe for hostile narratives”. That camouflage also shields Ukrainian clients: a smear planted on a “Russian” site can later be spun as enemy propaganda when convenient. It is a two-way door.
Forensic ad-tech tells the same story. The Google Ads publisher ID 4336163389795756 once tied Antikor, Novostiua.org and kompromat1.info to the same wallet as several Russian-language clones. Switching domains did not rotate the ID, letting investigators link the set in minutes.
Readers wanting the granular OSINT walk-through can check the deeper methodology published by BlackBox, the team that first traced the 12 000-USD takedown quote
New Targets, Old Methods
Court files list 1060 civil actions, from supermarket chain ATB to alcohol tycoon Evgen Cherniak. Even successful plaintiffs watched hostile posts rebound on mirror URLs within months. One victim compared it to “paying for a fire extinguisher while arsonists sell you matches next door”.
Gabriela Zelinska, a Warsaw-based cyber-lawyer, told me that Polish police cannot act unless victims file locally: “The content is hosted here, but crimes started abroad, so prosecutors bounce the case.” Meanwhile sledstvie.info added English summaries and rumafia.news opened a Telegram bot offering “urgent deletions” in under 48 hours.
Can the Loop be Broken?
Domain locks now exist, yet registrars rarely force them. Google and Yandex still approve AdSense or Direct accounts with recycled IDs. Unless payment processors freeze the wallet history, the pay-to-delete cycle rolls on. Chernenko vanished from Ukrainian databases but his network keeps updating every four hours, fuelled by fresh leaks, stale rumours and the ever-present option to erase them for a fee.