惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
B
Blog RSS Feed
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
宝玉的分享
宝玉的分享
L
LangChain Blog
Google DeepMind News
Google DeepMind News
酷 壳 – CoolShell
酷 壳 – CoolShell
F
Full Disclosure
T
The Blog of Author Tim Ferriss
月光博客
月光博客
有赞技术团队
有赞技术团队
Last Week in AI
Last Week in AI
aimingoo的专栏
aimingoo的专栏
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Stack Overflow Blog
Stack Overflow Blog
WordPress大学
WordPress大学
MongoDB | Blog
MongoDB | Blog
小众软件
小众软件
博客园 - Franky
B
Blog
博客园_首页
C
CERT Recently Published Vulnerability Notes
Hugging Face - Blog
Hugging Face - Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
K
Kaspersky official blog
I
Intezer
P
Proofpoint News Feed
博客园 - 叶小钗
S
Schneier on Security
P
Privacy & Cybersecurity Law Blog
Recorded Future
Recorded Future
NISL@THU
NISL@THU
A
Arctic Wolf
Know Your Adversary
Know Your Adversary
C
Cyber Attacks, Cyber Crime and Cyber Security
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The Register - Security
The Register - Security
C
Cisco Blogs
大猫的无限游戏
大猫的无限游戏
S
Secure Thoughts
T
The Exploit Database - CXSecurity.com
Forbes - Security
Forbes - Security
Project Zero
Project Zero
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Cisco Talos Blog
Cisco Talos Blog
D
Docker
Blog — PlanetScale
Blog — PlanetScale
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
人人都是产品经理
人人都是产品经理

Ctrl-Alt-Intel

Wordpress Exploitation Exposure Checker Chinese actor compromises thousands of Wordpress sites South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940) Watch Guard! Qilin affiliate exploits network appliances for initial access KongTuke on compromised WordPress sites, DDOS Botnets and Cybercriminal Feuds Dissecting FudCrypt: A Real-World Malware Crypting Service Analysis Supply-Chain Attacks, TP-Link devices & a pair of socks The BuddyBoss Attack: Claude’s Supply-Chain Attack The BuddyBoss Attack: Full Incident Analysis Inside the UPMI Phishing-as-a-Service Platform FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops MuddyWater Exposed: Inside an Iranian APT operation Investigating Suspected DPRK-Linked Crypto Intrusions Diesel Vortex: Exploring connections to Russian LLCs Aeternum Loader: When your C2 lives forever Aeternum Loader: Inside the binary ErrTraffic Under the Hood: A look at the source code
Burnt by Burgers: Highlighting Void Blizzard’s Russian State Links
Ctrl-Alt-Intel · 2026-07-14 · via Ctrl-Alt-Intel

Overview

On 30 October 2025, Russian citizen Denis Obrezko landed in Phuket, Thailand. Less than a week later, Thai authorities arrested him at the request of the FBI. Obrezko has since been extradited and indicted in the United States, where he is accused of participating in the Russian state-aligned threat group Void Blizzard, also known as Laundry Bear.

Following his arrest, Moscow reportedly placed Obrezko on an international wanted list, issuing an arrest warrant. We assess this may have been intended to distance the Russian state from him by presenting Obrezko as a rogue criminal rather than a state-linked operative.

Using identifiers disclosed in FBI affidavits and indictments, Ctrl-Alt-Intel identified evidence connecting Obrezko to the Information and Analytical Center of EMERCOM of Russia, a state institution within Russia’s Ministry of Emergency Situations. Our findings indicate that this connection was active during at least 2021.

Void Blizzard Recap

Microsoft named Void Blizzard in May 2025, describing it as a Russia-affiliated threat actor conducting cyberespionage against NATO member states and Ukraine.

Working with the Netherlands’ AIVD and MIVD intelligence agencies, Microsoft tracked the group from at least April 2024. In April 2025, it observed Void Blizzard using spear phishing to steal credentials. Although its techniques were not unique, Microsoft reported that they achieved widespread success.

Microsoft also identified targeting overlaps with other Russian state actors, including GRU-aligned groups, suggesting shared intelligence-collection priorities.

Ctrl-Alt-Intel has previously exposed Moscow linked actors using phishing for espionage purposes

Indictment & Affidavits

In June 2026, US authorities released indictments and affidavits alleging that Obrezko had a history of involvement with Russian intelligence. According to the indictment, “between approximately 2012 and 2017, OBREZKO worked in an unknown capacity for […] the Federal Security Service,” or FSB.

1

FBI indictment

The indictment further alleges that, from at least 2024, Obrezko worked as deputy director of the Russian technology company Yutek-NN, which US authorities link to Void Blizzard’s operations.

Public records show that Yutek-NN holds an FSB-issued licence covering regulated surveillance-related technology.

The FBI affidavit identifies Obrezko and lists infrastructure, IP addresses, domains, email addresses and a mobile number allegedly connected to him.

1

FBI affidavits

Indicators Linked to Obrezko

Throughout the affidavit, the FBI identified three email addresses and one mobile number linked to Obrezko:

  • wisperrrrr[@]gmail.com
  • w1sper[@]mail.ru
  • denis.obrezko[@]gmail.com
  • +79263799902

These identifiers allowed Ctrl-Alt-Intel to examine breached datasets for additional evidence concerning Obrezko’s professional history and connections to the Russian state.

Denis Obrezko

Data from the 2012 VK breach contains an account associated with the email address w1sper[@]mail.ru and mobile number +79263799902:

  • Full name: Денис Wisperrrrr Обрезко (Denis Wisperrrrr Obrezko)
  • Username: wisperrrrr
  • University: МГТУ им. Баумана (Bauman Moscow State Technical University)
  • Faculty: Информатики и систем управления (Informatics and Control Systems)
  • Speciality: Информационная безопасность (Information Security)

The account listed Information Security as Obrezko’s university speciality as early as 2012. We can recover a photo of Ozbreko from his public Kaggle account:

1

Ozbreko Kaggle Profile

Ministry of Emergency Situations (EMERCOM)

Russia’s Ministry of Emergency Situations, commonly known as EMERCOM, was formally established in 1994. Its full translated name is the Ministry of Civil Defence, Emergencies and Disaster Relief of the Russian Federation:

1

EMERCOM emblem

EMERCOM contains a sub-department, ИАЦ МЧС РОССИИ, the “Information and Analytical Center”, which is reportedly responsible for the internal IT & information-security of EMERCOM. For brevity, we refer to it as IAC EMERCOM.

In data attributed to a 2023 Alfa-Bank breach, we identified an additional telephone number associated with Obrezko:

1

AlfaBank 2023 data

Highlighted in Yellow are previously known pieces of data, linked already to Obrezko. The new number +74994457578 allowed us to pivot through additional breached data

OneClickMoney Breach

OneClickMoney is a Russian online lending service. Applicants may provide details about their salary, employer, workplace and work telephone number during financial checks. OneClickMoney was also subject to a breach which gave us additional data to query.

Pivoting on the new mobile number, +74994457578, we identified three applicants who listed it as their work telephone number. We are not naming these individuals. All three supplied the same employer and workplace information:

  • Work: ФГБУ "ИАЦ МЧС РОССИИ" - Federal State Budgetary Institution “Information and Analytical Center of the EMERCOM of Russia”
  • PlaceOfWork: г Москва, ул Давыдковская, д 7 стр 2
  • WorkPhone: +74994457578

Additionally, from a CDEK (Russian version of DHL) data breach, we could find corroborating evidence to suggest the mobile number +74994457578 was linked to IAC EMERCOM.

We assess with high-confidence this is not a mobile number used by Obrezko but rather an office/work number linked to IAC EMERCOM

1

Correlation Diagram #1

Highlighted in purple are the identifiers revealed by the FBI, with the new mobile number highlighted in red

Obrezko’s use of an IAC EMERCOM-associated number in the Alfa-Bank data supports an employment connection, but does not provide conclusive evidence by itself.

To test this connection further, we examined leaked datasets attributed to the Russian food-delivery services Yandex Food and Delivery Club.

On the 1st March 2021 at 15:30 Moscow time, from an iOS device linked to the IP address 31.173.86[.]36, the Obrezko email address [email protected] ordered from McDonald’s:

  • a Lipton Iced Tea
  • 9 Chicken McNuggets
  • a McChicken Burger

This order was delivered to the below address:

Москва, Давыдковская улица, 7А (7A Davydkovskaya Street, Moscow)

We can visit this exact address on Google Maps and verify it is the entrance of an EMERCOM VNIIGOChS building

1

McDonald's Delivery Location

Highlighted in red is the EMERCOM title & emblem we previously shared

This department building is associated with “All-Russian Research Institute for Civil Defense and Emergencies”, rather than the headquarters

In the year of 2021, from Obrezko linked identifiers we can observe the below interesting deliveries to near identical addresses.

Date Time Day Source Address Link to Obrezko
2021-03-01 15:30:26 Monday DeliveryClub Москва, Давыдковская улица, 7А [email protected]; 79263799902
2021-07-12 15:14:22 Monday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-09-06 15:08:32 Monday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-09-07 16:36:26 Tuesday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-09-10 14:18:42 Friday YandexFood Москва, Давыдковская улица, д. 7к1 79263799902
2021-09-17 17:02:28 Friday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-09-20 14:42:27 Monday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-09-23 15:08:09 Thursday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-09-24 14:23:27 Friday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-10-07 15:14:25 Thursday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-10-12 14:51:04 Tuesday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-10-29 15:15:03 Friday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902
2021-12-16 15:49:57 Thursday YandexFood Москва, Давыдковская улица, д. 7к10 79263799902

In total, Obrezko made 13 deliveries to addresses right outside the EMERCOM government buildings

These orders were made during weekdays, from 14:15pm - 17:00pm, suggesting Obrezko often likes an afternoon snack at work.

Yutek-NN

The FBI indictment alleges that, from at least 2024, Obrezko worked as deputy director of the Russian technology company Yutek-NN. The FBI further alleges that Yutek-NN was responsible for the Void Blizzard intrusions:

1

Yutek-NN logo

ЮТЕК-НН, or Yutek-NN, is a Russian technology company, founded in 2011, with the public facing website on utech-nn.com:

1

utech-nn.com services

Looking on the translated website, 3 broad categories of services are publicly advertised:

  • IT product development
  • Project management
  • IT consulting

There is no indication of cybersecurity, penetration testing, or services that relate to “espionage” on the public facing website, so what is really happening here?

Licensed by the FSB

Public records report that in April 2013, effective from December 2013, Yutek-NN was given a license, ЛСЗ №0007002 1Т. This was given by the Nizhny Novgorod department of the Federal Security Services (FSB), that allowed for the “covert acquisition of information”:

1

FSB license

Such a licence places Yutek-NN inside a regulated market for surveillance-adjacent equipment. It does not, by itself, prove that the company conducted espionage. This is alleged by the FBI, but has not been independently verified by Ctrl-Alt-Intel using open-source intelligence collection techniques.

Free Navalny!

This is not the first time Yutek-NN has been placed under the spotlight. In May 2021, Meduza and Current Time mentioned the company while investigating the theft and exploitation of approximately 529,000 email addresses belonging to supporters of Alexey Navalny. The attackers enriched the data with personal and employment information before sending threats to victims and their employers.

Current Time reported that Zasekin.ru owner Dmitry Loboiko suspected the attack infrastructure could be connected to Mikhail Dudin, although it explicitly noted that he had no direct evidence. Meduza made a stronger allegation, citing unnamed sources who claimed Dudin was involved in attacks against both Navalny supporters and Zasekin.ru. Dudin did not respond to Meduza’s questions.

Open-source records show Dudin was Yutek-NN’s founder and owner from January 2011 until October 2018, while Vadim Gaisin was its director from June 2018 until November 2020. They therefore overlapped at Yutek-NN for several months. Meduza described them as long-term business partners and reported that Gaisin became head of the presidential administration’s GlavNIVTs research centre on 14th April 2021, one day before the threatening email campaign began.

Neither investigation identified a Yutek-NN domain, IP address, employee or product as part of the operation. We assess Yutek-NN appeared as a circumstantial link through Dudin, Gaisin and its FSB-issued license - but the 2021 scrutiny shows the company was already under the spotlight years before the FBI linked it to Void Blizzard.

Our OSINT findings independently connect Obrezko to IAC EMERCOM, a Russian government institution not mentioned in the FBI indictment or affidavit.

The US filings allege that Obrezko previously worked for the FSB and later served as deputy director of Yutek-NN. They do not mention EMERCOM.

Public career data suggests that the relationship between Yutek-NN and IAC EMERCOM extends beyond Obrezko. At the time of review, the Habr Career profile for Yutek-NN showed one individual who joined Yutek-NN from IAC EMERCOM and two who later moved from Yutek-NN to IAC EMERCOM.

1

Personnel movements shown by Habr Career

These records establish three publicly declared career transitions between the organisations.

Habr Career relies on information published by its users, so this should be treated as a visible minimum rather than a complete account of personnel movement. Obrezko, for example, is not included in the Habr data.

1

Correlation Graph

Conclusion

The US filings allege that Obrezko previously worked for the FSB, later became deputy director of Yutek-NN, and participated in Void Blizzard cyberespionage. Ctrl-Alt-Intel has not independently verified those operational allegations, but our OSINT provides additional context that is absent from the indictment and affidavit.

Identifiers attributed to Obrezko by the FBI appear alongside an IAC EMERCOM-associated work number and repeated weekday food deliveries to EMERCOM facilities during 2021. Taken together, these findings support our high-confidence assessment that Obrezko worked at, or regularly operated from, IAC EMERCOM.

Public records add further context around Yutek-NN: an FSB-issued licence for surveillance-adjacent equipment, and publicly declared personnel movements in both directions between Yutek-NN and IAC EMERCOM. None of these findings independently proves that Yutek-NN conducted cyberespionage. Collectively, however, they show that the company has deeper connections to Russian state and security institutions than its public-facing website suggests.

A McChicken order does not prove cyberespionage. Combined with FBI filings, corporate records, professional histories and repeated activity at government facilities, however, it can expose relationships that official documents leave unstated.