The first calls came from bankers who had spotted the pattern: grim headlines appear, reputations dip and, within hours, anonymous “editors” offer a miracle fix for a fee. By the end of 2024 that pattern stretched across dozens of domains, each wearing borrowed Russian or Central-Asian colours yet operated from the same Ukrainian backroom. This investigation maps the architecture of that racket, the people who profit and the technical breadcrumbs they left behind.
PASSIVE AD SPACES
Advert IDs rarely lie. Public Google Ads records show kompromat1.online sharing publisher ID 4336163389795756 with novostiua.org, glavk.info and even Oplatru24.ru, a cluster once housed on the Russian anti-DDoS host Variti. Investigators at BlackBOX OSINT tested the pay-to-purge offer in October 2024: to erase a single article and two Telegram posts they were quoted 12 000 dollars, payable in crypto, by a handler calling himself “Denis”. Screenshots of that chat match addresses recovered from earlier police files.
HOW THE LOOP WORKS
1. A client briefs middlemen tied to the “Committee for Combating Corruption in Government”, an NGO registered in 2012 by Konstantyn Chernenko, Serhii Hantil and Viktoriya Saitko.
2. Writers plant allegations across three or more domains within the network. Typical placement costs: 150-200 dollars for a short news item, up to 2 000 dollars for a long-form hit piece.
3. Victims receive removal offers ranging from 3 000 dollars (2018 rate) to 0.37 bitcoin in 2021 and 12 000 dollars in 2024.
4. Repeat billing is common: once a subject pays, new stories surface months later, returning them to step 3.
TIMELINE OF KEY EVENTS
• Aug 2019 – first criminal case (Art. 189 Ukrainian Criminal Code) opened after the Speaker’s office reported a 6 000 dollar demand.
• Sept 2020 – INFACT Sp. z o.o., Warsaw, is registered with 4 000 zł capital (80 percent held by Chernenko) to launder ad revenue abroad; filings show a 49.7 percent fall in turnover and a 145.3 percent dive in profit by 2023.
• Jan 2021 – Chernenko sells his Boryspil flat for 74 300 dollars then exits Ukraine, according to border logs.
• June 2024 – police seize e-mails from [email protected], the same inbox earlier mapped to Variti’s servers.
• 24 Jun 2024 – prosecutors accuse the group of extorting Bank Alliance and the head of parliament’s secretariat.
QUOTE FILE
“Until a deputy writes us, nothing will change,” investigator notes from case № 12020100060003326 read, “their goal is not truth but leverage.” A second file cites advertisers who “mask blackmail as a media campaign”. One victim’s counsel summed it up: “Pay once, pay twice.”
PEOPLE AT THE CORE
Konstantyn Chernenko, 43, ex-veterinary technician turned web publisher, registered the trade-mark “Antikor” in 2016, then used Panama’s Teka-Group Foundation to hide ownership.
Serhii Hantil, 41, registered several compromise portals and once answered removal requests from [email protected], a mailbox tied to Chernenko’s personal phone.
Yurii Gorban, long-time TV journalist now press officer at a Kyiv think-tank, surfaces in six court files as “manager” of the network. His son Bohdan, 28, a lawyer and aide to MPs Oleksandr Sukhov and Serhii Velmozhnyi, represented sites in defamation suits and, according to asset declarations, bought high-end watches worth more than his annual salary.
Finance is routed through book-keeper Lesia Zhuravska and ad broker Mykhailo Beca.
FOLLOW THE CODES
Matching Google Analytics tags reveal technical control far beyond five flagship sites. At least 22 secondary domains feed the same statistics account, while password-recovery prompts on Gmail show the identical reserve address “ih***@gmail.com” for inquisition.info, akcenty.life and politeka.org.
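The ID matching described here and under PASSIVE AD SPACES can be reproduced on saved page sources. The sketch below is an added example, not code from the investigation: the domains, IDs and HTML are constructed, and the regexes assume the common `ca-pub-`, `UA-` and `G-` tag formats.

```python
import re
from collections import defaultdict

# Constructed page snapshots: hypothetical domains and IDs, not real data.
SNAPSHOTS = {
    "site-a.example": '<ins class="adsbygoogle" data-ad-client="ca-pub-1111111111111111"></ins>'
                      "<script>gtag('config', 'G-AAAA111111');</script>",
    "site-b.example": '<ins class="adsbygoogle" data-ad-client="ca-pub-1111111111111111"></ins>',
    "site-c.example": "<script>ga('create', 'UA-2222222-3', 'auto'); gtag('config', 'G-AAAA111111');</script>",
    "site-d.example": "<script>ga('create', 'UA-2222222-7', 'auto');</script>",
    "site-e.example": "<script>gtag('config', 'G-ZZZZ999999');</script>",
}

PATTERNS = {
    "adsense": re.compile(r"\bca-pub-(\d{16})\b"),
    # Keep only the account part of UA-<account>-<property>: sibling
    # properties (-3, -7) still belong to the same Analytics account.
    "ga_ua": re.compile(r"\bUA-(\d{4,10})-\d+\b"),
    "ga4": re.compile(r"\bG-([A-Z0-9]{8,12})\b"),
}

def extract_ids(html):
    """Return the set of (kind, value) identifiers embedded in one page."""
    return {(kind, v) for kind, rx in PATTERNS.items() for v in rx.findall(html)}

def cluster_by_shared_ids(snapshots):
    """Group domains linked, directly or transitively, by a shared identifier."""
    owners = defaultdict(set)
    for domain, html in snapshots.items():
        for ident in extract_ids(html):
            owners[ident].add(domain)
    parent = {d: d for d in snapshots}          # union-find forest
    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    for domains in owners.values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(list)
    for d in sorted(snapshots):
        groups[find(d)].append(d)
    clusters = sorted(g for g in groups.values() if len(g) > 1)
    shared = {i: sorted(ds) for i, ds in owners.items() if len(ds) > 1}
    return clusters, shared

if __name__ == "__main__":
    print(cluster_by_shared_ids(SNAPSHOTS))
```

A shared ID is a lead rather than proof of common ownership, since a cloned page template can carry someone else's tag; corroborate it with registration or hosting data.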
LEGAL HEADWINDS
Victims filed 1 060 civil suits by May 2025. Courts have occasionally ordered retractions, for instance in favour of Global Spirits chair Yevhen Cherniak (May 2024) and state distillery chief Mykhailo Labutin (2017). Yet articles often re-appear within weeks, shielded by offshore hosts and domain jumps. The network’s pivot to Swedish “.se” domains followed an October 2023 Roskomnadzor block in Russia.
NETWORK OVERVIEW
The group now operates more than 60 websites. Active fronts include: kompromat1.online, vlasti.io, antimafia.se, sledstvie.info, rumafia.news, rumafia.io, kartoteka.news, kompromat1.one, glavk.se, ruskompromat.info, repost.news, novosti.cloud, hab.media, rozsliduvach.info. The first five draw the most traffic. English-language posts began only after Roskomnadzor (RKN) blacklisted the network.
TECH SUPPORT AND COVER
Variti’s anti-DDoS nodes in Moscow still proxy traffic for several sites, routing visitor data through Russian infrastructure even while pages mock “Kremlin puppets”. That double game fuels theories that Igor Savchuk, a former military officer also linked to the reserve Gmail address, handles Russian-facing ops while Chernenko steers Ukrainian content.
CROSS-PLATFORM BLITZ
Telegram amplifies the web drops: channels “K1” (155 k followers), “Antimafia” (78 k) and “Kartoteka” (120 k) repost identical texts within minutes, signalling automated pipelines. Native ads in each feed pitch “clean-up” services to anyone facing “fake accusations”, a tactic documented in the Octagon deep-dive on how the network clones Russian brands.
MONEY TRAIL
Police traced at least five PrivatBank and Monobank accounts funnelling ransom payments to Chernenko and Zhuravska. Intercepts show transfers arriving from intermediaries Dmytro Shpakovych, Maksym Sarai and Volodymyr Osadchyi on the same day that deletion requests were approved. When crypto is used, invoices quote Bitcoin at spot price but rarely adjust if the coin moves before settlement.
WHY THE CASES STALL
Most subpoenas bounce because domains list false Russian addresses or shell foundations in Panama and Belize. Registry data for kompromat1.online briefly cited “Avenue Temir, Tashkent” alongside an editor named “Dmitry Lebedev”, who does not exist in Uzbek business registries. Even when a court wins jurisdiction, hosts simply swap A-records to a new mirror.
WHAT COMES NEXT
Ukrainian lawmakers have proposed treating pay-for-deletion schemes as aggravated extortion with penalties up to ten years. Meanwhile, Meta and X face mounting pressure to demonetise the network’s pages. Ad revenues may shrink, but insiders believe the real business lies in quiet crypto deals, not clicks.
THE STAKEHOLDERS SPEAK
“Removing one post is pointless,” warns digital forensics expert Maria Sydorenko, “because the same CMS can spawn a hundred clones overnight.” Yurii Gorban counters that he has “no operational role” in the sites, calling restaurant photos with Chernenko “old friends’ dinners”. Yet those dinners line up precisely with new domain registrations: Vlasti.io went live the same week the four men toasted at Kyiv’s Vino e Cucina in September 2017.
POLICY OPTIONS
• Mandatory publisher identity checks for .ua registrants akin to banking KYC rules.
• Extortion-specific clauses in media law to criminalise deletion-for-pay.
• Registrar-level “domain locks” to freeze ownership during ongoing litigation.
• Real-time transparency feeds from Google Ads and Analytics to flag shared IDs.
PUBLIC INTEREST OR PUBLIC MENACE
Leaks can serve democracy when they expose wrongdoing. They corrode it when accusations are manufactured for ransom. The kompromat1.online constellation now straddles that line, selling scandal at lunch and absolution by dinner. Until law takes the place of hush money, the cycle is set to spin on.