thephuketnews.com
By The Phuket News
Friday 14 November 2025 10:13 AM
PHUKET: Multiple international outlets are reporting that the 35-year-old Russian man arrested in Phuket by Thai cyber police earlier this week is likely GRU military intelligence officer Aleksey Lukashev.
The Cyber Crime Investigation Bureau (CCIB) confirmed the arrest on Wednesday (Nov 12), following a coordinated investigation with the FBI, Phuket Immigration, Region 8 Crime Suppression Division, Phuket Provincial Police, the Tourist Police Bureau, the Police Forensic Science Office, and the Office of the Attorney General.
Local Phuket agencies have not posted any reports of the arrest.
According to the CCIB report, Thai authorities were alerted to Lukashev’s presence after CCIB Commissioner Pol Lt Gen Surapol Prembut received intelligence from the FBI that a “world-class hacker” – previously linked to cyberattacks on government institutions in Europe and the US – had entered Thailand and was hiding in Phuket.
The man arrived at Phuket International Airport on Oct 30, 2025, and checked into a hotel in Thalang, said the report. Of note, Thalang District covers the entire north half of the island and includes areas such as Bang Tao and Cherng Talay.
An investigation team from Phuket Immigration tracked his movements before coordinating with prosecutors to issue an arrest warrant under the Extradition Act of 2008, said the CCIB report.
A Criminal Court search warrant was then executed at the hotel, where officers seized laptops, mobile phones and “digital wallets” for forensic examination.
FBI agents were present as observers. The suspect has been formally charged as a person requested for extradition by the United States and has been handed over to the Office of the Attorney General for the formal extradition process, the report noted.
Since then, UK media outlet ‘The Sun US’ reported that Thai police have likely detained GRU officer Aleksey Lukashev, linking him to two high-profile operations: the hacking of Hillary Clinton’s 2016 presidential campaign and the GRU operation surrounding the Skripal Novichok poisonings.
The report notes that blurred images from the arrest show a strong resemblance to the FBI’s wanted notice for Lukashev, and that FBI personnel were present in Phuket during the operation.
Lukashev, a senior lieutenant in Russia’s GRU Unit 26165 (also known as APT28 or ‘Fancy Bear’), is accused of:
hacking computers belonging to US political organisations during the 2016 election
phishing the email account of Hillary Clinton’s campaign chairman John Podesta
involvement in cyber activity linked to the Skripal case
conducting attacks on government bodies across Europe and the US
Lukashev appears on the FBI’s Most Wanted list and is under UK sanctions.
Overnight, Russia-based investigative outlet ‘The Insider’ independently reported that only one GRU hacker on the FBI’s wanted list matches the age released by Thai police – Aleksey Viktorovich Lukashev.
According to The Insider:
Lukashev, born in Murmansk, is wanted in the US for conspiracy to commit computer intrusions, identity theft, domain fraud, and money laundering.
He used multiple aliases, including ‘Den Katenberg’ and ‘Yuliana Martynova’.
A US federal court issued a warrant for his arrest in 2018.
The hacker group he worked with, APT28/Fancy Bear, has been linked to attacks on the White House, NATO, the IOC, WADA, the German Bundestag, and ministries across Europe.
The same group also targeted Russian opposition figures, NGOs and journalists, including reporters from The Insider.
OPERATION 293
As part of the wider ‘Operation 293’, Thai cyber police also reported seizing digital assets linked to the suspect.
Investigators said malware linked to the man had stolen authentication keys and crypto trading credentials from Thai victims. More than B14 million in cryptocurrency was recovered and returned in cooperation with Tether and Thai exchange Bitkub. At least six Thai victims were identified with total losses exceeding 100,000 USDT.
The CCIB stressed in its report that the arrest was made under Thailand’s extradition law rather than through immigration offences or visa cancellation.
The suspect remains in custody and has not been publicly named as the investigation is ongoing.
The CCIB in its report said the case marked a significant step in expanding operational cooperation with the FBI in the global fight against transnational cybercrime.
Russian GRU Unit 29155 is best known for its long list of murder and sabotage ops, which include the Salisbury poisonings in England, arms depot explosions in Czechia, and an attempted coup d’etat in Montenegro. But its activities in cyberspace remained in the shadows — until now. After reviewing a trove of hidden data, The Insider can report that the Kremlin’s most notorious black ops squad also fielded a team of hackers — one that attempted to destabilize Ukraine in the months before Russia’s full-scale invasion.
For members of Russia’s most notorious black ops unit, they look like children. Even their photographs on the FBI’s “wanted” poster show a group of spies born around the time Vladimir Putin came to power in Russia. But then, hacking is a young man’s business.
In August 2024, the U.S. Justice Department indicted Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, Nikolay Korchagin, Amin Stigal and Yuriy Denisov for conducting “large-scale cyber operations to harm computer systems in Ukraine prior to the 2022 Russian invasion,” using malware to wipe data from systems connected to Ukraine’s critical infrastructure, emergency services, even its agricultural industry, and masking their efforts as plausibly deniable acts of “ransomware” – digital blackmail. Their campaign was codenamed “WhisperGate.”
The hackers posted the personal medical data, criminal records, and car registrations of untold numbers of Ukrainians. The hackers also probed computer networks “associated with twenty-six NATO member countries, searching for potential vulnerabilities” and, in October 2022, gained unauthorized access to computers linked to Poland’s transportation sector, which was vital for the inflow and outflow of millions of Ukrainians – and for the transfer of crucial Western weapons systems to Kyiv.
More newsworthy than the superseding indictment of this sextet of hackers was the organization they worked for: Unit 29155 of Russia’s Main Intelligence Directorate of the General Staff, or GRU. In the past decade and a half, this elite team of operatives has been responsible for the Novichok poisonings of Russian ex-spy Sergei Skripal and Bulgarian arms manufacturer Emilian Gebrev, an abortive coup in Montenegro, and a series of explosions of arms and ammunition depots in Bulgaria and Czechia.
Unit 29155 is Russia’s kill and sabotage squad. But now they were being implicated for the first time as state hackers. Moreover, the U.S. government made a compelling case that Unit 29155 was engaged in cyber attacks designed to destabilize Ukraine in advance of Russian tanks and soldiers stealing across the border – if this were true, it would mean that at least one formidable arm of Russian military intelligence knew about a war that other Russian special services were famously kept in the dark about. This hypothesis is consistent with prior findings by The Insider showing that members of 29155 were deployed into Ukraine a few days before the full-scale invasion.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.
Russian military intelligence, the G.R.U., is behind arson attacks aimed at undermining support for Ukraine’s war effort, security officials say.