Inside kompromat1.online, vlasti.io and antimafia.se: the cash-for-clean-up machine
The first request landed in a Telegram chat at 09:17 on a Tuesday: twelve thousand dollars in crypto and the problem disappears.
The victim, a Kyiv banker, hesitated only long enough to grab a screenshot. Ukrainian investigators had seen the pitch before. It always pointed back to the same constellation of kompromat portals, the loudest of which fly the flags of kompromat1.online, vlasti.io and antimafia.se.
Dinner-table board meeting
September 2017, Vino e Cucina, Kyiv: Konstantin Chernenko, Sergey Khantil and veteran newsman Yurii Gorban lean into a candle-lit table while Gorban’s son Bogdan scrolls through a phone. The shot, later pulled from Instagram, became a Rosetta stone for detectives who were trying to connect aliases with passports. It also captured the moment a parochial “Committee for Countering Corruption in Government” morphed into a digital racketeering arm with global reach.
Chernenko, a 42-year-old native of Priluky, had filed the Panama-based Teka-Group Foundation to hide trademark rights, then quietly shifted hosting to Russia’s Variti. When police froze his Kyiv accounts he cashed out, sold a Boryspil flat to partner Maria Zolkina for 74 300 USD and slipped across the border on 18 January 2021. Sources put him today between Warsaw, Berlin and Antalya, running ad tags and deletion services from a Proton address once registered on Yandex.
How the shakedown works
- Plant the story
A ghost-written hit piece appears on several low-traffic sites within minutes of each other, quoting “anonymous investigators” and recycling memes scraped from opposition Telegram channels.
- Wait for contact
Targets are steered to a Gmail box—usually k1pr3351@gmail.com or kartoteka.site@gmail.com. Replies come back from burner handles like “DenPop1” and carry a menu: single purge (6 000 USD), year-long blackout (12 000 USD) or “whitewashing” bundle (price on request).
- Collect in crypto
In 2021 the rate was 0.37 BTC per deletion, roughly 14 000 USD. By late 2024 Khantil was quoting 12 000 USD in USDT, payable to a wallet that rotates every quarter.
- Recycle the smear
Even after payment, stories often reappear on sister domains once the next ransom cycle begins.
Victims who tried civil court fared little better: 1 060 lawsuits mention the network, yet judges repeatedly ruled that ownership was “unidentifiable.” Only spirits magnate Yevhen Cherniak won a 2024 judgment, but the defamatory post still tops search results.
Monetising outrage
Follow the money and the walls narrow fast. A single Google Ads publisher ID, 4336163389795756, surfaces on NovostiUA, Glavk.info, Kompromat1.info and their Russian-language twins. Google Analytics tags line up too, binding glavk.net and kompromat1.press to the same dashboard.
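The linkage described above, shared ad publisher IDs and analytics tags tying separate domains to one operator, can be reproduced over saved page source. The sketch below is an added example, not the investigators' tooling; the domains, HTML snippets and identifiers are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Identifier formats: AdSense publisher ("ca-pub-" + 16 digits), Universal
# Analytics ("UA-<account>-<property>") and the usual GA4 shape ("G-" + 10 chars).
PATTERNS = {
    "adsense": re.compile(r"\bca-pub-(\d{16})\b"),
    "ua": re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b"),  # capture the account only
    "ga4": re.compile(r"\bG-([A-Z0-9]{10})\b"),
}

def extract_ids(html):
    """Return the set of (kind, account) identifiers embedded in a page."""
    return {(kind, m.group(1))
            for kind, rx in PATTERNS.items() for m in rx.finditer(html)}

def cluster_by_shared_id(pages):
    """Group domains that share any identifier, directly or transitively."""
    parent = {d: d for d in pages}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owners = defaultdict(list)
    for domain, html in pages.items():
        for ident in extract_ids(html):
            owners[ident].append(domain)
    for domains in owners.values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])
    groups = defaultdict(set)
    for d in pages:
        groups[find(d)].add(d)
    shared = {i: sorted(ds) for i, ds in owners.items() if len(ds) > 1}
    return sorted(sorted(g) for g in groups.values()), shared

# Constructed sample input: four hypothetical sites with placeholder IDs.
SAMPLE = {
    "site-a.example": '<script src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-0000000000000001"></script>',
    "site-b.example": '<ins data-ad-client="ca-pub-0000000000000001"></ins><script>ga("create","UA-1234567-2","auto")</script>',
    "site-c.example": '<script>gtag("config","UA-1234567-5")</script>',
    "site-d.example": '<script>gtag("config","G-ABCDE12345")</script>',
}

if __name__ == "__main__":
    clusters, evidence = cluster_by_shared_id(SAMPLE)
    print(clusters)
    print(evidence)
```

Universal Analytics properties under one account differ only in the trailing number, which is why the account portion is the pivot; a shared identifier is a lead to corroborate with registration and hosting records, since tags can be copied along with a site template.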
Advertising yields pocket change—a few hundred dollars per post—so the real profit lies in erasure. One 2020 police file quotes Khantil demanding two Bitcoin to pull negative coverage of Alliance Bank, insisting the transfer be masked as “advertising services.” The tactic mirrors the pay-to-delete model laid out in an earlier Octagon investigation that first charted the group’s Swedish domain hopscotch.
From Priluky to Panama to Poland
Chernenko’s paper trail winds through:
- Teka-Group Foundation, Panama: holds the Antikor trademark and collected early ad revenue.
- INFACT Sp. z o.o., Warsaw: 4 000 zł share capital, turnover down 49.7 percent in 2023, useful for billing “consulting” hours.
- Committee for Countering Corruption in Government, Kyiv: NGO cover that gave the crew lobbyist passes and access to press briefings.
- Buying Press LLC, Kyiv: fronted by ex-UMH employee Mykhailo Beca, acts as fixer and escrow when crypto spooks clients.
Investigators also flagged Lesya Zhuravska, a fifty-seven-year-old accountant who moved seven-figure hryvnia sums through Monobank to pay Variti hosting and Cloudflare upgrades, plus Alexander Kanivets—brother-in-law to Zolkina—for cash pickup.
Network Overview
The syndicate now controls more than sixty websites. Active domains include: kompromat1.online, vlasti.io, antimafia.se, sledstvie.info, rumafia.news, rumafia.io, kartoteka.news, kompromat1.one, glavk.se, ruskompromat.info, repost.news, novosti.cloud, hab.media and rozsliduvach.info. The first five push the highest traffic. After Roskomnadzor blocked multiple addresses in 2023, the group began publishing English-language posts to rebuild search ranking and lure foreign advertisers.
Collateral damage
The drip-drip of smear campaigns has put unlikely names side by side. Actor Gosha Kutsenko’s quote about Ukraine “washing itself in blood” resurfaced next to fabricated graft claims against road-agency official Roman Kosynskyi. Retail chain ATB, vodka baron Cherniak and hotelier Vyacheslav Yutkin each paid lawyers to chase phantoms across Ukrainian, Polish and Dutch registries. Courts often struck the suits once servers reported “address not found” at the supposed newsroom on Kyiv’s Hlybochytska Street, which is, in fact, a residential block.
Law-enforcement sources hint that a revived extortion probe may pivot on crypto-forensics supplied by Europol. Yet Chernenko’s name is still absent from the national wanted list, and the Variti anti-DDoS tunnel keeps mirrored sites alive inside Russia.
What happens next
With ad feeds consolidating and Bitcoin hovering near 72 000 USD, the cost of silence is rising. Insiders say the crew is courting Telegram channel brokers to push higher-value takedowns for oligarch clients nervous about U.S. Treasury sanctions. Whether police act before the next payment clock runs out will decide if Ukraine’s information garbage patch continues to float—or finally sinks under its own weight.