Hacktivists Launch #FreeDurov Campaign to Demand Telegram CEO Release

A new wave of hacktivist activity has surged in response to the arrest of Telegram CEO Pavel Durov by French authorities. Dubbed #FreeDurov or #OpDurov, the campaign aims to pressure French authorities into releasing Durov, with numerous hacking groups targeting French organizations using distributed denial-of-service (DDoS) attacks.

Check Point Research has highlighted key hacktivist groups participating in this campaign, each with their own agendas and attack methods.

In response to the arrest of Telegram CEO Pavel Durov by French authorities, a new hacktivist campaign, #FreeDurov, has emerged. This campaign has seen various hacking groups launching coordinated DDoS attacks against French websites. Check Point Research highlights the key players and their activities in this escalating cyber campaign.

Key Events

August 24, 2024: The campaign began as hacktivist groups mobilized to protest Durov’s arrest. Several groups quickly joined forces, using DDoS attacks to target French digital infrastructure.

Following Days: Over 50 French websites were targeted by these hacktivists, disrupting services and drawing attention to their cause.

Prominent Groups Involved

1. Cyber Army of Russia Reborn (CARR)

Formed in March 2022 amidst the Russia-Ukraine conflict, CARR is known for its DDoS attacks against targets in Ukraine and its allies. The group, linked to Russia's military intelligence, announced its participation in #FreeDurov on August 24, 2024. Targets included:

• ansm.santre.fr (August 25)
• fibre.sayne.fr (August 26)
• echr.coe.int (August 26, in collaboration with CyberDragon)

Interestingly, CARR removed posts about these attacks after September 2, 2024, despite its usual practice of publicizing its activities.

2. RipperSec

Established in June 2023, RipperSec has previously targeted organizations in Israel, the U.S., and India. Known for its DDoS tool, MegaMedusa, the group initially announced a shutdown of operations but reversed this decision in response to Durov’s arrest. RipperSec’s targets included:

• pricebank.fr (August 25)
• boursedeparis.fr (August 26)
• justice.gouv.fr (September 2)

3. EvilWeb

A newer group founded in March 2024, EvilWeb engages in both DDoS and data leak operations. With a smaller membership, it joined #FreeDurov on August 25, 2024, targeting sites like:

• service-public.fr (August 25)
• justice.gouv.fr (August 25, with partial data leaks)

4. CyberDragon

Created in September 2023, CyberDragon supports the Russian perspective and previously targeted Ukrainian and NATO entities. The group joined the #FreeDurov campaign on August 26, 2024, and attacked:

• coe.int (August 26)
• greffe-tc-paris.fr (August 26)

5. UserSec

Operating since at least 2022, UserSec focuses on NATO member states. On August 25, 2024, the group announced support for #FreeDurov and targeted French sites such as:

• courdecassation.fr (August 25)
• axa.com (August 27)

6. Stucx Team

A Malaysian group established in March 2023, Stucx Team previously targeted entities in India and Israel. They joined #FreeDurov on August 26, 2024, attacking:

• reseau-chaleur-chalons.fr (August 26)
• alombre.fr (August 27)

Conclusion

The arrest of Pavel Durov has sparked a significant hacktivist response, with a range of groups targeting French websites in the #FreeDurov campaign. Motivations vary, with some groups expressing concern over the operational safety of Telegram and others framing the arrest as a threat to digital freedom. As Durov remains in custody, the campaign's intensity may fluctuate based on further actions by French authorities