
62IX and HKVD, the digital shadow behind critical infrastructure breaches

Service Com'
Read 7 minutes ago


On Telegram, two collectives claim to have infiltrated vital infrastructures in the United States, South Korea, and Italy. Behind the announcement lies a blend of propaganda and marketing.

In a message published on Telegram, 62IX GROUP and HKVD claim to have compromised sensitive systems in energy, telecom, and logistics across America, Asia, and Europe. The hackers name Amazon, Verizon, Korea Telecom, and Fastweb, asserting they gained access to BGP configurations, industrial scripts, and IoT data. The announcement, peppered with ideological slogans, morphs into an advertisement for tools called EVM-1000, EVM-1500, and EVM-3000, as well as a hacking course on infrastructure. What follows is a breakdown of this explosive mix of influence operations and the gray economy of cybercrime.

When staging becomes a weapon of war

It begins with a message posted on a Telegram channel, where the codes of digital agitprop merge with warlike and religious symbols. The authors present themselves as “digital militiamen” rather than simple hackers. They claim to have breached critical networks in the United States, South Korea, and Italy. The announcement leans on apparent precision: named cities, identified providers, technical jargon that lends a veneer of credibility. Amazon and Verizon for America, Korea Telecom for Asia, Fastweb for Europe. The alleged targets point to strategic sectors: energy, telecommunications, logistics.

The narrative is tightly scripted. They mention “Cisco and Juniper router configurations” allegedly granting access to BGP sessions. They also refer to “turbine and pump control scripts,” as if holding the keys to critical industrial processes. The text highlights the recovery of “telemetry data” from urban IoT devices, suggesting invisible control over smart cities. Everything is calibrated to sow doubt, attract attention, and give credibility to an action with no tangible proof.

This type of staging is not new. For years, Telegram has served as a theater stage for groups claiming political or military causes. The aim is not just to announce an intrusion but to build an image, impose a narrative, and shape a war of perception. What stands out here is how naturally the announcement pivots to a commercial logic.

A commercial operation disguised as an exploit

After painting this alarming picture of supposed intrusions, the authors reveal another side: self-promotion. The tools allegedly used are branded in-house products, named EVM-1000, EVM-1500, and EVM-3000. Marketed as “non-resident stealers,” they are presented as discreet and efficient. No technical details are provided, but the names alone create brand effect. They mirror the marketing playbook of legitimate software: a product line, nomenclature evoking robustness and industrial scale.

Then comes the final offer, almost like an ad. Readers are invited to enroll in an “infrastructure pentest course,” taught by one of the figures spotlighted in the message. And like any online promo, a discount is offered, valid until September 1, the so-called “Knowledge Day.” The operation is wrapped in propaganda but follows the classic mechanics of underground commerce: attract, intrigue, reassure, and convert attention into revenue.

This hybridization of power narrative and sales strategy is not unique. Many collectives now leverage the visibility of geopolitical tensions to sell services or tools. Patriotic or ideological discourse serves as a storefront, while real transactions unfold in the shadows, through private channels, cryptocurrency, and encrypted contacts. The martial rhetoric is as much about intimidating opponents as about seducing potential clients.

Between real threat and digital theater

One central question remains: are these intrusions real, or pure staging? The clues provided yield no usable proof. No identifiable configuration excerpts, no technical artifacts, no verifiable data. Quoting an AS number (like Amazon or Verizon) is insufficient to prove compromise, given these infrastructures cover millions of systems and flows. Talking about turbine or pump scripts sparks the imagination, but without samples or context, it is suggestion rather than demonstration.

Yet the message’s effectiveness lies precisely in this ambiguity. Cybersecurity professionals know that interconnections between cloud, IoT, and industrial systems create very real attack surfaces. Vulnerabilities exist, precedents too: telecom data leaks, unauthorized access to OT environments, hijacked BGP flows already observed. The narrative spun by 62IX and HKVD leans on these known weaknesses to appear plausible, while withholding anything independently verifiable.

In the end, this campaign illustrates the porousness between three dimensions. First, digital activism, where claims assert political or military posture. Second, economic cybercrime, where visibility serves as a springboard to sell tools or services. Third, influence operations, where narrative shapes the perception of technological power balance. These three registers overlap, blurring lines between real threat and communication warfare.

In this context, the most pragmatic attitude is to treat such claims as weak signals: neither dismissing them outright as pure invention, nor embracing them as established truth. The task is to demand technical proof, monitor network indicators that could confirm diversion, and reinforce defenses on the segments explicitly named—if only to blunt the communicational effect.
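One concrete form of "monitoring network indicators that could confirm diversion" is to compare what route collectors see announced for your prefixes against the origin ASNs you expect, in the spirit of an RPKI ROA. The script below is an added example for this article, not code from ZATAZ or from the groups it describes: the prefixes, ASNs and collector names are constructed sample data, and the observation lines stand in for what a defender would pull from a looking glass or a route collector feed. It flags two things a claim like "we hold BGP sessions at AS X" would have to produce to be believable: a prefix originated by an unexpected AS, and a more-specific announcement that would attract traffic away from the legitimate route.

```python
"""Added example (not from the ZATAZ article): check observed BGP origin
announcements against the origins a network operator expects for its prefixes.

All ASNs (private range 64500-64666), prefixes (documentation ranges) and
collector names below are constructed sample data, not real routing content.
"""
import ipaddress
from dataclasses import dataclass

# Expected origins, ROA-style: prefix -> (authorised origin ASN, max prefix length).
# Constructed values for the example.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
}

# Constructed observations, one per line: "<prefix> <origin_asn> <collector>".
OBSERVATIONS = """\
203.0.113.0/24 64500 rrc00
203.0.113.0/24 64666 rrc01
198.51.100.0/22 64501 rrc00
198.51.100.128/25 64501 rrc03
198.51.100.0/24 64666 rrc02
192.0.2.0/24 64502 rrc00
"""


@dataclass(frozen=True)
class Anomaly:
    prefix: str
    origin: int
    collector: str
    reason: str  # "origin-mismatch" or "too-specific"


def parse_observations(text):
    """Parse the collector dump into (network, origin ASN, collector) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, asn, collector = line.split()
        rows.append((ipaddress.ip_network(prefix, strict=True), int(asn), collector))
    return rows


def classify(prefix, origin, expected):
    """Return None if the announcement matches an expected origin, else a reason.

    A prefix we do not own is ignored (nothing to compare against).
    """
    covering = []
    for p, (asn, maxlen) in expected.items():
        net = ipaddress.ip_network(p)
        if net.version == prefix.version and prefix.subnet_of(net):
            covering.append((asn, maxlen))
    if not covering:
        return None
    for asn, maxlen in covering:
        if asn == origin and prefix.prefixlen <= maxlen:
            return None  # authorised origin within the allowed length
    if any(asn == origin for asn, _ in covering):
        return "too-specific"  # right origin, but longer than allowed
    return "origin-mismatch"  # someone else is originating our space


def find_anomalies(text, expected=EXPECTED_ORIGINS):
    """Return the list of anomalous announcements found in the dump."""
    anomalies = []
    for prefix, origin, collector in parse_observations(text):
        reason = classify(prefix, origin, expected)
        if reason is not None:
            anomalies.append(Anomaly(str(prefix), origin, collector, reason))
    return anomalies


def summarize(anomalies):
    """Group anomalies by reason for a quick triage view."""
    summary = {}
    for a in anomalies:
        summary.setdefault(a.reason, []).append(f"{a.prefix} via AS{a.origin} ({a.collector})")
    return summary


if __name__ == "__main__":
    for reason, items in summarize(find_anomalies(OBSERVATIONS)).items():
        print(reason)
        for item in items:
            print("  ", item)
```

Run against a real collector dump, a hit for "origin-mismatch" on a prefix you announce is the kind of evidence a hijack claim should be able to point to; its absence across several vantage points is a good reason to file a Telegram boast under weak signals.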

The strength of these narratives lies in their ability to instill doubt. They feed on real vulnerabilities but often stop at suggestion. And as long as critical infrastructures retain known and documented weaknesses, the ground remains fertile for this blend of threat, staging, and underground marketing.

How can we counter narratives that exploit plausible vulnerabilities without proof, while avoiding disclosure of technical information that attackers could later weaponize? [ZATAZ News English version]


