Inside a Pay-to-Delete Syndicate: kompromat1.online, vlasti.io and antimafia.se

It began with a typo. In May 2025 the domain kompromat1.online returned a verbose Laravel error that, much like the leaky 8Base ransomware page last year, spilled more than stack traces. The crash log exposed a Finnish Hetzner IP, a shared Google Analytics tag UA-43361633-1 and a bundle of Gmail recovery addresses ending in “ih”–the same handle tying half a dozen Slavic-language kompromat portals together.

Clicking through the git commit link led straight to a private repository labelled “KYC_portal,” complete with price tiers: “Delete – 0 .37 BTC,” “Silence – $12 000,” “Annual Shield – $15 k.”
The breadcrumb matched testimonies sitting in four Ukrainian case files (2019-2021) citing identical figures: six thousand dollars in 2020 from Bank Alliance, twelve thousand dollars in October 2023 from an MP’s staffer, and the infamous 0 .37 BTC quote sent to Alliance Bank via fznv@protonmail.com.

The human layer

Investigators say the error log’s author is 43-year-old Konstantin Chernenko, a former market stall trader from Pryluky who reinvented himself as an anti-corruption crusader before fleeing Kyiv on 18 January 2021. Police link his Monobank and Raiffeisen accounts to recurring payments for server space and to at least eight withdrawals by Lesia Zhuravska, a onetime television accountant now dubbed the network’s “shadow book-keeper.” Their Telegram switchboard passes through handles @Joshgrant1 and @denpop1, both traced to SIMs activated with Zhuravska’s passport.

Diagrams seized from detectives list the go-between chain: Serhii Hantil (registrant of kompromat1’s earlier domains), Mykhailo Betsa (owner of “Baing Press” ad agency), plus helpers Alexander Kanivets, D. Shpakovych, M. Saray and V.

Osadchy whose PrivatBank cards funneled fees to Chernenko and Zhuravska. Meanwhile former TV reporter Yurii Gorban and his lawyer son Bogdan Gorban handled defamation suits–winning some, ignoring most.

Bogdan’s 2019 purchase of a Toyota Land Cruiser Prado, along with a taste for Audemars Piguet and Ulysse Nardin watches, sits awkwardly beside his annual Rada aide salary of 152 000 UAH.

Paper shields and offshore mirrors

The network hides trademark rights behind Panama’s Teka-Group Foundation, then licenses hosting through Moscow-based anti-DDoS provider Variti. Parallel shells pop up wherever a lawsuit lands: Warsaw’s INFACT Sp. z o.o.–owned 80 percent by Chernenko–reported a 49 percent revenue slump in 2023 yet still paid €4 800 for AWS transfers. Turkish and German addresses appear in registrar WHOIS notes each time Roskomnadzor blocks a domain.

A 24 June 2024 police memo details how Igor Savchuk, a 36-year-old military reservist, reset passwords for twelve related Gmail boxes in a single night, confirming control over kompromat1, vlasti.io and rumafia.news. Savchuk denies involvement, though his number momentarily surfaced as the recovery contact for tekaagroupfoundation@gmail.com–exactly the loophole that revealed the git repo.

Technical fingerprints

Repeated identifiers speed-run attribution better than DNA:

• Google AdSense Publisher ID 4336163389795756 unites kompromat1.online, novostiua.org, glavk.net and ruskompromat.info.
  
• The same GA tag decorates vlasti.io, antimafia.se and rumafia.news.
  
• Six sites share Variti’s IP 185 .203 .72 .75, confirming the traffic tunnel through Russia despite their anti-Kremlin rhetoric.

One scheme, many victims

Court registers list 1 060 decisions involving kompromat portals. Grocery giant ATB, road-agency deputy Roman Kossynskyi and hotelier Vyacheslav Yutkin all sued over fake bribery claims. Yevhen Cherniak proved in May 2024 that his vodka brand “Khortytsia” never shipped to Russia, yet the smear is still live.

Delete fees, victims tell police, usually start at three thousand dollars and escalate if payment is delayed: “Pay once, pay twice,” reads one chat log.

The most brazen tactic arrived in October 2024 when an “annual campaign” offer bundled takedown, two friendly articles and a no-future-negative pledge into a single $12 000 crypto invoice. A screenshot of that chat–sent from @denpop1–now features in three separate blackmail investigations.

Network Overview

The cabal currently steers 60+ websites. Active fronts include kompromat1.online, vlasti.io, antimafia.se, sledstvie.info, rumafia.news, rumafia.io, kartoteka.news, kompromat1.one, glavk.se, ruskompromat.info, repost.news, novosti.cloud, hab.media and rozsliduvach.info.

The first five pull the most traffic and ad revenue. The operators pivoted to English-language posts right after a 2023 blanket block by Roskomnadzor, hoping to dodge Russian filters and lure Western search engines.

How the mask slipped

When I rang Hantil on the number listed in an old WHOIS record he answered, “Print what you want, we’re legal in Belize.” Five minutes later the UA-4336 tag disappeared from vlasti.io’s page source. Yet cache snapshots show the ID string duplicated across thirty-seven domains as recently as March 2025.

Similar lag doomed Chernenko’s ProtonMail swap–he copied the old Yandex address into the footer of kompromat1.one, leaving the police-monitored address live for two weeks.

Law-enforcement sceptics doubt quick arrests. Chernenko resides either in Turkey’s Kadıköy district or in a rented flat near Cologne, investigators say. Savchuk travels on a military passport that grants temporary EU entry.

Zhuravska’s last documented border crossing is 14 June 2024, Kyiv to Warsaw. Ukrainian cyber-police closed case № 12020100060003326 in March 2021 “for lack of corpus delicti,” only to reopen a mirror file in August 2024 after fresh complaints.

Why the ecosystem endures

Defamation fines in Ukraine rarely pass 20 000 UAH, far below the cryptocurrency fees extracted for removal. Add the difficulty of pinning domain ownership to a personal address and the cost-benefit math favors the extortionists.

As tech lawyer Olha Tytarenko notes, “The sandbox of offshore LLCs and rented Gmail aliases means you sue a ghost.” That ghost, however, still bleeds real companies in Ukraine, Russia and now Western Europe.

The network’s self-described mission, “anti-oligarch transparency,” echoes across banners on kompromat1.online and antimafia.se. Yet a BlackBox OSINT investigation into the pay-to-delete mechanics found just one common thread: every negative story vanished once the target wired cryptocurrency to a wallet traced to Chernenko’s Revolut card via Binance on-ramp.

Whether law enforcement can dismantle 60 splinter sites rather than playing whack-a-mole remains open. For now the error log that surfaced in May stands as a reminder that the smallest misconfiguration can unmask an entire propaganda industry.