US Charges Russian Hacker for Facilitating Void Blizzard Cyber Espionage Campaign

Severity: High (Score: 73.2)

Sources: Independent, Globalbankingandfinance, Cyberscoop, Channelnewsasia

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: suspected, russian, hacker, facilitating, campaign, charges, cyber

Summary

Denis Obrezko, a 36-year-old Russian national, was arrested in Thailand and extradited to the US, where he faces charges for facilitating a cyber espionage campaign linked to the group Void Blizzard. This group has targeted numerous US companies and organizations since at least April 2024, employing methods such as mass email harvesting and exploiting stolen session tokens. The FBI has identified at least 11 US companies that were hacked, with the actual number of victims believed to be much higher. Obrezko is charged with conspiracy to commit unauthorized access to protected computers and is currently held without bond. The campaign has been linked to broader Russian government objectives, and Microsoft had flagged Void Blizzard as a significant threat in May 2025.

Key Points:

  • Denis Obrezko charged with facilitating cyberattacks by the Russia-aligned group Void Blizzard.
  • Void Blizzard has targeted at least 11 US companies, primarily through mass email harvesting.
  • The group has been active since April 2024, focusing on organizations critical to Russian government interests.

Detailed Analysis

**Impact** At least 11 U.S. companies across multiple business sectors have been compromised, with the total number of victims believed to be significantly higher. Targeted sectors include government, defense, transportation, media, healthcare, and non-governmental organizations primarily in NATO member states and Ukraine. The campaign involved mass email harvesting and unauthorized access to cloud environments, risking exposure of sensitive organizational data, Microsoft Teams conversations, and internal configurations.

**Technical Details** Void Blizzard employed stolen session tokens to access victim accounts without triggering re-authentication and used VPNs combined with U.S.-based commercial proxy services to bypass geographic restrictions. The group registered typosquatted domains such as miscrsosoft[.]com and micsrosoftonline[.]com for spear-phishing campaigns targeting over 20 NGOs. Infrastructure included virtual private servers and domain names purchased via cryptocurrency transactions linked to Denis Obrezko. The attack chain focused on initial access through phishing and token theft, followed by data harvesting from cloud services.

**Recommended Response** Organizations should monitor for suspicious login activity involving stolen session tokens and enforce multi-factor authentication to prevent unauthorized access. Block and investigate access from known Void Blizzard infrastructure, including identified typosquatted domains and proxy IP ranges. Enhance email filtering to detect phishing attempts using spoofed Microsoft authentication pages. Continuous monitoring of cloud environment configurations and Microsoft Entra ID logs is advised to detect lateral movement and data exfiltration.
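The typosquat check recommended above can be run over hostnames pulled from mail or proxy logs. The following is an added example, not code from any of the cited sources: it flags hosts whose registrable label sits within a small edit distance of a protected brand label. The `PROTECTED` list, the threshold of 2, and the sample hosts (other than the two lookalike domains quoted on this page) are assumptions.

```python
# Added example: lookalike-domain triage using optimal string alignment distance.
# Labels to protect; these are the brands the page's lookalike domains imitate.
PROTECTED = ("microsoft", "microsoftonline")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent swap ("cr" typed as "rc") counts as a single edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def registrable_label(host):
    """Undo defanging and return the label left of the TLD.
    Assumption: single-label TLDs; use a public-suffix list for co.uk-style names."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_lookalikes(hosts, max_distance=2):
    """Return (host, imitated_brand, distance) for near-miss labels.
    Distance 0 is the genuine label and is never flagged."""
    hits = []
    for host in hosts:
        label = registrable_label(host)
        scored = [(osa_distance(label, brand), brand) for brand in PROTECTED]
        dist, brand = min(scored)
        if 0 < dist <= max_distance:
            hits.append((host, brand, dist))
    return hits

# Constructed sample of hostnames as they might appear in mail or proxy logs.
# The two defanged lookalikes are the ones named on this page.
SAMPLE_HOSTS = [
    "login.microsoftonline.com",
    "miscrsosoft[.]com",
    "example.org",
    "micsrosoftonline[.]com",
]

if __name__ == "__main__":
    for host, brand, dist in find_lookalikes(SAMPLE_HOSTS):
        print(f"{host}: imitates '{brand}' (distance {dist})")
```

A threshold of 2 suits labels of this length; shorter brand names need a tighter threshold to keep false positives manageable.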

Source articles (4)

  • US charges suspected Russian hacker with facilitating cyber campaign — Channelnewsasia · 2026-06-10
    BOSTON, June 10 : A suspected Russian hacker is now in U.S. custody following his arrest in Thailand last year and has been charged with facilitating a campaign of cyberattacks carried out by a Russia…
  • US charges suspected Russian hacker with facilitating cyber campaign — Globalbankingandfinance · 2026-06-10
    BOSTON, June 10 (Reuters) - A suspected Russian hacker is now in U.S. custody following his arrest in Thailand last year and has been charged with facilitating a campaign of cyberattacks carried out b…
  • US hunts down Russian 'Void Blizzard' hacker in Thailand raid — Independent · 2026-06-11
    A suspected Russian hacker has been extradited from Thailand to the United States, where he faces charges for allegedly facilitating a widespread cyberattack campaign that victimized numerous American…
  • Russian national charged in connection with Void Blizzard espionage campaign — Cyberscoop · 2026-06-11
    Federal prosecutors have charged a Russian national with conspiracy to commit unauthorized computer access in connection with a sprawling cyber-espionage campaign linked to the Russia-aligned threat g…

Timeline

  • 2024-04-01 — Void Blizzard begins operations: The group starts targeting organizations in NATO member states and Ukraine, focusing on cyber espionage.
  • 2025-01-01 — FBI receives tips on Void Blizzard: The FBI begins receiving tips about the group's targeting of American companies, leading to investigations.
  • 2025-05-01 — Microsoft identifies Void Blizzard: Microsoft publicly flags Void Blizzard as a new threat group conducting cyber espionage against critical organizations.
  • 2025-09-01 — Void Blizzard infiltrates Dutch police: Dutch intelligence confirms that Void Blizzard successfully infiltrated the Netherlands’ national police force.
  • 2025-11-01 — Obrezko arrested in Thailand: Denis Obrezko is apprehended in Thailand, leading to his extradition to the US.
  • 2026-06-10 — Obrezko appears in US court: Denis Obrezko makes his initial court appearance in Boston, facing charges related to cyber espionage.

Related entities

  • Laundry Bear (APT Group)
  • Void Blizzard (APT Group)
  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Void Blizzard Espionage Campaign (Campaign)
  • Netherlands (Country)
  • Russia (Country)
  • Thailand (Country)
  • Ukraine (Country)
  • United States (Country)
  • micsrosoftonline.com (Domain)
  • miscrsosoft.com (Domain)
  • Defense (Industry)
  • Government (Industry)
  • Healthcare (Industry)
  • Media (Industry)
  • Non-governmental Organizations (Industry)
  • Transportation (Industry)
  • T1078 - Valid Accounts (MITRE ATT&CK)
  • T1090 - Proxy (MITRE ATT&CK)
  • T1566 - Phishing (MITRE ATT&CK)
  • Microsoft Entra ID (Platform)
  • Microsoft Teams (Tool)