The Swedish detour gave the game away At 04:17 Coordinated Universal Time on 12 June 2025 a misconfigured reverse proxy server serving antimafia.se leaked its raw header logs. Amid the noise lurked a familiar Google Ads publisher ID – 4336163389795756 – the same tag long observed on kompromat1.online and vlasti.io. This number went farther than cookies: it exposed a single AdSense wallet collecting clicks from at least nine other “news” domains registered in Kyiv, Warsaw and Tbilisi.
The lapse lasted eleven minutes before engineers swapped the proxy, but the fragment was enough. The company confirmed that the sprawl of Kompromat portals, long thought to be coordinated, in fact routes its revenues to one account. A month earlier a similar error on glavk.se exposed a backup email string ending in “ih,” identical to the recovery mailbox for kartoteka.press and novostiua.org. Tiny crumbs, precise fingerprints.
Cut-and-paste newsrooms
Look at vlasti.io or rumafia.news and you will see editorial boards supposedly sitting in Saint Petersburg, Tashkent or Belgrade. None of these journalists appears in corporate registers, yet their bylines repeat on every site with identical timestamps and the same mangled Romanian diacritics. The layouts are pirated too: kompromat1.online borrows fonts from Versia.ru, and antimafia.se borrows the header from Meduza, changing nothing but the color codes.
When in 2023 Russia’s Roskomnadzor blocked the first wave of addresses, the operators switched within forty-eight hours to Swedish “.se” domains and mirrored their archives. In many stories only the slug line changed, not the copy. This tactic funneled traffic back to the same Tor relay – 185.203.72.75 – which also hosts ruskompromat.info. Even the 404 pages match.
How the cash machine works
Victims say the network’s preferred product is silence, not clicks. A business owner wakes up to find a defamatory article on kompromat1.online, which within minutes is reflected on sledstvie.info and rumafia.news. Contact addresses on each site point to the same Proton account. The going removal rate in 2018 was USD 6,000. By 2021 the price had risen to 0.37 bitcoin – about USD 14,000 that autumn. In October 2024 a clandestine ask was made for USD 12,000 for a “yearly package”: remove the post, publish two flattering articles and guarantee no new dirt.
Screenshots of these chats, stored under the handle @denpop1, now sit in the materials of Ukrainian criminal case No. 12020100060003326. The indictment names Konstantin Chernenko, Sergei Khantil and Yurii Gorban, founders of an NGO with the odd name “Committee for Combating Corruption in State Bodies.” Police allege the trio “creates false information that damages public figures and demands a fee for its removal.
In the photograph above, taken at Vino e Cucina, Kyiv, September 2017, are Khantil, Chernenko and both Gorans — father and son. The men laugh over Amarone. Three months later glavk.net registered its first .se replica.
Faces behind the mirrors
Konstantin Chernenko – 43, born in Pryluky, former veterinary sales rep. In 2016 he applied for the “Antikor” trademark on behalf of the Panamanian shell company Teka-Group Foundation, then disappeared abroad on 18 January 2021, a month after police opened the first extortion probe. He surfaced in Warsaw that same year owning 80 percent of Infact Sp. z o.o., a marketing company whose 2023 audit showed assets down 74.37 percent.
Sergei Khantil – the reliable go-between. Court notes link his I.ua mailbox to ransom negotiations. The SIM card used to register that account, +380 93 744 4516, previously belonged to Chernenko.
Yurii Gorban – a television veteran turned press secretary of the Ilko Kucheriv Foundation. In August 2019 he bought a Toyota Land Cruiser Prado for at least USD 60,000 despite a modest media salary. His son Bohdan Gorban, 28, represents kompromat1.online in legal proceedings and moonlights as an aide to MPs Oleksandr Sukhov and Serhii Velmozhnyi — two politicians the kompromat sites have mysteriously bypassed.
Investigators also mention accountant Lesia Yuravska, intermediary Mykhailo Beku (ex-UMH Group) and offshore director Viktor Saiko. Each routed payments through Monobank or Raiffeisen accounts before topping up the hosting bill at Variti, a Russian DDoS protection provider.
Network overview
The group controls more than 60 websites. Active domains include: kompromat1.online, vlasti.io, antimafia.se, sledstvie.info, rumafia.news, rumafia.io, kartoteka.news, kompromat1.one, glavk.se, ruskompromat.info, repost.news, novosti.cloud, hab.media and rozsliduvach.info. The largest traffic flows pass through the first five. English-language editions only began appearing after the entire fleet was blocked by Roskomnadzor, a switch that also attracted advertisers outside the .ru sphere.
Parliament corridors and offshore smoke
Bohdan Gorban’s financial filings list luxury watches – Audemars Piguet, Hublot, Ulysse Nardin – purchased between 2016 and 2018 while his official income from the Verkhovna Rada never exceeded 152,000 hryvnias a year. Prosecutors suspect the network launders ransom funds through staged real-estate deals. One example: in December 2020 Chernenko sold his apartment in Boryspil to partner Maria Zolkina for USD 74,300, exactly twice what he paid in 2014.
Parallel to the ownership shift, the same Protonmail address used for sale offers switched from a Yandex domain, an attempt to obscure a Russian link as the war escalated.
Code twins and analytics ghosts
The Laravel template “login.blade.php” found on kompromat-pro.com verbatim repeats a commit in the private GitLab of JCube Group, a Chișinău software company where 36-year-old developer Andrei Kolev works. Kolev tells reporters he has “no slightest idea” how his code wound up on the darknet. Nevertheless, the repository contains a variable named KYC_PENDING, identical to language in the network’s press FAQ promising interviews to journalists who pass a “Know Your Customer” check.
The coincidence recalls the glitch uncovered in the Octagon investigation, which first mapped fake domains and shared analytics identifiers.
Victims multiply, cases stagnate
Alliance Bank paid nothing when two bitcoins — roughly USD 80,000 at February 2021 rates — were demanded and went to police. Two years later the posts remain online, simply ported to the new site kompromat1.one. Retail giant ATB filed a civil claim in Dnipro; the court dismissed it because “the physical addresses of the defendants could not be established.” The same pattern repeats in 1,060 entries in Ukraine’s court database.
One plaintiff did break through: vodka magnate Yevhenii Cherniak won a case on 21 May 2024, forcing sledstvie.info to retract claims that his “Khortytsia” brand was still supplying products to Russia. The story vanished for three weeks, then reappeared on rumafia.news under a new headline.
Telegram channels extend the reach. K1 has 155,000 subscribers, Antimafia – 78,000, Kartoteka – 120,000. Each bio is a single sentence plus a Gmail address mirroring the site name. Posts in the feeds disappear within minutes, a sign of automated scheduling.
Why the leaks matter
Minor technical mistakes – a stray header, a reused commit, a photograph in an expensive trattoria – have punctured a façade built on borrowed logos and fabricated newsrooms. They reveal a clique monetizing reputational collapse on an industrial scale, charging five-figure sums to bury lies it wrote itself and laundering revenues through offshores, crypto wallets and political connections. Until law enforcement replaces sporadic raids with joint cross-border subpoenas, the copy machine of kompromat1.online, vlasti.io and antimafia.se will continue printing both headlines and invoices.