Full Report
H8Core is a Russian fashion brand that sells clothing items glorifying far-right ideology and the Russian mercenary group Wagner. Its products – which include t-shirts, caps and hoodies – have been cross-promoted on a variety of pro-Wagner and far-right Russian channels. They have even been held aloft by senior figures in the neo-Nazi Wagner paramilitary […] The post Unmasking Maskov: How Bellingcat Found a Man Outfitting Russian Neo-Nazis appeared first on bellingcat.
Analysis Summary
# Threat Actor: Roman Morin (H8Core Admin)
## Attribution & Identity
**Threat Actor:** Roman Vasilyevich Morin (38, from Stavropol, Russia).
**Known Aliases/Roles:** Identified as the operator behind the H8Core brand, referred to as "Uncle Roma" by associates. Former Wagner fighter. Admin of the Telegram group "White Uncles in Africa."
**Associated Groups:** Directly affiliated with the Russian mercenary group Wagner and the neo-Nazi paramilitary group Rusich (Alexey Milchakov/Serb).
## Activity Summary
Morin operates the far-right clothing brand H8Core, which sells merchandise glorifying far-right ideology and the Wagner Group. H8Core was founded in 2014. The brand promotes its wares across social media, including VK.com (23,000+ subscribers) and Telegram (3,000+ subscribers). Morin coordinates sales and promotion through the popular Telegram channel "White Uncles in Africa" (77,000+ subscribers), which sells merchandise collaborating with H8Core. Morin recently delivered "combat kits" to Alexey Milchakov ("Serb"), commander of the sanctions-listed Rusich group. The brand uses merchandise to foster awareness and likely fund its activities within the Russian far-right and pro-Wagner ecosystem.
## Tactics, Techniques & Procedures
- **T1547.001 (Boot or Logon Auto-start Execution):** Inferred historical use of online platforms (VK.com, Telegram) for rapid distribution and initial sales.
- **T1598.003 (Phishing for Information - Social Media):** Leveraged social media activity, including posts showing tattoos and shared clothing items, for identification by investigators.
- **T1591.002 (Influence/Propaganda):** Use of clothing retail to spread far-right ideology, commemorate convicted/assassinated neo-Nazis (like Tesak and Yuriy Budanov), and glorify Wagner's actions (including the 2017 execution video from Syria).
- **T1560.001 (Archive via Obfuscation):** Deletion of specific content, such as an unedited video of the 2022 Buffalo shooting, from their Telegram channel post-publication.
## Targeting
- **Sectors:** Primarily targets adherents of Russian far-right ideology, "Russian patriots," and supporters/members of the Wagner Group and associated military units like Rusich. The nature of the brand suggests an operational focus on influence rather than financial targeting in the traditional sense.
- **Geography:** Origin and primary audience appear to be based in Russia, although promotion extends globally through social media channels.
- **Victims:** While not engaging in direct cyberattacks, the content shared (e.g., Buffalo shooting video) targets specific demographic groups for ideological motivation. The brand commemorates figures involved in extremist violence and war crimes.
## Tools & Infrastructure
- **Malware Families Used:** None explicitly mentioned in the context of cyber operations.
- **Infrastructure (C2, domains, IPs):**
- Primary sales and communication channels: VK.com and Telegram.
- Contact email associated with H8Core YouTube page was used for identification.
- White Uncles in Africa Telegram channel (promotes H8Core).
## Implications
Morin represents the intersection of cyber-enabled influence operations, ideological extremism (far-right/neo-Nazi), and mercenary military operations (Wagner/Rusich). The use of retail, driven by social media acceleration (as seen in the massive growth of the White Uncles in Africa channel), demonstrates a professionalized strategy for disseminating pro-war and extremist narratives while potentially self-funding activities within the pro-Kremlin, ultra-nationalist sphere. This highlights the blurred lines between online activism/retail and tangible support for sanctioned military entities.
## Mitigations
- **Monitor Pro-Military/Extremist Merchandise Retail:** Organizations should monitor platforms (e.g., social media, e-commerce) used by domestic and foreign extremist groups for fundraising or ideological promotion.
- **Social Media Account Correlation:** Correlate online aliases, especially those using consistent imagery (tattoos, known associates) across different platforms (VK, Telegram) to identify key influencers.
- **Monitor Nexus with Sanctioned Groups:** Pay close attention to online figures transacting or coordinating (even by delivering physical goods/kits) with known sanctioned entities like Wagner or Rusich commanders.
- **Digital Due Diligence:** Be aware that operators claiming activities are "just a hobby" (Morin's claim) often hide significant ideological or financial motivations.