Royal Thai Police headquarters in Bangkok. Image: Chainwit. / Wikimedia Commons / CC BY-SA 4.0

Russian suspect detained in Thailand is allegedly tied to Void Blizzard group

A suspected Russian hacker arrested in Thailand earlier this month is reportedly linked to a relatively new Kremlin-aligned threat actor that has targeted government and critical infrastructure networks across Europe and North America, according to media reports.

Thai police last week confirmed the detention of a “world-famous hacker” wanted by the United States for cyberattacks on government agencies. Russian state-controlled outlet RT later identified the suspect as 35-year-old Denis Obrezko, a Stavropol native who previously worked for major Russian IT firms “developing high-tech systems for domestic industries.”

Obrezko was detained on November 6 in a joint operation involving the FBI and Thai police, according to local media reports citing law enforcement. Officers raided his hotel room on the resort island of Phuket just a week after he arrived in the country. They seized laptops, mobile phones and digital wallets. 

According to reports last week, the suspect was being held in Bangkok following his arrest, pending extradition to the United States. His family has acknowledged the arrest and said they are seeking legal representation in an effort to block his transfer to American authorities, according to RT. Russia’s embassy in Bangkok has also demanded consular access.

Thai officials have not publicly named the suspect, but local police sources told CNN that Obrezko is allegedly a member of Void Blizzard, also known as Laundry Bear — a Russia-affiliated threat actor first detailed by Microsoft earlier this year.

A newer Blizzard

In a May report, Microsoft described Void Blizzard as a relatively new espionage advanced persistent threat (APT) group operating in support of Russian government interests. (The company labels Russia-linked groups with “Blizzard.”) The hackers have targeted organizations across government, defense, transportation, media, NGOs and healthcare, with a particular focus on Europe and North America.

According to Microsoft, Void Blizzard typically uses purchased or stolen credentials to infiltrate networks and exfiltrate large volumes of emails and internal documents.

In September 2024, Dutch intelligence services said Void Blizzard had breached several Dutch organizations, including the national police, and stolen “work-related contact information.”

“The threat actor’s prolific activity against networks in critical sectors poses a heightened risk to NATO member states and allies to Ukraine in general,” Microsoft said.

Daryna Antoniuk

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.