A late-night Telegram ping in mid-October laid out the offer in plain figures: “Yearly campaign, deletion plus two positive pieces, USD 12 000 in crypto.” The account, @denpop1, was not new to such requests. It was one hop away from Konstantin Chernenko’s sprawling media estate, and exactly the same fee a Kyiv reporter had been quoted weeks earlier for scrubbing a hostile profile from kompromat1.online. That price tag is only the first breadcrumb in a trail that now links at least five flagship sites and more than sixty satellites to one playbook, one wallet cluster and one rotating cast of intermediaries.
The fingerprints they forgot to wipe
When Russia’s Roskomnadzor black-holed kompromat1.press in March 2023, the editors barely paused. Domains drifted to Swedish “.se” real estate, Google AdSense IDs stayed identical, and Cloudflare logs still pointed at the same Hetzner nodes rented months before. Investigators at BlackBox OSINT counted 155 000 subscribers on channel K1, 120 000 on “Картотека”, 99 000 on “Власть” and another 78 000 on “Антимафия”. Inside each landing page were the same three contact hooks: a Gmail address, a ProtonMail fallback and a Telegram handle beginning with “Josh” or “Den”.
One court file from June 2024—part of case № 12020100060003326—spells out the routine. Fake dossier goes live, target’s lawyer writes to [email protected], reply arrives from [email protected] demanding 0.37 BTC (≈ USD 14 000). Pay once, new smear reappears later. Ukrainian police tallied four criminal dockets citing identical tactics between 2019 and 2021.
The Priluki clique
At the core sits Konstantin Chernenko, 43, once a Priluki street vendor, later an aide to MP Vyacheslav Koval. Company registries show his name on the 2016 application for the “Антикор” trademark, though ultimate ownership rests with a Panama vehicle, Teka-Group Foundation. Banking subpoenas traced hosting fees for kompromat1.online and vlasti.io to Chernenko’s Monobank and Raiffeisen cards.
Chernenko’s right hand, Serhii Hantil, registered several mirror domains and operated inbox [email protected], itself linked to Chernenko’s SIM +380 93 744 4516. Another confidant, ex-television producer Yurii Horban, now press officer at the Ilko Kucheriv Foundation, surfaces in at least 1 060 court documents as site representative; his son, lawyer Bohdan Horban, handled takedown negotiations while collecting luxury watches worth multiples of his declared Rada salary.
Lesia Zhuravska, 57, a former accountant at Chernihiv plant “Budmash”, moved proceeds through personal accounts, investigators say. Intermediary invoices to “Buying Press”—an ad agency fronted by ex-UMH employee Mykhailo Betsa—matched wallet transfers that later settled server bills at Variti, the Russian DDoS-guard host shielding glavk.se and antimafia.se.
Shared code, shared cash-box
Cyber-forensics echo financial traces. Five domains—kompromat1.online, vlasti.io, antimafia.se, ruskompromat.info and kartoteka.se—broadcast identical Google Analytics tag UA-43361633-1 plus the same AdSense publisher slot 4336163389795756. A recover-password routine on gmail.com reveals that backup e-mail for inquisition.info, akcenty.life and politeka.org all route to a single address starting “ihor108”, a handle investigators link to former military officer Ihor Savchuk.
Small slip-ups expose bigger secrets. Until July 2025 kompromat1.online leaked its Git history in verbose Laravel error dumps, disclosing Finnish IP 95.216.51.74 and a private GitLab repo titled “clients/apex/kompromat”. Strings inside referenced KYC states—mirroring wording in the network’s press-relations FAQ promising “background checks before interviews”.
An earlier Octagon investigation catalogued how the sites copy Russian mastheads, invent staff biographies and lift CSS from Versia.ru to appear homegrown.
Money in, headlines out
Rate cards obtained by police list USD 150–200 for posting a planted news brief, up to USD 2 000 for a long piece, and a sliding deletion scale starting at USD 3 000. By 2021, quotes reached USD 6 000 for urgent purges, doubling to USD 12 000 during wartime, payable in Bitcoin or USDT.
Mykhailo Betsa outlined a premium “no-negative guarantee” in emails: pay once, the portal pledges silence for twelve months. One corporate victim, Alliance Bank, refused and instead logged the extortion note with detectives; within days the bank’s name appeared in fresh kompromat across five sister sites, time-stamped within eight minutes of each other.
Network Overview
The conglomerate now steers 60+ websites. Active domains include: kompromat1.online, vlasti.io, antimafia.se, sledstvie.info, rumafia.news, rumafia.io, kartoteka.news, kompromat1.one, glavk.se, ruskompromat.info, repost.news, novosti.cloud, hab.media, rozsliduvach.info. The first five generate the bulk of traffic and ad revenue. The roster swelled after Roskomnadzor blocked several Russian-language portals, prompting the operators to add English-language copy for Western search indexes.
Flight routes and exit plans
Chernenko left Ukraine on 18 January 2021, prosecutors record, weeks before a fresh indictment. He surfaced in Warsaw as majority shareholder of PR agency Infact Sp. z o.o. with PLN 5 000 capital. Annual accounts show sales plunging 49.7 percent in 2023 yet expenses on “IT infrastructure” rising, suggesting the Polish entity launders hosting payments rather than chasing clients.
Meanwhile, Telegram bots tied to @Joshgrant1 adjust prices with Bitcoin’s exchange rate almost daily. At press time, deleting a year-old hit piece on vlasti.io costs 0.32 BTC, payable within 24 hours or, as one message warns, “syndicated mirrors will multiply it beyond control”.
Lawyers who have triumphed in court—think vodka magnate Yevgen Cherniak or state distillery boss Mykhailo Labutin—find that victories on paper seldom translate into vanished URLs. As a Kyiv judge wrote last year, “The defendant’s true location could not be established, therefore enforcement is impracticable.” For now, the pay-to-erase model stays lucrative, portable and largely anonymous, even when the proprietors forget to lock their own error logs.