In September 2024, Dutch cybersecurity experts discovered that someone had burrowed into the computer systems of the National Police Force and accessed the email account of a police employee.
The intruder, or group, had used a stolen cookie — a piece of data temporarily stored on a user’s device by web browsers — to access the person’s electronic address book.
That meant the intruder had access to all the contacts in the person’s email; including potentially all 64,000 employees of the police force, not to mention possibly names of sources or informants used by the police.
For the first time, “the Netherlands had fallen victim to deliberate cyber sabotage by a Russian-backed group,” the country’s military intelligence agency concluded in a report. The group, which was later given the nickname Laundry Bear “has proved particularly successful.”
“It blew up in the media. It caused a lot of unrest” among Dutch lawmakers, security agencies, and the wider public, said Bart van den Berg, who was lead intelligence analyst and crisis manager at the government National Cyber Security Center. “It was a sensitive issue.”
Fast forward two years, Denis Obrezko, a 35-year-old IT programmer from the central Russian region of Samara, was detained on November 6 by Thai police on a US arrest warrant. In his hotel room in the resort city of Phuket, police seized Obrezko’s laptop, mobile phone, and a digital wallet.
Last week, about a month after he was extradited, Obrezko appeared in federal court in Boston for the first time, where he pleaded not guilty to hacking nearly a dozen US companies and government agencies. He faces up to 10 years in prison.
The arrest – and extradition – of Russian hackers on US warrants around the world used to be a common occurrence. Authorities in Moscow at one point accused the US of “hunting” Russian citizens.
It’s been less common in the past five years — one of the reasons that Obrezko’s case is unusual. What’s also unusual: Obrezko used to work for Russia’s main intelligence agency, the Federal Security Service, or FSB. And the private company he was working for at the time of the alleged hacks was reportedly linked to another former FSB officer.
He also may have been careless.
“I mean, what was he thinking going to Thailand?” van den Berg said. “These guys risk getting arrested when they’re outside of Russia.”
“Something in his Russian criminal calculus went wrong,” he added. “Or he underestimated Western intelligence. Or he overestimated his protection” from the Russian state.
“Mr. Obrezko has entered a not guilty plea and intends to defend the case vigorously in court, both legally and factually,” defense lawyer Maksim Nemtsev said. “Because the case is pending, we do not believe it is appropriate to litigate the facts in the press.”
Local Business
About three years before the Dutch police system was hacked, the organization founded by the late Russian anti-corruption crusader Aleksei Navalny reported that more than half a million email addresses used to register with Navalny’s organization had been stolen. Many of those whose e-mails were stolen later reported receiving threatening messages.
The effort involved someone setting up fake domain names — intentionally misspelled websites that look similar to a real one — and then using that to send e-mails. Sometimes, they included virus-infected messages.
A 2021 investigation by Current Time traced an e-mail address to a series of fictitious domains used to harass businesses in Samara, a Volga River region in central Russia.
The domains were linked to a businessman named Mikhail Dudin, who reportedly partnered with a former FSB officer from the region named Pavel Seleznev. Neither Dudin nor Seleznev could not be located for comment.
Dudin’s name appears in a database used by GetContact, a popular app that helps people screen phone calls. The app allows users to cross-search a phone number with other numbers and account names.
According to Current Time, Dudin’s account in GetContact appears under the nickname “Ethan Hunt” — a reference to the lead character in the Mission: Impossible action films.
One of Dudin’s companies was called Yutek-NN, which describes itself as employing “cutting-edge technology, innovative concepts, and creative design.” The company was licensed to sell specialized technical equipment designed for covert information acquisition, a license that is normally issued by the FSB.
According to US court filings, Obrezko was the deputy director of Yutek, which he joined in 2023.
‘Your Mission, Should You Choose To Accept’
An account on the Russian social media platform VK indicates that Obrezko graduated from Bauman University, a Moscow technical school that was identified by a consortium of media outlets as a training ground for government hackers.
Prior to joining Yutek, Obrezko worked for the FSB between 2012 and 2017, according to an FBI affidavit unsealed at the time of his extradition. It was unclear what he did for them.
According to Reuters, Obrezko worked for Kaspersky Lab, a well-known Moscow antivirus developer before joining Russia’s Emergency Situations Ministry; in 2021, he was a guest speaker at an event hosted by the Moscow Technical University of Communications and Informatics. He was identified as the deputy director of the ministry’s information and analytical center.
In June and July 2024, prior to the discovery of the Dutch police service intrusion, the FBI was notified by a US-based private sector partner — believed to be Microsoft — that US and European companies and government agencies were being targeted.
Yutek employees stole e-mails from “various NATO aligned government agencies throughout Europe, and from other organizations supportive of Ukraine’s continued resistance of the Russian invasion,” according to the affidavit.
Yutek “conducted these cyberespionage operations at the behest of the Russian government.”
According to the affidavit, FBI investigators traced the fictitious e-mails to another set of e-mails — and then to a series of cryptocurrency transactions in 2024 and 2025. One of the transactions traced back to an Internet provider in Samara.
Ultimately, investigators said they found that the e-mail address used for the cryptocurrency transactions was directly linked to another Google e-mail under Obrezko’s real name.
That same Google e-mail was used to register several social media accounts — including X and Instagram — and a PayPal account, which also used the same cell phone number, identified as Obrezko’s, and listed Obrezko’s date of birth.
The same username and photograph was also used for several social media accounts, including Instagram.
On May 27, 2025, the Dutch government publicly identified the hackers as “a Russian state-supported threat actor,” and dubbed the group Laundry Bear. A Microsoft report released the same day called the group Void Blizzard.
Neither the Dutch report nor Microsoft, however, identify specific individuals, or even specific companies involved in the hack.
Hours after the release of the Microsoft report, according to the FBI affidavit, Obrezko e-mailed “Ethan Hunt” — whom the FBI calls an “unidentified co-conspirator” — to meet up later that day.
Where Obrezko screwed up, said Alexander Leslie, senior adviser at Recorded Future, a US-based cyberresearch organization, is by reusing a username and his Russian cell number across different e-mail and social media accounts.
“The FBI does not appear to have identified him through one catastrophic mistake. Investigators gradually assembled a chain of mutually reinforcing evidence from a series of smaller operational failures,” he said.
A hacker “can be highly effective at gaining access, stealing information, and evading detection,” Leslie said, “yet be less effective at protecting his identity during a long-term counterintelligence investigation.”
Hunt For Hackers
It’s not clear exactly what Obrezko was doing in Thailand when he arrived there on October 31 last year.
Up until 2021, the arrest of Russian citizens alleged to have committed cybercrimes by US authorities occurred regularly around the world, which Moscow complained vocally about.
In October 2016, a Russian named Yevgeny Nikulin was arrested as he entered the Czech Republic. Wanted for engineering a hack of social media company LinkedIn, Nikulin was sentenced to seven years in a US prison in 2020, and deported to Russia three years later.
In March 2021, Vladislav Klyushin, an IT entrepreneur linked to the Kremlin, was arrested in Switzerland, accused of using hacked press releases to make stock trades. US authorities tied him to a Russian military intelligence officer charged with hacking Democratic Party computers in 2016.
Sentenced to nine years in prison, Klyushin was released in 2024 and sent back to Russia as part of a major prisoner swap that included Americans held in Russian prisons.
In 2021, a series of cyberattacks involving ransomware — where hackers use malicious viruses to lock computer systems, unlocking them in exchange for ransom payment — targeted hospitals, software companies, meatpackers, and other companies in the United States.
US authorities said the ransomware — called REvil — was run out of Russia.
After President Joe Biden directly warned Russian leader Vladimir Putin to crack down on the problem in July 2021, the FSB conducted widespread raids on alleged members of the group in Moscow and elsewhere. The agency said it was done at the request of US authorities.
For researchers and investigators, the persistent problems with Russian cybercrime stem from the blurred lines between criminal groups and intelligence agencies like the FSB.
“It would be very Western-minded to assume in Russia there are clear distinctions [between] what is state and what is criminal,” van den Berg said.
Russian cybercriminals also tend to operate with the understanding that as long as they’re not targeting individuals or companies or government agencies in Russia, they have free rein, Western experts say.
In the example of the Dutch attack, van den Berg said, a regular cybercriminal might try to extort money from a targeted person, or blackmail them, or try some commercial transaction.
That didn’t happen here.
“Are we witnessing a criminal attack or a business model? As the business model is unclear, you might wonder who pays the guy?” van den Berg said. “Does he sell stolen data to the state or has he been directly employed by it? If that turns out to be the case, there is a level of state involvement in the entire case.”

