Russian national charged in connection with Void Blizzard espionage campaign

Federal prosecutors have charged a Russian national with conspiracy to commit unauthorized computer access in connection with a sprawling cyber-espionage campaign linked to the Russia-aligned threat group Void Blizzard, according to a criminal complaint filed in federal court this week.

Denis Nikolayevich Obrezko, a Russian citizen, is accused of breaking into systems owned by companies in the United States and elsewhere, according to an FBI affidavit unsealed Tuesday. Investigators allege Obrezko facilitated the campaign by purchasing a virtual private server and domain names used in attacks targeting businesses, educational institutions, and other organizations.

The charges come roughly a year after Microsoft publicly identified Void Blizzard — which it also tracks as Laundry Bear — as a state-sponsored Russian threat group conducting large-scale espionage operations against government agencies, defense suppliers, and critical infrastructure providers across NATO member states, Ukraine, and beyond. Dutch intelligence and security services separately confirmed in May 2025 that the group had infiltrated the Netherlands’ national police force in September 2024, stealing work-related contact information on police staff.

The FBI affidavit describes a methodical but largely unsophisticated operation. Investigators say Void Blizzard primarily relied on stolen session tokens to authenticate to victim accounts without triggering re-authentication requirements, then used a U.S.-based commercial proxy service to mask the connection’s location. The group typically routed traffic through a VPN before selecting proxy IP addresses in the same region as a target, allowing it to bypass geographic firewall restrictions.

From June-July 2024, the FBI received tips from a foreign partner and a U.S.-based private-sector firm identifying several American companies being targeted by the emerging group. Investigators subsequently verified intrusions at 11 U.S. companies, a figure the affidavit describes as likely a fraction of the total victim count nationwide.

Void Blizzard’s methods, while not technically advanced, have proven broadly effective. Microsoft researchers noted in 2025 that the group’s success illustrates the sustained risk posed by even basic intrusion techniques when applied at scale. The group has been observed harvesting bulk email and files from compromised cloud environments, accessing Microsoft Teams conversations, and cataloging Microsoft Entra ID configurations to map organizational structures.

In April 2025, Microsoft identified a separate spear-phishing campaign attributed to Void Blizzard that targeted more than 20 non-governmental organizations in Europe and the United States, using typosquatted domains to spoof Microsoft authentication pages. The affidavit corroborates that activity, identifying domains such as miscrsosoft[.]com and micsrosoftonline[.]com registered through accounts connected to the same infrastructure used by the group.

Obrezko appeared in court Tuesday and agreed to be taken into custody while awaiting trial.

You can read the affidavit below.