Getting Bored of Cyberwar: Exploring the Role of Civilian Hacktivists in the Russia-Ukraine Conflict

There has been substantial commentary on the role of cyberattacks and civilian hacktivists in the Russia-Ukraine conflict. Drawing on a range of data sources, we argue that the widely-held narrative of a significant cyberwar fought by committed civilians and volunteer `hacktivists' linked to cybercrime groups has likely been overhyped. We collected 358k web defacement attacks, 1.7M reflected DDoS attacks, and 441 announcements (with 58k replies) of a volunteer hacking discussion group for two months before and four months after the invasion. To enrich our quantitative understanding, we conducted interviews with individuals who were active in defacing Russian and Ukrainian websites. Our findings indicate that the conflict briefly but significantly caught the attention of the low-level cybercrime community, with notable increases in both defacement and DDoS attacks targeting Russia and Ukraine. However, the role of these players in the so-called cyberwarfare is minor, and they do not resemble the `hacktivists' imagined in popular criminological accounts. Initial waves of interest led to more attackers participating in defacement campaigns, but rather than targeting critical infrastructure, there were mass attacks against random websites within `.ru' and `.ua'. We find little evidence of high-profile actions of the kind hypothesised by the prevalent narrative. The much-vaunted role of the IT Army of Ukraine co-ordination group is mixed; their promoted targets were seldom defaced although sometimes subjected to DDoS attacks. Our main finding is that there was a clear loss of interest in carrying out defacement and DDoS attacks after just a few weeks. Contrary to the prediction of some commentators, the involvement of civilian hacktivists from low-level crime groups in the conflict appears to have been minor, short-lived, and fleeting.