VYPR
breach · Published Jun 11, 2026 · 2 sources

Russian Hacker Denis Obrezko Charged in U.S. for Void Blizzard Cyberespionage Campaign

Denis Obrezko, a 36-year-old Russian national linked to the state-sponsored threat group Void Blizzard, has been charged in the U.S. for supporting a cyberespionage campaign targeting American companies.

A Russian national with suspected ties to the Kremlin-linked hacking group Void Blizzard appeared in federal court in Boston this week on charges of supporting a state-sponsored cyberespionage campaign that targeted U.S. companies, according to media reports. Denis Obrezko, 36, made his initial appearance after being extradited from Thailand, where he was arrested in November 2025 during a joint operation with the FBI on the resort island of Phuket. The charges, unsealed by the U.S. Justice Department, allege that Obrezko provided critical infrastructure to Void Blizzard, enabling the group to gain unauthorized access to computer networks for espionage purposes.

Void Blizzard, also known as APT29 or Cozy Bear, is a Russian state-sponsored threat actor that has been active for years, targeting government agencies, defense contractors, transportation companies, media organizations, healthcare providers, and NGOs across Europe and North America. The group typically uses purchased or stolen credentials to infiltrate networks and steal emails and internal documents. According to an FBI affidavit filed in the case, investigators have identified at least 11 U.S. companies that were compromised, though authorities believe the actual number of victims is significantly higher.

Prosecutors allege that Obrezko helped Void Blizzard by providing infrastructure used to support the group's cyber operations. Specifically, cryptocurrency transactions linked to him were used to purchase a virtual private server and an internet domain that facilitated attacks against organizations in the United States and other countries. The indictment details how Obrezko's actions directly supported the group's ability to conduct espionage campaigns, making him a key enabler of the threat actor's activities.

Thai authorities arrested Obrezko in early November during a joint operation with the FBI on the resort island of Phuket. Investigators raided his hotel room, seizing laptops, mobile phones, and cryptocurrency wallets. Russian diplomats later visited Obrezko in detention and sought his return to Russia, while Moscow separately placed him on an international wanted list earlier this year. The extradition process was completed in June 2026, bringing Obrezko to face charges in the United States.

Russian state media previously reported that Obrezko is a native of the southwestern Russian city of Stavropol and had worked for Russian technology companies developing high-tech systems for domestic industries. This background aligns with the profile of many individuals recruited by state-sponsored hacking groups, who often have technical expertise and connections to the Russian tech sector.

The case highlights the ongoing efforts by U.S. law enforcement to disrupt state-sponsored cyber operations and hold individuals accountable for their roles in these campaigns. The Justice Department, which is prosecuting the case, has not commented on the specifics of the charges. Obrezko reportedly remains in custody as the case moves forward.

Researchers have described Void Blizzard as a relatively new threat group operating in support of Russian government interests. The group's activities have been closely monitored by cybersecurity firms and government agencies, who have documented numerous campaigns targeting critical infrastructure and sensitive data. The arrest and extradition of Obrezko represent a significant step in countering these threats, though experts caution that many more individuals remain involved in such operations.

The broader context of this case underscores the persistent threat posed by state-sponsored cyberespionage groups, particularly those linked to Russia. As geopolitical tensions continue to drive cyber operations, law enforcement actions like this one serve as a deterrent and a signal that the United States will pursue those who facilitate such attacks, regardless of where they are located.

The newly unsealed FBI affidavit provides granular technical details on Void Blizzard's operational tradecraft, revealing that the group relied on stolen session tokens to bypass re-authentication and used a US-based commercial proxy service to mask connection origins. Investigators confirmed intrusions at 11 US companies, a figure described as likely a fraction of the total victim count, and identified typosquatted domains such as miscrsosoft[.]com and micsrosoftonline[.]com linked to the group's infrastructure. The affidavit also corroborates Microsoft's earlier reporting on the group's bulk cloud email theft and spear-phishing campaigns targeting over 20 NGOs in Europe and the US.
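A defender can screen DNS or proxy logs for lookalike domains of the kind named above. The sketch below is an added example, not taken from the affidavit or from any vendor tooling. The watchlist, the distance threshold, the naive label extraction and every sample hostname other than the two domains quoted in the article are assumptions.

```python
# Added example: flag hostnames whose registrable label is a near miss of a
# protected name, using optimal string alignment (edit) distance.
PROTECTED = ("microsoft", "microsoftonline")  # assumed watchlist of protected names


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Label left of the TLD. Assumption: single-label suffixes only (no co.uk)."""
    labels = host.lower().replace("[.]", ".").rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def find_lookalikes(hosts, protected=PROTECTED, max_distance=2):
    """Return (host, closest protected name, distance) for near misses."""
    hits = []
    for host in hosts:
        label = registrable_label(host)
        if label in protected:
            continue  # exact match is the genuine name, not a lookalike
        brand, dist = min(((p, osa_distance(label, p)) for p in protected),
                          key=lambda pair: pair[1])
        if dist <= max_distance:
            hits.append((host, brand, dist))
    return hits


# First two entries are quoted (defanged) from the article; the rest are constructed.
SAMPLE_HOSTS = [
    "miscrsosoft[.]com",
    "micsrosoftonline[.]com",
    "login.microsoftonline.com",
    "www.microsoft.com",
    "contoso.com",
]

if __name__ == "__main__":
    for host, brand, dist in find_lookalikes(SAMPLE_HOSTS):
        print(f"{host}: {dist} edit(s) from {brand}")
```

In production the label extraction would use a public-suffix list, and the threshold would be tuned against the organisation's own traffic to keep false positives manageable.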

Synthesized by Vypr AI