How Russia rebuilt hacker gangs to attack the West, leading to a US indictment

St. Basil’s Cathedral, right, and the Savior Tower on the Kremlin walls are seen at twilight from Red Square in Moscow, Russia. (Photo: Peter Turnley / Corbis / VCG via Getty Images; Collage: The Kyiv Independent)
Muleshoe, population 5,000, sits in the Texas Panhandle, next to the New Mexico state line, and about as far away from Ukraine as anywhere can be.
A small, arid town linked to the outside world by a patchwork of county roads and a smattering of private airports for single-engine planes, it’s about an hour's drive away from the nearest metropolises of Lubbock or Amarillo, and two hours away from Roswell, New Mexico.
One could say that Muleshoe is prime territory for cowboys looking to ranch, aliens looking to abduct, and, as it happens, Russians looking to hack.
On Jan. 18, 2024, the delicate water supply in this arid little town started overflowing, spilling over its tanks, unnoticed and in defiance of the automated industrial software that told the intake supply lines when to shut off.

Like removing the float from the back of a toilet tank, someone had remotely disabled the sensor that told Muleshoe's tanks that they were already full, allowing water to keep flowing. Local authorities only publicly acknowledged the incident after CNN broke the story three months later. City officials blamed "a third-party vendor’s remote log-in system."
A Telegram channel under the name "CyberArmyofRussia_Reborn," or CARR, posted videos showing the interfaces it was using to direct the water in Muleshoe and elsewhere, in incidents the Environmental Protection Agency said involved hundreds of thousands of gallons of drinking water.
Since the full-scale invasion of Ukraine, Russia's "reborn" cyber activities have moved away from financially motivated hacking such as ransomware and towards purely destructive acts across the West — a form of sabotage or digital terrorism targeting poorly guarded systems anywhere, threatening to flood even the deserts of West Texas.
On the other side of the world, sometime between Nov. 8 and 9, 2024, 33-year-old Victoria Dubranova, a digital designer and, according to her social media, an avid cat lover, vanished while traveling by bus from her hometown of Dnipro, Ukraine, on the way to Poland, according to a post on her Instagram account purporting to be from her husband.
Dubranova would reappear just over a year later, the sole defendant in physical custody when the U.S. Justice Department unsealed charges of cybercrime and conspiracy against her and eight Russian coders and hacking organizers behind a series of attacks — including on Muleshoe.
"CARR, also known as Z-Pentest, was founded, funded, and directed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU)," the Justice Department said in its announcement.
Dubranova will face the U.S. District Court in California for the first time in public on Feb. 3. The case is a major battle in the cyber war with Russia, in part because prosecutors have a person physically on hand for a U.S. federal evidence-gathering process.
Russia’s notorious hacker groups have caused plenty of international destruction since at least the 90s, long operating with at least the tacit consent of local law enforcement as long as they ponied up for periodic shakedowns. They were, however, primarily businesses, albeit extortionary.
The recent case exposes how the Russian government and its intelligence agencies have taken direct control of the domestic hacker ecosystem, coordinating "hacktivists" inside the West to target Russia's enemies.
"These are not simply patriotic volunteers operating independently, but actors that can receive support, protection, or direction from the state when it serves Moscow’s interests," Ari Redbord, a former advisor at the Treasury and assistant U.S. attorney for the District of Columbia, told the Kyiv Independent.
Courtroom decryption
The Kyiv Independent reached out to Dubranova for comment but received no reply. Her legal team has not been identified in the court docket as of publication time.
The initial investigation into the Muleshoe case quickly turned up the CARR Telegram channel gloating over a video post of the attack. While this was bad OpSec, it was important advertising.
Before CARR got into civil de-engineering, its members started off in wide-scale Distributed Denial of Service, or DDoS, attacks.
A DDoS attack at its most basic level overwhelms a website with too much traffic. Politically motivated groups are fond of DDoSing in particular because even clumsy DDoS code can shut down a public website or digital service if enough people are running it, a phenomenon that the Kyiv Independent has fallen victim to in the past.
CARR's members conducted at least two years of DDoS attacks, ranging, according to the Justice Department's timeline, from hits on Swiss financial institutions in June 2023 to a series of strikes on the Netherlands amid the June 2025 NATO summit in The Hague.
Part of the administrators' work was guiding members on running the code that a separate but overlapping set of coders by the name of NoName057(16) maintained on a central GitHub repository.
In July, Europol searched homes, took a hundred servers offline, and arrested two alleged administrators of NoName057(16).

Dubranova, the Justice Department alleges, made digital content for these hacktivist channels, an "animated recruitment video showing that 'anyone can become a volunteer for DDoSia Project.'" These channels kept members well outside of Russia running their DDoS code, with digital content like Dubranova's as well as the promise of cryptocurrency rewards if they contributed their processing power to the most campaigns. That mass of public participation in these hacks also facilitated a degree of anonymity, or at least identity laundering for directed Russian operators within a horde of "activists."
Identifying the real people responsible is therefore complicated. Ukrainian intelligence and OSINT firm Molfar began investigating CARR out of self-defense following a series of attacks on its site in early 2024. Their first task was simply identification.
"When it came to this attack on us, we revealed that it was precisely these hacker groups — CyberArmyofRussia_Reborn and NoName — who were involved," Viktoriia Samoilenko, a senior OSINT analyst at Molfar, told the Kyiv Independent. "When we looked deeper into them, we revealed that these hackers had repeatedly been mentioned in different attacks on government and commercial sites of Ukraine, the U.S., Denmark, Poland, Great Britain, and several other European countries."
The combination of Telegram, GitHub, and VPNs let organizers stay anonymous. Fortunately for Molfar, CARR/NoName/DDoSia administrators shared useful bits of personal information and even photos on these public channels, which allowed Molfar to identify many of them well before any indictments. This oversharing was, Samoilenko said, partially due to the need to spread the word, proselytizing Kremlin ideology to these Telegram groups.
"This distribution of Russian hacker software and the creation of these communities, in our opinion, is a way of spreading their hacking and generally their ideological network," said Samoilenko. "It's also a way of influencing and recruiting foreigners."
Those attacks are alarming enough that the U.S. government has accelerated investigations.
"Critical infrastructure is a huge national security priority for us," a former U.S. government official who asked not to be named told the Kyiv Independent. "To the extent of the capacity of the USG (U.S. Government), attacks on U.S. critical infrastructure — that's at the very top of the list."
Investigating and prosecuting cybercriminals from anywhere is tricky. Russia, where almost all of CARR and NoName's administrators remain at large, is a black box, particularly as groups like these have become critical to the Kremlin's gray power, especially intimidation, abroad.
The GRU connection
The U.S. indictment is unusually clear in calling these seemingly crowd-sourced cyber groups state-sponsored and organized.
"An individual operating as ‘Cyber_1ce_Killer,’ a moniker associated with at least one GRU officer, instructed CARR leadership on what kinds of victims CARR should target, and his organization financed CARR’s access to various cybercriminal services, including subscriptions to DDoS-for-hire services," the Justice Department wrote.
"In Russia, there are no hacktivists, only agents," Mykyta Knysh said. Knysh worked for the Security Bureau of Ukraine's digital defenses starting shortly before the Euromaidan and continuing through the end of the Poroshenko administration. Today he heads HackYourMom, which advises Ukrainians on cybersecurity and sometimes organizes its own DDoS attacks on Russian targets.
"NoName(0)16 has curators from Olgina, and bot creators," said Knysh, referring to the neighborhood in St. Petersburg that hosted the Internet Research Agency. "They are not scary, but they may be efficient in spreading propaganda because they get some real dummies from the European Union involved."
These hacking groups have no strict boundaries, letting them move from one name or modus operandi to another fluidly. The Justice Department is on the hunt for a CARR offshoot called Sector16, for one example.
Most are much less fearsome — and competent — than the mental image that "Russian hacker" conjures up, Knysh said.
"My opinion is that Sector 16 is a group of idiots. Like, in university they create a training course for future hackers and they've got their own curator from the FSB," Knysh said. "Russian intelligence starts these departments in universities, and they say, ‘Who wants to get an A in cybersecurity? If you hack something in the European Union, we'll give you an A.'"
Far scarier than DDoSing are the newer industrial and infrastructural attacks, says Jake Dixon, an Irish cybersecurity specialist based in Estonia. Many Supervisory Control And Data Acquisition, or SCADA, systems that control physical processes are visible on the clearnet once you penetrate certain protocols, he explained.

A Russian intelligence group known as Sandworm is the most famous perpetrator, blowing up Ukrainian power transformers using code as far back as 2014.
CARR and its ilk are not in the same league, but they make up for it by identifying a vast range of industrial systems that may not even require a password to operate.
"I inspect these systems on almost a weekly basis," Dixon told the Kyiv Independent. "These systems are incredibly exposed to the Internet and the damage that they can do from remote connections — these systems should never be connected to the internet."
Online openings cut the digital distance between St. Petersburg and West Texas, but they do not help law enforcement reach through in the opposite direction. Barring extradition treaties with Russia, Western authorities looking to shut down hacker groups like CARR have to attack the networks of digital businesses surrounding them.
"The principle of the work is that by unmasking these folks and making it harder for them to move money, making it harder for them to recruit the key skill sets that they need in order to facilitate their operations within these networks, that causes them to do things like have to go to Poland to meet with the specific person they need in order to continue to run the network," the former U.S. government official told the Kyiv Independent.
The range of industrial systems that today link to the internet and therefore need protecting is, however, daunting, as is the continued freedom of many of Dubranova's coworkers. Her first hearing in the NoName case begins on Feb. 3, with CARR prosecution beginning on April 7. She has pleaded guilty in both.
While Europol made arrests in the NoName case months ago, U.S. district courts publish much more case information. The discovery process promises to shine new light on the operations of these shadowy Russian state-backed cyber attackers.
"The thing that keeps me up most at night is 'how many of these systems are they going to find and how many people's lives are going to be damaged?'" said Dixon. "I have found barometric chambers they keep people in to control atmospheric and oxygen levels, which can be adjusted from the internet without authentication."









