Ukrainian Cyber Alliance


The Ukrainian Cyber Alliance is a community of cyber activists from Ukraine and around the world. The UCA was formed in the spring of 2016 by the merger of two cyber activist groups, Falcons Flame and Trinity. It was later joined by the RUH8 group and individual activists from the CyberHunta group, hacktivists who joined together to counter Russian aggression in Ukraine.

Origins and founding members

  • Established in spring 2016 through the merger of Falcons Flame and Trinity
  • Soon joined by RUH8 and individuals from CyberHunta

These groups had been active since 2014, conducting small-scale cyber operations in the early stages of the Russo‑Ukrainian conflict.

Motivation and purpose

The UCA launched with a mission to safeguard Ukraine’s independence and territorial integrity, partly in line with constitutional principles emphasizing citizen defense in times of national threat.

Notable operations

  • May 9, 2016: #OpMay9 led to the defacement of nine Russian and separatist websites during Russian Victory Day commemorations.
  • September 2016: Over 33 websites belonging to pro-Russian entities were defaced in a major day-long operation, and UCA obtained emails from 13 DPR “military commandant” offices for intelligence and law enforcement.
  • October 2016: The group released the Surkov Leaks, a trove of emails from the office of Vladislav Surkov, Putin’s key adviser on Ukrainian affairs, shedding light on Russia’s influential role in Donbas separatism.

Collaboration and strategy

The UCA operates independently but shares intelligence with groups like Inform Napalm, the Ukrainian Security Service, and other domestic and international agencies. Its structure leverages swarm tactics (decentralized, volunteer-led actions), making its operations both agile and hard to trace.

Participation in the Russia-Ukraine cyber war

The hacktivists began engaging in cyber activities aimed at protecting Ukraine's cyberspace in the spring of 2014. Over time, the hacktivists began to conduct joint operations with Ukraine's government. Gradually, some hacker groups united in the Ukrainian Cyber Alliance, in accordance with Article 17 of the Constitution of Ukraine, with an aim of defending the independence of their country and its territorial integrity. The Ukrainian Cyber Alliance exclusively transmits extracted data for analysis, reconnaissance, and publication to the international intelligence community, Inform Napalm, as well as to the law enforcement agencies of Ukraine.

Notable operations

Operation #opDonbasLeaks

In the spring of 2016, the Ukrainian Cyber Alliance conducted Operation #opDonbasLeaks. The UCA conducted approximately one hundred successful hacks of websites and mailboxes belonging to militants, propagandists, and their curators, operating in the occupied territories. Among the targets was the mailbox of the Russian organization, "Union of Volunteers of Donbas."
From this, they obtained passport data and photo documents of Spanish, Italian, Indian, and Finnish citizens, who were fighting in the Prizrak Brigade, for which Russia grants and, if necessary, extends visas. It was reported that Russians injured during the fighting in eastern Ukraine were treated in military hospitals operated by the Ministry of Defense.

Hacking of the ANNA News site

On 29 April 2016, the Inform Napalm website, in a call to the UCA, reported on the hacking and defacement of the Abkhazian Network News Agency. As a result of the hacking, the site was non-functional for approximately 5 days. The hacktivists posted their first video message on the site's pages, stating that the website had been a Russian terrorist site and that they had removed all its confidential information and backups, transferring it to Inform Napalm and the Ukrainian special services. The message also called for solidarity among those from Georgia, Ukraine, and Syria, asking that they support each other in the face of aggression from the Russian Federation.

Operation #OpMay9

On May 9, 2016, the UCA conducted Operation #OpMay9. Nine sites of the Donetsk People's Republic and Russian private military companies were hacked. The broken sites were left with the hashtags #OpMay9 and #oп9Травня, along with three short videos about World War II and Ukrainian contributions to the victory over Nazism – something the UCA described as the "serum of truth". The hacktivists also posted their new video message on the pro-Russian sites they dubbed 'terrorist sites'. The message gave more details on the ANNA News attack, stating that ANNA spread lies against Georgia, Ukraine, and Syria. It also carried a patriotic message for Victory Day, comparing Russian aggression to past enemies, and promised that the information network of "Russian terrorists in Donbass will be paralyzed".

Operation #opMay18

On May 18, 2016, the day of remembrance of the deportation of the Crimean Tatars in 1944, the UCA conducted Operation #opMay18. It targeted the website of the head of the Republic of Crimea, Sergey Aksyonov, posting a fraudulent message pretending to be him:

Channel One hacking

The UCA hacked the website of Pervy Kanal as part of a project to force Russia to stop occupying the Donbass region and fulfill its obligations under the Minsk agreements. Details of Pervy Kanal propagandist Serhiy Zenin's cooperation with Russia Today, a Russian state-owned propaganda network, were also revealed, along with documentation of Zenin's salary and lavish lifestyle. Twenty-five videos of DNR members shooting in the settlement of Nikishine were found in Zenin's cloud storage.

Operation #opDay28

In 2016, on the eve of Constitution Day, the UCA conducted Operation #opDay28. 17 websites belonging to Russian terrorists were hacked to play another Lviv Metro video, which purported to be from the leader of the DNR, O. Zakharchenko:

Hacking of the Russian Ministry of Defense

In July 2016, the UCA hacked the document management server of the Department of the Ministry of Defense of the Russian Federation, and made defense contracts, which were executed during 2015, public. The negligence of Russian Rear Admiral Vernigora Andrei Petrovich largely determined the operation's success. At the end of November 2016, the UCA broke into the Ministry server a second time and obtained confidential data on the provision of the state defence order of 2015–2016. According to analysts at Inform Napalm, the documents indicate that Russia is developing a doctrine of air superiority in the event of full-scale hostilities with Ukraine, citing the amount allocated for maintenance, modernization, and the creation of new aircraft.

Operation #op256thDay

Before Programmer's Day, UCA conducted Operation #op256thDay, in which more than 30 sites of Russian foreign aggression were destroyed. On many propaganda resources, the hacktivists embedded an Inform Napalm video demonstrating evidence of Russia's military aggression against Ukraine.

Operation #OpKomendant

In Operation #OpKomendant, the activists gained access to the mailboxes of 13 regional branches of the "military commandant's office" of the DNR. For six months, the data from the mailboxes was passed for analysis to Inform Napalm volunteers, employees of the Peacemaker Center, the Security Service of Ukraine, and the Special Operations Forces of Ukraine.

Hacking of Aleksey Mozgovoy

In October 2016, the UCA obtained 240 pages of e-mail correspondence of the leader of the Prizrak Brigade, Aleksey Mozgovoy. Judging by the correspondence, Mozgovoy was entirely under the control of an unknown agent with the codename "Diva".

Hacking of Arsen Pavlov

The UCA obtained data from the devices of Arsen "Motorola" Pavlov, leader of the Sparta Battalion, and his wife, Olena Pavlova. In the weeks leading up to his death, Pavlov was alarmed by the conflict with Russian curators.

Surkov Leaks operation

In October 2016, the UCA accessed the mailboxes of Vladislav Surkov, the political advisor of Vladimir Putin, regarding relations with Ukraine. Inform Napalm published the leaked emails in late October to early November. The emails revealed plans to destabilize and federalize Ukraine, and demonstrated high-level Russian involvement from the start of the war in eastern Ukraine. A US official told NBC News that the emails corroborated information the US had previously provided. The authenticity of the emails was confirmed by the Atlantic Council and Bellingcat, and was published by numerous Western news sources. In the aftermath of the leaks, Surkov's chief of staff resigned. Additional emails belonging to people in Surkov's circle were published in early November, detailing Russia's financing of the "soft federalization" of Ukraine, recruiting in the Odesa region, and evidence of funding election campaigns in the Kharkiv region. The emails stated that Yuriy Rabotin, the head of the Odesa branch of the Union of Journalists of Ukraine, received payment from the Kremlin for his anti-Ukrainian activities. On April 19, 2018, the British newspaper The Times published an article stating that the SurkovLeaks documents exposed Russia's use of misinformation about the downing of Malaysia Airlines Flight 17 in order to accuse Ukraine.

Hacking of the DNR Ministry of Coal and Energy

In November 2016, the UCA obtained emails from the DNR's "Ministry of Coal and Energy", including a certificate prepared by the Ministry of Energy of the Russian Federation in January 2016, which detailed the plans of the occupiers for the Donbas coal industry.

FrolovLeaks

Operation FrolovLeaks was conducted in December 2016 and revealed correspondence from Kyrylo Frolov, the Deputy Director of the CIS Institute and Press Secretary of the Union of Orthodox Citizens, spanning the period from 1997 to 2016. The correspondence contains evidence of Russia's preparation for aggression against Ukraine. It also revealed Frolov's close ties with Sergey Glazyev, the Russian president's advisor on regional economic integration, Moscow Patriarch Vladimir Gundyaev, and Konstantin Zatulin, a member of the Foreign and Defense Policy Council, an illegitimate member of the Russian State Duma, and director of the CIS Institute. The letters mention hundreds of others connected with the subversive activities of Russia's fifth column organizations in Ukraine.

Hacking of Luhansk intelligence chief

For some time, UCA activists monitored the computer of the Chief of Intelligence 2 AK of the Russian Armed Forces. This officer sent reports with intelligence obtained from regular Russian unmanned aerial vehicles – Orlan, Forpost, and Takhion – which were also used to adjust artillery fire. Documents have also been published proving the existence of the Russian ground reconnaissance station PSNR-8 "Credo-M1" in the occupied territory. In July 2017, based on the obtained data, additional reconnaissance was conducted on social networks and the Russian UAV Takhion. The surveillance provided evidence of troop movements to the Ukrainian border in August 2014. A list of these soldiers, their personal numbers, ranks, exact job titles, and information on awards for military service in peacetime was published. The operation also determined the timeline of the Russian artillery unit of the 136th OMSBR's invasion in the summer of 2014, from the moment of loading equipment to fortifying in the occupied territory of Ukraine in Novosvitlivka, Samsonivka, and Sorokine.

Hacking of Alexander Usovsky

In February and March 2017, the UCA exposed correspondence between Belarus citizen Alexander Usovsky, a publicist whose articles were often published on the website of Ukrainian Choice, and an anti-Ukrainian backed by oligarch Viktor Medvedchuk. Inform Napalm analysts conducted a study of the emails and published two articles on how the Kremlin financed anti-Ukrainian actions in Poland and other Eastern European countries. The published materials caused outrage in Poland, the Czech Republic, and Ukraine. In an interview with Fronda.pl, Polish General Roman Polko, the founder of the Polish Special Operations Forces, stated his conviction that the anti-Ukrainian actions in Poland and the desecration of Polish monuments in Ukraine were inspired by the Kremlin. Polko said that the information war posed a threat to the whole of Europe and that Russia manipulated the Polish radicals.

Hacking of CIS Institute

An analysis of hacked emails from CIS Institute revealed that the NGO is financed by the Russian state company Gazprom. Gazprom allocated $2 million annually to fund the anti-Ukrainian activities of the CIS Institute. The head of the institute, State Duma deputy Konstantin Zatulin, helped terrorists and former Berkut members who fled to Russia to obtain Russian passports.

Hacking of Russian Foundation for Public Diplomacy

Access to O. M. Gorchakovan's mailbox, an employee of the Russian Foundation for Public Diplomacy, provided insight into the forms of Russia's foreign policy strategy. On the eve of the war, funding for a six-month propaganda plan in Ukraine reached a quarter of a million dollars. Under the guise of humanitarian projects, subversive activities were carried out in Ukraine, Serbia, Bosnia and Herzegovina, Bulgaria, Moldova, and the Baltic States.

Hacking of Oleksandr Aksinenko

UCA activists gained access to the mailbox of Oleksandr Aksinenko, a Russian-Israeli citizen and telephone miner. The correspondence indicates that Aksinenko's terrorist activities are supported by the Russian Federal Security Service, which advised him to "work in the same spirit". Aksinenko also sent anonymous letters to the Security Service of Ukraine and other Ukrainian institutions.

#FuckResponsibleDisclosure flash mob

At the end of 2017, the UCA and other IT specialists conducted a two-month action to assess the level of protection of Ukrainian public resources and to verify whether officials were responsible for information security. Many vulnerabilities were uncovered in the information systems of government agencies. The activists identified and reported these vulnerabilities openly to those who could influence the situation. The activists noted the effectiveness of publicly shaming government agencies. For example, it was discovered that the computer of the Main Directorate of the National Police in the Kyiv region could be accessed without a password, and that 150 GB of information was found on a network drive, including passwords, plans, protocols, and personal data of police officers. It was also discovered that the Bila Tserkva police website had been compromised for an extended period, and only after the volunteers became aware of the issue did the situation improve. The State Service for Financial Monitoring had not updated its servers for 10 years. Activists also found that the website of the Judiciary of Ukraine kept reports of the courts in the public domain. The Kherson Regional Council had opened access to the joint disk. The CERT-UA website had posted a password from one of its email accounts. One of the capital's taxi services was found to keep open information about clients, including dates, phone numbers, and departure and destination addresses. Vulnerabilities were also revealed in Kropyvnytskyi's Vodokanal, Energoatom, Kyivenerhoremont, NAPC, Kropyvnytskyi Employment Center, Nikopol Pension Fund, and the Ministry of Internal Affairs.
The police opened a criminal case against "Dmitry Orlov", the pseudonym of the activist who publicized the vulnerabilities in a flash mob. They also allegedly tried to hack the Orlov website, leaving a message which threatened physical violence if he continued his activities. The activist deleted the website as it had fulfilled its function.

List-1097

UCA activists obtained records of orders to provide food for servicemen of 18 separate motorized rifle brigades of the Russian Armed Forces, who were sent on combat missions during the Russian occupation of Crimea. Inform Napalm volunteers searched open sources of information for the social network profiles of servicemen named in the orders, and discovered photo evidence of their participation in the occupation of Crimea. Records also revealed how troops had been transferred to Crimea, at Voinka.
On January 31, 2017, the central German state TV channel ARD aired a story about the cyber war between Ukraine and Russia. The story documented the repeated cyber attacks by Russian hackers on the civilian infrastructure of Ukraine, and efforts to counter Russian aggression in cyberspace, in particular the Surkov leaks. Representatives of the UCA were portrayed as the heroes of the story.
Former State Duma deputy Denis Voronenkov made statements that Surkov was categorically against the annexation of Crimea. In response, the UCA released photos and audio recordings of the congress of the Union of Donbas Volunteers, from May 2016 in annexed Crimea and November 2016 in Moscow, at which Surkov was the guest of honor.
Volunteers of the Inform Napalm community created a film about UCA's activities called Cyberwar: a review of successful operations of the Ukrainian Cyber Alliance in 2016.

Hacking of the Trigona Ransomware Gang

On October 12, 2023, UCA hacktivist herm1t posted screenshots of a Russian Confluence page, claiming it belonged to a ransomware group. The page ended up belonging to the Trigona ransomware gang, and the UCA exfiltrated data from the threat actor's website. This included the administrator and victim panels, their blog, their leak site, cryptocurrency hot wallets, and data from the development environment, including source code and database records. UCA also managed to map out the group's entire network infrastructure. By the time Trigona noticed and attempted to change their passwords and take their public-facing infrastructure offline, the data had already been exfiltrated. Following exfiltration, UCA deleted all information and defaced Trigona's public-facing websites on October 17.
Three backups of data presumed to be stolen from victims of the Trigona gang were recovered, and UCA pledged to release any decryption keys should they be discovered.