Getting bored of cyberwar: Exploring the role of civilian participation in the Russia-Ukraine cyber conflict


There has been substantial commentary on the role of cyberattacks, hacktivists, and civilian participation in the Russia-Ukraine cyber conflict. Drawing on a range of data sources, we argue that the widely-held narrative of a cyberwar fought by committed civilians and volunteer ‘hacktivists’ linked to cybercrime groups is misleading. We collected 281k web defacement attacks, 1.7M reflected DDoS attacks, and 441 announcements (with 58k replies) of a volunteer hacking discussion group for two months before and four months after the invasion. To enrich our quantitative understanding, we conducted interviews with website defacers who were active in attacking sites in Russia and Ukraine during the period. Our findings indicate that the conflict briefly but significantly caught the attention of the low-level cybercrime community, with notable shifts in the geographical distribution of both defacement and DDoS attacks. However, the role of these players in so-called cyberwarfare is minor, and they do not resemble the ‘hacktivists’ imagined in popular criminological accounts. Initial waves of interest led to more defacers participating in attack campaigns, but rather than targeting critical infrastructure, there were mass attacks against random websites within ‘.ru’ and ‘.ua’. We can find no evidence of high-profile actions of the kind hypothesised by the prevalent narrative. The much-vaunted role of the ‘IT Army of Ukraine’ co-ordination group is mixed; the targets they promoted were seldom defaced although they were often subjected to DDoS attacks. Our main finding is that there was a clear loss of interest in carrying out defacements and DDoS attacks after just a few weeks. Contrary to some expert predictions, the involvement of civilian and volunteer `hacktivists’ in the conflict appears to have been minor and short-lived; it is unlikely to escalate further.