
IT Army of Ukraine


The IT Army of Ukraine is a crowdsourced volunteer cyber force formed on February 26, 2022, by Ukraine's Minister of Digital Transformation to conduct offensive operations against Russian digital infrastructure amid Russia's full-scale invasion of Ukraine. Comprising IT professionals and hackers from Ukraine and abroad, the group operates primarily through coordinated distributed denial-of-service (DDoS) attacks, website defacements, and disruptions to state, , financial, and targets in .
The initiative began with Fedorov's public call via for cyber specialists to join a Telegram channel, rapidly mobilizing thousands of participants who receive operational tasks such as targeting specific domains. While initially open to amateurs via user-friendly tools, it evolved into a hybrid structure blending global volunteers with professional units collaborating with Ukrainian intelligence for higher-impact actions, including strikes on systems and occupied territories' networks. Notable successes include temporarily disabling for over 200,000 Russian residents, halting banking services, and knocking offline dozens of sites, contributing to Ukraine's asymmetric without relying on scarce state resources. Despite its effectiveness in democratizing cyber operations and imposing costs on Russian entities, the IT Army faces criticism for targeting civilian infrastructure like banks and delivery services, raising questions of proportionality under international humanitarian law, and exposing international volunteers to potential prosecution for unauthorized hacks. Western officials have cautioned amateurs against participation due to legal risks in their home countries, while Russia labels the group a criminal entity; nonetheless, its model represents a novel state-augmented volunteer approach to cyber conflict, blending with official coordination.

Historical Context and Formation

Pre-Invasion Cyber Landscape

Prior to Russia's full-scale invasion of Ukraine on February 24, 2022, the cyber domain featured persistent Russian offensive operations against Ukrainian infrastructure, dating back to the 2014 annexation of Crimea. These efforts, often attributed to state-sponsored groups like Sandworm (linked to Russia's GRU), aimed at disruption, espionage, and hybrid warfare support, with limited strategic concessions achieved despite tactical successes. Ukrainian responses emphasized defensive resilience, including attribution via CERT-UA and regulatory frameworks, amid escalating threats from 2021 onward. Early incidents included a March 13, 2014, DDoS attack lasting 8 minutes to undermine networks ahead of the referendum, and a May 2014 operation by pro-Russian CyberBerkut hackers targeting the , which deleted files but failed to alter results, merely delaying vote counts. In December 2015, Sandworm's malware caused power outages affecting over 230,000 consumers in for 1-6 hours, marking one of the first confirmed cyber-induced . A 2016 attack disrupted a Kyiv substation, resulting in a 1-hour . The June 2017 NotPetya wiper malware, deployed via Ukrainian accounting software, infected 13,000 devices including the Chornobyl nuclear plant's systems, causing $10 billion in global damages across 65 countries while originating in Ukraine; Russian military intelligence was widely attributed as the perpetrator. Later efforts included a 2018 attempt to compromise a chlorine distillation station serving 23 provinces, and 2021 attacks damaging the State Security Service's electronic systems and websites. Pre-invasion escalation featured destructive malware like HermeticWiper targeting government and financial entities for data wiping, alongside January 2022 WhisperGate attacks defacing approximately 70 government websites. These operations prioritized infiltration over physical destruction, rarely exceeding moderate severity on impact scales. 
Ukraine's cyber defenses evolved reactively post-2015 BlackEnergy, establishing the National Cybersecurity Coordination Centre under the National Security and Defence Council, alongside the State Service of Special Communications and Information Protection (SSSCIP) managing CERT-UA for incident response. The 2016 National Cybersecurity Strategy and 2017 Law formalized coordination across entities like the Security Service of Ukraine (SBU) for counter-espionage and the Ministry of Defence for military integration. Key enhancements included the SBU's Cybersecurity Situational Centre, SSSCIP's sensor network, and the 2018 MISP platform for threat sharing; the National Bank's CSIRT-NBU bolstered financial sector protections. A 2021 National Security and Defence Council decision initiated formal cyber forces within the armed services, complemented by a December 2021 national cyber readiness exercise and January 2022 emergency planning, with NATO and private sector support aiding resilience against anticipated aggression.

Establishment and Initial Mobilization

The IT Army of Ukraine was officially launched on February 26, 2022, two days after Russia's full-scale invasion of Ukraine commenced on February 24. Fedorov, serving as Ukraine's Vice Prime Minister and Minister of Digital Transformation, announced the initiative via Telegram, urging IT specialists, developers, cyber experts, and hackers to enlist in a volunteer force aimed at conducting offensive cyberattacks against Russian targets and defending digital infrastructure. This call to action built on prior discussions between Fedorov and IT entrepreneur Aushev, who helped coordinate the early assembly of approximately 1,000 to 1,500 domestic IT professionals. Mobilization occurred primarily through a public Telegram channel (@itarmyofukraine2022), where subscribers could join by simply tapping the link shared in Fedorov's announcement. The channel served as the central hub for recruitment and task distribution, attracting a rapid influx of volunteers that exceeded 175,000 subscribers within days of launch. By early March 2022, membership had swelled to around 300,000, encompassing Ukrainian IT workers, international supporters, and amateur participants alongside professionals. The ad-hoc structure emphasized crowdsourced participation, with initial tasks focusing on distributed denial-of-service (DDoS) operations against listed entities, such as websites and firms, to disrupt enemy capabilities without requiring advanced technical vetting for entry-level roles. Supported by the Ukrainian and defense entities, this volunteer framework marked a novel government-endorsed cyber approach, prioritizing speed and scale over formal military integration.

Organizational Structure

Leadership and Governance

The IT Army of Ukraine was publicly established on February 26, 2022, by Fedorov, then Ukraine's Vice Prime Minister and Minister of Digital Transformation, who issued a call via Telegram for global IT specialists and hackers to volunteer for cyber operations against Russian targets in response to the full-scale invasion. This initiative positioned the group as a government-coordinated but volunteer-driven entity, with tasks disseminated through an official Telegram channel (@itarmyofukraine2022) and an email address for operational directives. Lacking a conventional hierarchical command structure, the IT Army functions as a decentralized of autonomous cells comprising both volunteers and hackers, enabling rapid task execution but complicating formal and oversight. Coordination relies on crowdsourced participation, where volunteers self-select targets from prioritized lists—often focusing on financial, , and governmental —and report outcomes via gamified leaderboards on Telegram to incentivize engagement. This ad-hoc model blends elements of state direction with civilian initiative, forming a hybrid entity that operates outside traditional chains while aligning with Ukrainian national , though it raises legal questions regarding volunteer status under international armed conflict norms. Public representation of the group has been handled by spokespersons such as "," who in a 2024 interview described its evolution from DDoS-focused efforts to supporting physical operations like drone strikes on Russian oil refineries, underscoring operational adaptability without revealing centralized decision-making. Zhora, head of Ukraine's Service of Special Communications and Information Protection, has referenced the group's offensive activities in official statements, indicating informal ties to state cyber entities but no direct . 
Governance transparency remains limited, prioritizing security amid ongoing hostilities, with volunteers operating under implied government sanction rather than explicit enlistment protocols.

Volunteer Recruitment and Composition

The IT Army of Ukraine recruits volunteers through an open, decentralized process initiated by Ukraine's on February 27, 2022, when Vice Prime Minister issued a public call via Telegram and for IT specialists worldwide to join cyber operations against Russian targets. Prospective members are directed to subscribe to the group's primary Telegram channel (@itarmyofukraine2022), where operational tasks—such as launching DDoS attacks—are posted with step-by-step instructions and downloadable tools like specialized botnets or scripts. No formal application, background checks, or eligibility screening is required, enabling immediate participation but relying on self-selection among those with basic technical aptitude. The composition of the IT Army consists primarily of civilian volunteers possessing varying degrees of IT and cybersecurity expertise, including professional developers, ethical hackers, students, and self-taught amateurs motivated by opposition to the . While rooted in Ukraine's domestic tech sector, the group draws international participants from , , and select individuals from and , reflecting a crowdsourced model that has attracted subscribers from countries despite potential legal risks in their home jurisdictions. Estimates of total involvement vary, with the Telegram channel reaching over 311,000 subscribers by March 2022 and Ukrainian officials citing around 215,000 members by November 2022, though active operational contributors number in the thousands due to the informal structure. Volunteers are loosely organized into offensive units focused on disruptive attacks and defensive units aiding in cyber protection, with participation often part-time alongside regular employment or studies. 
The decentralized nature accommodates a broad skill spectrum, from advanced coders contributing to novices executing pre-configured DDoS scripts, though this has led to critiques of inconsistent effectiveness and coordination challenges in scaling beyond basic operations.

Objectives and Operational Framework

Stated Goals

The IT Army of Ukraine was established on February 26, 2022, by Ukraine's Vice Prime Minister and Minister of Digital Transformation Fedorov, who publicly called for "digital talents" worldwide to join in forming a aimed at countering Russian digital intrusions into Ukrainian . Fedorov emphasized continuing the "fight on the cyber front," positioning the group as a mechanism to hold the digital frontline while Ukraine's regular cyber defense units focused on immediate national protection. The group's explicitly stated objectives center on offensive cyber operations against Russian targets, including disrupting access to , military, financial, and propagandistic websites deemed supportive of 's . Tasks distributed via the official Telegram channel prioritize denial-of-service attacks to impair operational continuity of these resources, alongside where feasible, with the intent of imposing economic and informational costs on equivalent to battlefield disruptions. Fedorov framed these efforts as integral to national defense, asserting that " is a frontline of the , and victories there are as important as in actual battlefields." No broader ideological or non-cyber aims, such as in , have been officially articulated by the initiators.

Target Prioritization and Strategy

The IT Army of Ukraine prioritizes targets based on their perceived contribution to Russia's , focusing on entities that facilitate economic support, dissemination, or logistical operations. Selection is coordinated by an in-house team, potentially involving government ministries and intelligence, with input from community curators who assess strategic impact such as disrupting financial flows or capabilities. Early prioritization employed a tiered system documented in internal , designating Tier 1 for high-value financial infrastructure like Russian banks (e.g., ) and payment processors (e.g., Mirconnect), while Tier 2 included ancillary online services such as tellers (e.g., cse.ru). Target announcements occur via the group's Telegram channel, which initially listed 31 Russian state and business websites on February 26, 2022, and has since expanded to hundreds, including ad hoc selections like the EGAIS system for blocking alcohol distribution to Russian forces. Sectoral distribution reflects this focus: public administration sites comprised 43% of attacks, followed by information and media outlets at 21% (e.g., TASS, RuTube for propaganda), and finance at 14% (e.g., Gazprombank). Criteria emphasize dual-use civilian infrastructure—such as utilities (e.g., Loesk electrical grid, targeted October 2022) and stock exchanges (Moscow Stock Exchange, February 2022)—deemed to indirectly sustain military logistics, though Ukrainian officials assert attacks are limited to military-linked objectives. Strategically, the group employs crowdsourced distributed denial-of-service (DDoS) attacks as the core tactic, leveraging volunteer "sofa hackers" (approximately 65,000 active in May 2022) equipped with open-source tools like db1000n and Liberator to overwhelm targets persistently. 
This approach aims to achieve psychological and economic by diverting Russian cybersecurity resources and eroding public confidence, rather than kinetic destruction, with leaderboards on the group's site incentivizing participation through . By June 2022, operations evolved into a dual structure: public volunteer DDoS campaigns alongside a private, state-managed unit for advanced tactics, narrowing focus exclusively to Russian targets post-initial Belarusian diversions. Verified disruptions from 58 of 151 attacks between 2022 and 2023 underscore the strategy's emphasis on volume over sophistication to amplify non-kinetic pressure.

Key Operations and Tactics

Initial DDoS Campaigns (2022)

The IT Army of Ukraine initiated its operations on February 26, 2022, following a public call by Ukrainian Deputy Prime Minister via Telegram, urging volunteers to conduct distributed denial-of-service (DDoS) attacks against digital infrastructure in response to the ongoing invasion. This marked the group's first coordinated campaign, targeting an initial list of 31 entities, including government agencies, banks such as , and corporate sites like the Stock Exchange. The effort mobilized an estimated 1,000–1,500 Ukrainian IT specialists initially, leveraging crowdsourced participation to overwhelm targets with traffic. Early campaigns relied on open-source DDoS tools distributed via GitHub repositories and Telegram channels, including db1000n for generating botnet-like traffic and MHDDoS for multi-protocol floods. On February 27, 2022, the group expanded to 43 Belarusian websites, aligning with perceived support for Russian operations. By early March, volunteers released the Liberator tool on March 4, enhancing offensive capabilities alongside defensive software like disBalancer, which had been developed pre-invasion. These attacks disrupted access to targeted sites, with reports of temporary shutdowns for financial and state media platforms, though Russian countermeasures often restored services within hours. The campaigns prioritized civilian infrastructure perceived as enabling the war effort, such as banks (e.g., ) and regulatory systems (e.g., EGAIS for distribution), rather than purely military assets. Participation grew rapidly to hundreds of thousands by late 2022, coordinated through public task lists updated via Telegram, emphasizing low-barrier entry for non-experts using pre-configured scripts. While effective in causing short-term outages, the DDoS approach yielded limited strategic impact amid Russia's fortified defenses, serving primarily as a morale booster and symbolic resistance.

Evolving Methods and Later Attacks

As operations progressed beyond the initial distributed denial-of-service (DDoS) campaigns of early 2022, the IT Army of Ukraine developed proprietary tools to enhance attack efficacy and anonymity, including MHDDoS_proxy and Distress software hosted on GitHub, along with automated Telegram bots introduced in June 2022 for coordinating cloud-based DDoS efforts. These advancements allowed for personalized attack statistics tracking starting October 1, 2022, and a user leaderboard implemented in February 2023 to incentivize participation. By mid-2022, the group had bifurcated into a public-facing arm for mass DDoS mobilization and a private in-house team, reportedly involving Ukrainian defense and intelligence personnel, which shifted toward more intrusive methods such as website defacements, data breaches, doxing, and limited wiper operations. Later attacks incorporated these evolved tactics against critical Russian infrastructure. In May 2022, the group breached the video platform, accessing systems to nearly delete its content library. September 2022 saw of the Rossgram alongside leaks of data from the Right Line service. October 2022 operations targeted the LOESK power grid operator, resulting in reported outages across , and , disrupting its website, SMS services, and call centers through IP pool attacks. Defacements and data deletions extended to broader civilian and media targets, often focusing on .ru domains to amplify psychological effects. Into 2023 and 2024, methods integrated with kinetic operations, including efforts to disable surveillance systems ahead of Ukrainian drone strikes on Russian oil refineries, leveraging DDoS and access disruptions to neutralize CCTV feeds. In June 2024, the group executed a major DDoS campaign against Russia's Mir payment system and associated banks, claiming it as one of the largest such attacks to date by overwhelming financial transaction infrastructure during heightened economic events like the St. Petersburg International Economic Forum. These operations prioritized logistics, energy, and financial sectors, with ongoing defacements and leaks aimed at eroding Russian operational resilience, though independent verification of full-scale impacts remains limited due to the group's opaque reporting.

Technical Tools and Approaches

The IT Army of Ukraine relies on crowdsourced distributed denial-of-service (DDoS) attacks as its core technical approach, leveraging volunteer-operated software to generate overwhelming traffic against Russian-linked websites and infrastructure. Volunteers are instructed via Telegram channels to download and execute pre-packaged tools that perform HTTP/HTTPS floods, application-layer exploits, and amplification techniques, effectively turning participants' devices into a decentralized attack network without requiring a traditional botnet compromise. This method democratizes participation, allowing non-experts to contribute by simply running scripts on personal computers or servers, though it limits sophistication compared to state-sponsored operations. Primary tools include MHDDOS Proxy, a Python script developed specifically for the group, which proxies requests to targets while supporting multi-threaded flooding and method randomization (e.g., GET, POST) to evade basic defenses. Another key application is DB1000N ("Death by 1000 Needles"), implemented in Go for cross-platform efficiency, focusing on generating diverse, low-volume streams that cumulatively exhaust resources through techniques like slowloris variants and randomized payloads. Additional utilities such as Distress and uaShield provide supplementary capabilities, including traffic obfuscation and proxy chaining, enabling sustained attacks without immediate IP blacklisting. These tools were enhanced from open-source predecessors by Ukrainian cybersecurity volunteers, prioritizing ease of deployment over advanced persistence. Operational approaches emphasize target rotation and volunteer coordination: the group's Telegram broadcasts specific URLs or domains (e.g., banks, media outlets, state agencies), with tools configured to attack for fixed durations, often 24-48 hours, before shifting to stay ahead of mitigation efforts. 
By October 2, 2022, the IT Army shifted to proprietary variants concealing target details within the software, reducing traceability and encouraging broader adoption. This volunteer-driven model avoids malware distribution or zero-day exploits, focusing instead on volumetric and resource exhaustion tactics suitable for asymmetric warfare, though vulnerable to countermeasures like content delivery networks.
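
From the defender's side, the crowdsourced model described above means each source stays quiet while the target's total load climbs, so per-IP rate limits alone do not fire. The following is an added example, not code from this article or from any of the tools it names; the log records, thresholds and field names are constructed assumptions.

```python
"""Added example: per-target flood detection vs. per-source rate limiting.
All log records, thresholds and names below are constructed assumptions."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

WINDOW = 10          # seconds per analysis window (assumed)
PER_IP_LIMIT = 50    # classic per-source limit, requests per window (assumed)
RATE_FACTOR = 5.0    # alert when a host's rate exceeds baseline by this factor
MIN_SOURCES = 100    # ...and the window contains at least this many sources
ENTROPY_BITS = 0.9   # GET/POST mix near 1 bit hints at method randomization
BASELINE_RPS = {"shop.example": 6.0}  # learned normal rate per host (constructed)


@dataclass(frozen=True)
class Hit:
    ts: int      # epoch seconds
    src: str     # client address as seen at the edge
    method: str
    host: str


def entropy_bits(counts):
    """Shannon entropy of a Counter, in bits."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values()) + 0.0


def per_ip_alerts(hits):
    """Sources that break the per-IP limit in any single window."""
    buckets = Counter((h.ts // WINDOW, h.src) for h in hits)
    return {src for (_, src), n in buckets.items() if n > PER_IP_LIMIT}


def aggregate_alerts(hits, baseline_rps=BASELINE_RPS):
    """Windows where one host sees a high total rate from many quiet sources."""
    windows = defaultdict(list)
    for h in hits:
        windows[(h.ts // WINDOW, h.host)].append(h)
    alerts = []
    for (idx, host), group in sorted(windows.items()):
        rps = len(group) / WINDOW
        per_source = Counter(h.src for h in group)
        if rps < RATE_FACTOR * baseline_rps.get(host, 1.0):
            continue  # within normal variation for this host
        if len(per_source) < MIN_SOURCES:
            continue  # high rate from few sources: per-IP limiting handles it
        bits = entropy_bits(Counter(h.method for h in group))
        alerts.append({
            "window_start": idx * WINDOW,
            "host": host,
            "rps": rps,
            "sources": len(per_source),
            "max_per_source": max(per_source.values()),
            "method_entropy": bits,
            "method_randomized": bits >= ENTROPY_BITS,
        })
    return alerts


def build_sample():
    """Constructed traffic: normal clients, one noisy scanner, one distributed flood."""
    host, hits = "shop.example", []
    # Window 0: 20 ordinary clients, 3 GETs each.
    for s in range(20):
        hits += [Hit(k * 3, f"192.0.2.{s + 1}", "GET", host) for k in range(3)]
    # Window 0: a single loud source, 60 requests (caught by the per-IP limit).
    hits += [Hit(i % 10, "198.51.100.7", "GET", host) for i in range(60)]
    # Window 1: 400 sources, only 5 requests each, methods alternating GET/POST.
    for s in range(400):
        src = f"10.{s // 200}.{s % 200}.1"
        hits += [Hit(10 + 2 * k, src, ("GET", "POST")[(s + k) % 2], host)
                 for k in range(5)]
    return hits


if __name__ == "__main__":
    sample = build_sample()
    print("per-IP alerts:", per_ip_alerts(sample))
    for alert in aggregate_alerts(sample):
        print("aggregate alert:", alert)
```

In the constructed data the per-IP check flags only the single loud source, while the aggregate check flags the window in which 400 sources send five requests each.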

Assessed Impact

Disruptions Achieved

The IT Army of Ukraine has primarily achieved temporary disruptions through distributed denial-of-service (DDoS) attacks on Russian financial institutions and communication providers, often lasting hours to days and forcing targets to divert resources to mitigation. In February 2022, the group knocked offline the websites of , Russia's largest bank controlling nearly one-third of national banking assets, and the , amid early invasion-related operations. Similar attacks targeted other banks, with facing repeated campaigns, including a July 2024 incident described by its deputy CEO as the most powerful DDoS in the bank's history. In June 2024, the IT Army executed a large-scale DDoS campaign against Russia's banking sector, including VTB, , and , which disabled the Mir national payment system and halted transactions across multiple providers. The group claimed this as the largest DDoS attack ever recorded, overwhelming and contributing to broader resource strains on Russian digital systems. Communication disruptions included a March 2025 DDoS on Lovit, a Moscow-based , which interrupted services in and St. Petersburg for at least three days, disabling residential intercoms, business payment terminals, loyalty programs, and general access. regulator confirmed the attack originated from multiple countries and targeted , noting Lovit's inadequate preparedness. Other efforts disrupted up to 40% of resources at select providers at peak times and targeted networks to impair during coordinated operations. Analyses attribute approximately 61% of the group's operational successes to DoS methodologies, with cumulative economic impacts estimated at $2-5 billion in direct and indirect damages to by mid-2025, though such figures rely on aggregated claims and lack . These actions have compelled entities to enhance defenses, but effects remain largely reversible without physical infrastructure compromise.

Measured Effectiveness Against Russian Targets

The IT Army of Ukraine's operations against Russian targets have predominantly involved distributed denial-of-service (DDoS) attacks, which have achieved temporary disruptions to websites and online services rather than sustained or destructive effects. Between February 2022 and January 2023, the group conducted 58 verified cyberattacks, with 61.1% being denial-of-service actions targeting sectors such as (43.1% of attacks), information services (20.7%), and (13.8%), resulting in website unavailability, database access issues, and reduced operational capacity for affected entities like banks. These disruptions were generally short-lived, often lasting hours, as evidenced by instances where Russian government sites, including those of the and party, experienced outages but recovered via mitigation measures. Quantifiable impacts include over 90% of attacks focusing on DDoS against digitized industries, affecting finance (93 incidents), information technology (57), and government portals (55), with some leading to operational delays such as a reported over-one-hour postponement of a speech by Vladimir Putin due to network overload. Data leaks from entities like Gazprom and the Moscow Metro were also claimed, alongside defacements and doxing, but these did not translate to verifiable long-term strategic degradation of Russian military or critical infrastructure capabilities. In 2024, Russian cybersecurity firm F6 assessed the IT Army as the most active threat actor, noting a sharp rise in attacks on regional telecoms, media outlets (e.g., 50 sites in Kursk), and transport systems (e.g., payment apps in St. Petersburg and networks in Krasnodar), which overwhelmed networks and temporarily halted services like internet access and parking systems, particularly in under-secured border regions. 
However, F6's analysis, from a Russian-based entity potentially aligned with state interests, highlights vulnerabilities in regional firms but does not quantify enduring economic or operational losses beyond immediate outages. The group's crowdsourced tools, such as MHDDOS, DB1000N, and Distress integrated into the IT Army Kit, enabled high-volume traffic generation—top volunteers reportedly produced up to 460 terabytes of data over campaigns—but effectiveness remained constrained by Russia's defensive redundancies and the non-destructive nature of DDoS, limiting outcomes to symbolic and psychological pressure rather than causal interruption of wartime or command systems. While the IT Army claimed responsibility for large-scale actions, including a purported record DDoS in June 2024 targeting banks, independent verification of crippling effects is absent, and overall contributions appear more aligned with amplifying and countering propagation than achieving measurable advantages. No evidence indicates significant diversion of resources or alteration in dynamics attributable to these efforts.

Controversies and Criticisms

The IT Army of Ukraine comprises civilian volunteers conducting cyber operations against Russian targets amid the international armed conflict triggered by Russia's invasion on February 24, 2022, thereby subjecting their activities to (IHL) as codified in the and their Additional Protocols. Members do not qualify as combatants under Article 4 of the Third Convention or Article 43 of Additional , absent formal incorporation into Ukraine's armed forces, nor do they meet the criteria for under Article 4(A)(6) of the Third Geneva Convention, which requires spontaneous uprising by inhabitants of non-occupied territory carrying arms openly to resist invading forces—conditions incompatible with the group's organized, global recruitment of over 200,000 participants (many non-Ukrainian) and reliance on covert cyber methods like DDoS attacks rather than open armament. Classified as civilians, IT Army participants may nonetheless engage in direct participation in hostilities () for specific operations that satisfy the ICRC's three cumulative criteria: threshold of harm to the enemy's capacity (e.g., disrupting command-and-control systems), direct causation by the act, and nexus to the conflict. During such , they temporarily lose protection from direct attack under Article 51(3) of Additional but remain shielded from disproportionate or indiscriminate harm; however, many documented operations—such as temporary website disruptions against or administrative portals—likely fail the harm threshold and thus do not constitute , preserving full civilian immunity outside those acts. The group's decentralized structure precludes recognition as a continuously targetable organized armed group under Rule 83 of the 2.0, which requires sustained capacity for armed operations integrated with territorial control or objectives. 
If captured, non-incorporated members risk denial of prisoner-of-war status and prosecution as unlawful belligerents under the capturing power's domestic law, though IHL forbids reprisals or trials solely for lawful absent grave breaches like targeting civilians. To mitigate these risks, Ukraine's —which oversees coordination without direct military command—backed draft legislation in March 2023 to classify IT Army volunteers as reservists upon , potentially granting combatant privileges and obligations under IHL, including accountability for violations of distinction, , and in cyber targeting. Operations attributable to the state as auxiliary actions must still comply with jus in bello norms, with potential spillover effects on neutral third-party infrastructure raising separate attribution and compensation issues under .

Ethical and Proportionality Issues

The IT Army of Ukraine, comprising civilian volunteers conducting distributed denial-of-service (DDoS) attacks and other cyber operations against Russian targets, has prompted ethical scrutiny over adherence to principles of distinction and proportionality under international humanitarian law (IHL). Critics argue that targeting dual-use infrastructure, such as banks and media outlets, risks indiscriminate effects on non-combatants, even if intended to disrupt military logistics or propaganda dissemination. For instance, DDoS campaigns against Russian financial institutions from February 2022 onward disrupted civilian access to banking services, potentially exacerbating economic hardship without direct military gains proportionate to the collateral interference. Proportionality assessments in operations require weighing anticipated military advantage against incidental civilian harm, a challenge amplified by the IT Army's decentralized structure lacking formal command oversight. Legal scholars note that while some targets like may support wartime information operations, broad-spectrum attacks—such as those overwhelming over 800 Russian websites including in June-July 2022—could exceed necessary force if civilian disruptions (e.g., payment processing failures affecting households) outweigh strategic benefits like hindering coordination. This raises causal questions: Do temporary service outages justify volunteer-led actions that blur lines, potentially exposing participants to direct targeting as unlawful belligerents under IHL? Ethical concerns extend to and escalation risks from crowdsourced , where unvetted volunteers may pursue operations without rigorous target validation, eroding norms against civilian cyber involvement. 
Analyses highlight that the IT Army's model, involving up to 400,000 participants per Russian estimates, circumvents state control, complicating attribution and raising liability for unintended escalations, such as retaliatory strikes on Ukrainian . While defenders invoke necessity amid Russia's invasion, independent observers emphasize that ethical cyber conduct demands verifiable military utility over symbolic disruptions, cautioning against precedents that normalize non-state actors in .

Perspectives from Russia and Neutral Observers

Russian state and officials have characterized the IT Army of Ukraine's operations as acts of cyber terrorism and criminal hacking, framing them as unlawful aggression that violates international norms and targets civilian infrastructure. The has specifically accused the group of forming a "criminal " responsible for cybercrimes against entities, including disruptions to websites and services since 2022. cybersecurity firms, such as , have documented a surge in IT Army-attributed attacks, reporting an increase in incidents against targets in 2024–2025, while portraying these as escalatory threats amid the ongoing conflict, often emphasizing their disruptive impact on domestic services without acknowledging utility.
From the Russian viewpoint, these activities exemplify Western-backed aimed at undermining Russian sovereignty, with claims that the IT Army's DDoS campaigns and defacements serve propaganda purposes rather than strategic military gains, drawing parallels to prohibited peacetime cyber operations under . Official statements have rejected any legitimacy for the group, insisting that its volunteer nature does not confer combatant status and instead invites criminal prosecution for violations of Russian domestic laws and bilateral agreements.
Neutral analysts from cybersecurity think tanks and legal experts have offered more nuanced assessments, highlighting the IT Army's innovative crowdsourced model as a form of asymmetric cyber resistance but questioning its compliance with international humanitarian law (IHL). Experts at the Lieber Institute note that IT Army members risk losing civilian protections under the law of armed conflict due to direct participation in hostilities through cyberattacks, potentially rendering them targetable and ineligible for prisoner-of-war status if captured, especially as non-state actors without formal integration into Ukraine's armed forces. CSIS analysts describe the operations as occupying a legal "grey space", particularly for foreign volunteers, where the of disruptions to civilian-linked targets, like banks and media, raises concerns over distinction and , even if short-term effects on Russian military capabilities appear limited.
Independent evaluations, such as those from the Center for European Policy Analysis (CEPA), underscore operational challenges including attribution difficulties and ethical dilemmas in volunteer-led hacks, which could blur lines between state-directed and private actions, potentially eroding norms against offensive operations in wartime. Broader commentary from sources like the views the IT Army as emblematic of private sector involvement in conflict, praising its resilience-building role for but cautioning that unregulated may set precedents for uncontrolled escalation in future cyber domains, without clear strategic deterrence against Russian advances. These perspectives emphasize empirical tracking of impacts (such as temporary outages rather than systemic degradation) over ideological framing, attributing the group's persistence to motivational factors like national defense rather than proven efficacy.

Broader Implications

Influence on Cyber Warfare Doctrine

The IT Army of Ukraine has exemplified a crowdsourced model of offensive operations, integrating volunteer civilians under loose oversight to conduct denial-of-service attacks and website defacements against targets, thereby introducing a auxiliary force unprecedented in scale during active . Formed in late February 2022 and subordinate to Ukraine's , the group rapidly mobilized over 175,000 volunteers within two days and expanded to more than 300,000 in two weeks, executing 58 verified operations primarily focused on disrupting (43.1% of targets) and information sectors (20.7%), such as government ministries and media outlets like . This approach aligns with Ukraine's 2016 National Cybersecurity Strategy but extends it through decentralized volunteer participation, demonstrating the feasibility of leveraging non-professional hackers for wartime effects without heavy reliance on elite units.
This model has prompted discussions on evolving warfare doctrines toward incorporating state-tolerated civilian auxiliaries, challenging traditional state-centric frameworks that emphasize professionalized, attributable operations under unified command. Analysts argue it represents an emerging facet of where governments sponsor volunteer cyber militias to amplify kinetic efforts, potentially serving as a template for future conflicts, such as a Taiwan-China scenario, by enabling rapid scaling of low-cost disruptions against superior adversaries. However, its decentralized nature has highlighted doctrinal gaps in coordination, attribution, and legal compliance, with recommendations for integrating such groups into formal or structures to enhance targeting agility and reduce risks of uncontrolled escalation.
The IT Army's success in democratizing cyber tools—facilitating public involvement in distributed denial-of-service campaigns via simple platforms like Telegram—has reshaped paradigms of engagement, underscoring how non-state actors can contribute to national defense strategies and influencing broader thinking on mobilization. While no major powers have formally adopted this exact model as of 2025, it has informed analyses of asymmetric resistance, emphasizing the need for doctrines that account for volunteer-driven operations in protracted conflicts, though concerns persist over operational security and proportionality under .

Ongoing Role and Adaptations

The IT Army of Ukraine continues to operate as a volunteer-driven entity conducting distributed denial-of-service (DDoS) and other cyber disruptions against financial, governmental, and media targets, with capabilities to maintain simultaneous attacks on over 800 sites using automated tools. As of May 2025, a cybersecurity firm assessed it as the most active group targeting digital infrastructure throughout 2024, reflecting sustained operational tempo amid the ongoing conflict. In early 2025, the group coordinated with Ukrainian intelligence services to execute DDoS strikes on closed-circuit television networks, aiding physical military operations by impairing surveillance.
Structurally, the organization has adapted since June 2022 into a bifurcated model comprising global civilian volunteers for mass participation and a core of dedicated IT professionals handling more sophisticated tasks, enhancing coordination and impact beyond initial efforts. This evolution includes a shift toward refined, automated software platforms that synchronize volunteer inputs, enable target refreshes, and incorporate continuous updates from cybersecurity experts, economists, and developers to counter defenses and maintain efficacy. The decentralized, bottom-up persists, relying on Telegram channels for task and volunteer , allowing without formal . These changes have rendered operations more nimble and intelligent compared to traditional hacktivist models, as noted in analyses of its maturation.
As Ukraine establishes formal Cyber Forces in October 2025 for integrated military cyber operations, the IT Army remains a complementary focused on offensive disruptions outside official command structures, preserving its crowdsourced . Its campaign against Russian targets persists without cessation as of September 2025, underscoring adaptability to prolonged .
