{ "id": "0a530017-66df-428d-ad5a-275f079b522e", "created_at": "2026-04-08T02:22:04.218594Z", "updated_at": "2026-04-10T03:30:43.138782Z", "deleted_at": null, "sha1_hash": "35101cfe72c5dbbbc8665c155edc5b958c2627ca", "title": "Hacktivists Call for Release of Telegram Founder with #FreeDurov DDoS Campaign", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 64810, "plain_text": "Hacktivists Call for Release of Telegram Founder with #FreeDurov\r\nDDoS Campaign\r\nBy gmcdouga\r\nPublished: 2024-09-04 · Archived: 2026-04-08 02:00:26 UTC\r\nIn recent weeks, a new hacktivist campaign has emerged to demand the release of Telegram CEO Pavel Durov,\r\nafter his arrest by French authorities. In this report, Check Point Research explores the most prominent and\r\ndominant hacking groups involved in the campaign.\r\nOn August 24, in response to the French authorities’ arrest of Telegram CEO Pavel Durov, hacktivist\r\ngroups started a hacking campaign called #FreeDurov or #OpDurov\r\nAmong the first groups to react were pro-Russian People’s Cyber Army of Russia and pro-Islamic\r\nRipperSec, with both groups posting on their channels on the day of the arrest to initiate the campaign\r\nIn the following days, dozens of hacktivists groups joined the effort, collaborating to attack more than 50\r\ntargets in France, primarily with distributed denial of service (DDoS) attacks.\r\nParticipating Groups\r\nCyber Army of Russia Reborn (CARR)\r\nThe CARR, Cyber Army of Russia Reborn AKA Russian Cyber Army Team, telegram channel was created in\r\nMarch 2022 shortly after the war between Russia and Ukraine began. The group primarily targets Ukraine and its\r\nallies with DDoS attacks. Previously, this group has performed significant attacks, such as compromising SCADA\r\nsystems of water utilities in the United States, Poland, and France. Most recently, CARR was sanctioned by the\r\nUS State Department for attacking US and Europe critical infrastructure. The group is affiliated to the Russia’s\r\nmilitary intelligence service and the Russian GRU-related Sandworm group.\r\nAs of September 3, 2024, CARR’s main telegram channel has 62,181 members.\r\nAfter announcing the operation #FreeDurov on August 24, AT 22:23 with a post on their channel, CARR began\r\ntargeting French organizations with DDoS attacks.\r\nThe list of targets that were published on CARR’s channel is following:\r\nsantre.fr (August 25)\r\naldo-carbonde.ademe.fr (August 25)\r\nsayne.fr (August 26)\r\ncoe.int (August 26) (Together with CyberDragon group)\r\ncnrs.fr (August 27)\r\nhttps://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nPage 1 of 9\n\nNotably, the posts disclosing the attacks were removed from CARR’s channel after September 2nd\r\n.\r\nThe reason for the post removal is unclear given the group has a reputation of being “loud” and often boasts about\r\ntheir attacks, especially when mainstream media reports on their activity.\r\nRipperSec\r\nRipperSec is a pro-Islamic, likely Malaysian, hacktivist group that was created in June 2023. The Group’s\r\nprevious targets included various organizations in Israel, governmental entities in the US, and Indian banking\r\ninfrastructures. RipperSec claimed responsibility for attacking X (formerly Twitter) during the recent Donald\r\nTrump interview with Elon Musk. The group uses their own DDoS tool called MegaMedusa to launch attacks.\r\nThe group is believed to originate from Malaysia, although they claim that their founder has passed away and are\r\nnow led by a Singaporean leader. As of September 3, 2024, their Telegram channel has 3,083 members.\r\nhttps://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nPage 2 of 9\n\nOn August 23rd\r\n, RipperSec published a post in their Telegram channel that they are shutting down their\r\noperations.\r\nHowever, on the day of Durov’s arrest they revealed their intent to target France.\r\nThe list of targets that were published on the RipperSec channel:\r\npricebank.fr (August 25)\r\nconfederationpaysanne.fr (August 25)\r\nhttps://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nPage 3 of 9\n\namandes.gouv.fr (August 26)\r\nboursedeoaris.fr (August 26)\r\nlafrenchtech.gouv.fr (August 26)\r\nbonjourdefrance.com (August 26) (together with CGPLLNET group)\r\nuniv-lehavre.fr (August 26) (together with CGPLLNET group)\r\nuniv-ag.fr (August 26) (together with CGPLLNET group)\r\nutt.fr (August 26) (together with CGPLLNET group)\r\ncned.fr (August 26) (together with CGPLLNET group)\r\nauf.org (August 26) (together with CGPLLNET group)\r\nuniv-montp3.fr (August 26) (together with CGPLLNET group)\r\nmediasat-tv.fr (August 27)\r\ncampusfrance.org (August 27)\r\nasbv.fr (August 27)\r\nradiofrance.fr (August 27)\r\nfrancetelevisions.fr (August 27)\r\noddo-bhf.com (August 27)\r\ndinard.aerport.fr (August 28)\r\nbpifrance.fr (August 28)\r\npolice-nationale.interieur.gouv.fr (August 28)\r\nbig.bpifrance.fr (August 28)\r\ndexia.com (August 28)\r\ndegiro.fr (August 31)\r\nieseg.fr (September 2)\r\nants.gouv.fr (September 2)\r\npricebank.fr (September 2)\r\njustice.gouv.fr (September 2)\r\nsse.efopro.afpa.fr (September 2)\r\nEvilWeb\r\nEvilWeb is a pro-Russian hacktivist group that was created in March 2024. As part of the support of the Russian\r\nnarrative, the group targeted various American and European entities. EvilWeb operates in a hack-and-leak\r\nmethod, in parallel to leveraging traditional DDoS attacks. EvilWeb made claims to have allegedly obtained data\r\nfrom various high profile American organizations. As of September 3, 2024, the EvilWeb Telegram channel has\r\n1,146 members.\r\nEvilWeb announced their participation in #FreeDurov operation on August 25, 2024, and began executing DDoS\r\nand hacking attacks.\r\nhttps://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nPage 4 of 9\n\nThe following is the list of targets published by EvilWeb:\r\nservice-public.fr (August 25)\r\nfr (August 25) (leaked DB)\r\ngouv.fr (August 25) (leaked part of DB)\r\naeroport.fr (August 26)\r\nbarseille-airport.com (August 26)\r\nfr (August 26) (leaked DB)\r\ngouv.fr (August 26)\r\nCyberDragon\r\nCyberDragon is a pro-Russian hacktivist group created in September 2023. The group sporadically targets various\r\nUkrainian organizations and NATO entities in support of Russia. Before engaging in #FreeDurov, CyberDragon\r\ncarried out a campaign called #OP404 in coordination with other pro-Russian hacktivists groups to target\r\nUkrainian hosting providers.\r\nOn August 26th, CyberDragon announced their participation in #FreeDurov. They posted in their Telegram\r\nchannel stating that European governments want to control Telegram. The group also indicated that the attack was\r\ncarried out together with the CARR group.\r\nhttps://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nPage 5 of 9\n\nThe list of targets that were published on the CyberDragon channel:\r\ncoe.int (August 26)\r\nint (August 26)\r\ngouv.fr (August 26)\r\ncorsica-ferries.fr (August 26)\r\ngreffe-tc-paris.fr (August 26)\r\nUserSec\r\nUserSec is a pro-Russian hacktivist group that has been in operation since at least 2022. The current Telegram\r\nchannel of the group contains 8,124 members as of September 3, 2024, and mostly targets NATO member states.\r\nOn August 25, 2024, the group published a post supporting the operation #FreeDurov and announced that they\r\nwill target French entities in collaboration with CARR.\r\nhttps://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nPage 6 of 9\n\nThe list of targets that were published on UserSec channel:\r\nfr (August 25)\r\ntribunal-administratif.fr (August 25)\r\ncom (August 27)\r\nhttps://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nPage 7 of 9\n\nSTUCX Team\r\nStucx team is a Malaysian hacktivist group that has been operating since at least March 2023. Before October 7th,\r\nthe group targeted Indian entities with DDoS attacks. After the Israel-Hamas war began on October 7th, the Stucx\r\nteam began targeting Israeli organizations. Recently, the group targeted Argentina in a massive defacement and\r\nDDoS campaign.\r\nOn August 26th, the group published a post supporting #FreeDurov and began targeting France.\r\nThe list of targets that were published on Stucx team channel includes:\r\nreseau-chaleur-chalons.fr (August 26)\r\nmaster-transports-tte.fr (August 26)\r\nfr (August 27)\r\nConclusion\r\nThe arrest of Telegram founder Pavel Durov resonated with many hacktivists groups, mainly pro-Russian and pro-Islamic groups. The sentiment of the groups towards Durov varies. Many groups simply stated their support of\r\nDurov without engaging in any public activity, while other groups stated that their concern is the operational\r\nsafety of Telegram, and that NATO wants to coerce Durov into compliance. A few Russian groups have\r\nproclaimed that Durov is “one of ours” and engaged in cyberwarfare due to patriotic reasons. In addition,\r\nTelegram is currently one of the main facilitators of the hacktivist’s activity, so those groups will be the first one to\r\nsuffer from possible privacy setback in Telegram.\r\nWith Durov’s release  from police custody, it seems that the campaign #FreeDurov is in a dormant stage until the\r\nnext action by the French authorities.\r\nhttps://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nPage 8 of 9\n\nSource: https://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nhttps://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "references": [ "https://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/" ], "report_names": [ "hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign" ], "threat_actors": [ { "id": "a3917c91-ec7d-485f-8784-bfb1b1a78359", "created_at": "2023-11-08T02:00:07.13872Z", "updated_at": "2026-04-10T02:00:03.424164Z", "deleted_at": null, "main_name": "UserSec", "aliases": [], "source_name": "MISPGALAXY:UserSec", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d58f7d9f-abb3-4e78-a13a-b87399fc03e5", "created_at": "2024-04-20T02:00:03.559673Z", "updated_at": "2026-04-10T02:00:03.618525Z", "deleted_at": null, "main_name": "Cyber Army of Russia Reborn", "aliases": [], "source_name": "MISPGALAXY:Cyber Army of Russia Reborn", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ffc4eae6-3bb3-49f5-9db8-9a98e3bde1ab", "created_at": "2024-04-20T02:00:03.564963Z", "updated_at": "2026-04-10T02:00:03.61935Z", "deleted_at": null, "main_name": "People's Cyber Army of Russia", "aliases": [], "source_name": "MISPGALAXY:People's Cyber Army of Russia", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "5245f2ea-fd7e-4b43-ada3-d9eb41923dd2", "created_at": "2024-11-03T02:00:03.635546Z", "updated_at": "2026-04-10T02:00:03.731596Z", "deleted_at": null, "main_name": "RipperSec", "aliases": [], "source_name": "MISPGALAXY:RipperSec", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6eb51a44-43b9-46e6-be24-ca3dfb94e611", "created_at": "2024-11-13T13:15:31.095956Z", "updated_at": "2026-04-10T02:00:03.747167Z", "deleted_at": null, "main_name": "EvilWeb", "aliases": [], "source_name": "MISPGALAXY:EvilWeb", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775614924, "ts_updated_at": 1775791843, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/35101cfe72c5dbbbc8665c155edc5b958c2627ca.pdf", "text": "https://archive.orkl.eu/35101cfe72c5dbbbc8665c155edc5b958c2627ca.txt", "img": "https://archive.orkl.eu/35101cfe72c5dbbbc8665c155edc5b958c2627ca.jpg" } }