OPERATION APT-28 by Anonymous
BEFORE READING, YOU SHOULD KNOW THAT ALL OF THIS INFORMATION HAS ALREADY BEEN DISSEMINATED BY MEDIA OR INDIVIDUALS. I DO NOT CLAIM TO BE THE ORIGINAL DISSEMINATOR OF THE INFORMATION BELOW.
THIS IS FOR INFORMATIONAL PURPOSES TO RAISE AWARENESS OF WHO THIS GROUP REALLY IS. NEVERTHELESS, ALL THE INFORMATION YOU SEE HERE HAS BEEN VERIFIED BY RELIABLE SOURCES, SOURCES THAT WILL OF COURSE BE CITED.
IT TOOK ME A LOT OF TIME TO COMPILE AND VERIFY EVERYTHING. THANKS TO THIS AND THE SOURCES PROVIDED, YOU CAN BE CERTAIN THAT IT IS TRUE.
MADE BY: https://x.com/AnonymousBsns
Summary of information on APT28 (Fancy Bear) and its indicted members:
APT28, also known as Fancy Bear, Sofacy, Sednit, Pawn Storm, Strontium, or Forest Blizzard, is a cyberespionage group affiliated with the GRU (Russian military intelligence service), specifically Unit 26165 and Unit 74455. Active since at least 2004, APT28 is involved in sophisticated cyberattacks targeting government, military, diplomatic, and strategic sectors for the purposes of espionage and destabilization. In July 2018, the U.S. Department of Justice indicted 12 GRU officers for their role in interfering in the 2016 U.S. presidential election, including the hacking of the Democratic National Committee (DNC) and the Clinton campaign. This document details information on each member, overall charges, arrest warrants, and additional data from reliable sources.
Confirmed identified members:
Detailed information on each member
Viktor Borisovich Netyksho
Role: Commander of GRU Unit 26165, overseer of hacking operations against the DNC, DCCC, and Clinton campaign in 2016.
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/viktor-borisovich-netyksho (link invalid but warrant confirmed via indictment).
Biographical Details: No public information on date of birth, appearance, or exact location, except a presumed location in Moscow.
Additional Information:
- Leak by Kiber Sprotyv (May 2023): The Ukrainian hacktivist group Kiber Sprotyv hacked the email of Netyksho’s wife, Oksana Netyksho, and published personal data along with an alleged photo of Netyksho. This information includes limited details about his personal life but no passport, address, or other specific documents.
- Verification: The photo is not authenticated by the FBI or other agencies, and it is not accessible in the consulted public sources (Cybernews, Cyber Security Connect, Cyber Daily).
- Sources: Reports from Cybernews, Cyber Security Connect, and Cyber Daily.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018 for cyber activities on behalf of the GRU.
- Photo: No verified photo available; the Kiber Sprotyv photo remains unconfirmed.
Boris Alekseyevich Antonov
Role: GRU officer, Unit 26165, coordinator of spear-phishing attacks against the DNC and Clinton campaign.
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/boris-alekseyevich-antonov
Biographical Details: No public information on date of birth, appearance, or exact location, except a presumed location in Moscow.
Additional Information:
- Operational Role: Antonov created and sent spear-phishing emails containing malicious links to steal credentials from Clinton campaign officials.
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media outlets like Cybernews.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Dmitriy Sergeyevich Badin
Role: GRU officer, Unit 26165, malware analyst, involved in the development and deployment of malicious tools for attacks against the DNC.
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/dmitriy-sergeyevich-badin
Biographical Details: No public information on date of birth, appearance, or exact location, except a presumed location in Moscow.
Additional Information:
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media.
- Technical Role: Badin developed malware to exfiltrate data from compromised systems.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Ivan Sergeyevich Yermakov
Role: GRU officer, Unit 26165, hacking operator, involved in intrusions against the DNC and Clinton campaign, using pseudonyms “Kate S. Milton,” “James McMorgans,” and “Karen W. Millen.”
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/ivan-sergeyevich-yermakov
Biographical Details:
- Date of birth: April 10, 1986
- Place of birth: Chelyabinskaya Oblast, Russia
- Appearance: Brown hair, brown eyes, Caucasian
- Nationality: Russian
- Presumed location: Moscow
- NCIC: W444340124
Additional Information:
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media.
- Operational Role: Yermakov used compromised email accounts to send spear-phishing emails and exfiltrate data.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Aleksey Viktorovich Lukashev
Role: Senior Lieutenant of the GRU, Unit 26165, responsible for spear-phishing campaigns against the DNC and Clinton campaign, using pseudonyms “Den Katenberg” and “Yuliana Martynova.”
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
- Computer fraud
- Wire fraud
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/aleksey-viktorovich-lukashev
Biographical Details: No public information on date of birth, appearance, or exact location, except a presumed location in Moscow.
Additional Information:
- Key Role: Lukashev sent spear-phishing emails as early as March 2016, targeting Clinton campaign officials with malicious URLs.
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Sergey Aleksandrovich Morgachev
Role: Lieutenant Colonel of the GRU, Unit 26165, overseer of the development and management of the X-Agent malware used in the 2016 cyberattacks.
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/sergey-aleksandrovich-morgachev
Biographical Details:
- Date of birth: May 22, 1977
- Place of birth: Kyiv, Ukraine
- Residence: 6/8 Dekabristov Street, apt. 249, Korolev, Moscow Oblast, Russia
- Passport: #4622 608349, issued July 12, 2022
- Vehicle: Toyota RAV4, plate Р778CB750, license #9902 449278
Additional Information:
- Leak by Kiber Sprotyv (April 2023): Kiber Sprotyv hacked Morgachev’s email and published detailed personal data:
  - Education: FSB Academy, Moscow (1994-1999).
  - Service: Unit 26165 (1999-2022), then employed at Special Technological Center LLC (STC) in 2023, a sanctioned entity.
  - Documents: Scans of personal documents, correspondence with STC, medical certificate from December 2022 for access to classified documents.
- Source: InformNapalm.
- Photo: Kiber Sprotyv claimed to have published photos of Morgachev, but they are not publicly accessible, and their authenticity is not verified by the FBI or other agencies.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Key Role: Morgachev oversaw the deployment of X-Agent for data exfiltration from the DNC.
- Photo: No verified photo available; Kiber Sprotyv photos remain unconfirmed.
Nikolay Yuryevich Kozachek
Role: Lieutenant Captain of the GRU, Unit 26165, malware developer, involved in the creation and use of X-Agent, using pseudonyms “kazak” and “blablabla1234565.”
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/nikolay-yuryevich-kozachek
Biographical Details: No public information on date of birth, appearance, or exact location, except a presumed location in Moscow.
Additional Information:
- Technical Role: Kozachek developed components of X-Agent, essential for intrusions into DNC networks.
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Pavel Vyacheslavovich Yershov
Role: GRU officer, Unit 26165, systems administrator, responsible for managing network infrastructure for the 2016 cyberattacks.
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/pavel-vyacheslavovich-yershov
Biographical Details: No public information on date of birth, appearance, or exact location, except a presumed location in Moscow.
Additional Information:
- Operational Role: Yershov maintained servers and domains for command and control (C2) operations.
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Artem Andreyevich Malyshev
Role: Second Lieutenant of the GRU, Unit 26165, malware developer, responsible for monitoring X-Agent, using pseudonyms “djangomagicdev” and “realblatr.”
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
- Computer fraud
- Wire fraud
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/artem-andreyevich-malyshev
Biographical Details:
- Date of birth: February 2, 1988
- Place of birth: Bologoe-4, Kalininskiy Oblast, Russia
- Appearance: Brown hair, blue eyes, Caucasian
- Nationality: Russian
- Presumed location: Moscow
- NCIC: W814298888
Additional Information:
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media.
- Technical Role: Malyshev monitored X-Agent infections for data exfiltration.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Aleksandr Vladimirovich Osadchuk
Role: GRU Colonel, commander of Unit 74455, responsible for disseminating stolen documents via DCLeaks and Guccifer 2.0.
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/aleksandr-vladimirovich-osadchuk
Biographical Details: No public information on date of birth, appearance, or exact location, except a presumed location in Moscow.
Additional Information:
- Strategic Role: Osadchuk oversaw the creation of social media accounts and websites to disseminate stolen documents.
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Aleksey Aleksandrovich Potemkin
Role: GRU officer, Unit 74455, overseer of network infrastructure for disseminating stolen documents and managing hacking operations.
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- False registration of domain names
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/aleksey-aleksandrovich-potemkin
Biographical Details: No public information on date of birth, appearance, or exact location, except a presumed location in Moscow.
Additional Information:
- Technical Role: Potemkin administered servers and domains for DCLeaks and Guccifer 2.0.
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Anatoliy Sergeyevich Kovalev
Role: GRU officer, Unit 74455, involved in hacking a U.S. election commission, stealing data from 500,000 voters.
Charges:
- Conspiracy against the United States
- Computer hacking
- Aggravated identity theft
- Money laundering
- Computer fraud
- Wire fraud
- Intentional damage to protected computers
FBI Wanted Notice: https://www.fbi.gov/wanted/cyber/anatoliy-sergeyevich-kovalev
Biographical Details: No public information on date of birth, appearance, or exact location, except a presumed location in Moscow.
Additional Information:
- Operational Role: Kovalev targeted election infrastructure with spear-phishing techniques.
- No Leaks: No leaks of personal data (photo, passport, address) reported by Kiber Sprotyv or media.
- Sanctions: Designated by OFAC (CAATSA Section 224) in December 2018.
- Photo: No photo available via the FBI or other public sources.
Comprehensive Charges
The 12 members of APT28 were indicted on July 13, 2018, by a grand jury in the United States District Court for the District of Columbia (Docket 1:18-cr-00215) as part of Special Counsel Robert Mueller's investigation. The indictment, titled United States v. Netyksho et al., details the following charges:
Conspiracy against the United States (18 U.S.C. § 371): Coordination to interfere in the 2016 election.
Computer Hacking (18 U.S.C. § 1030): Unauthorized access to the systems of the DNC, the DCCC (Democratic Congressional Campaign Committee), and other targets.
Aggravated Identity Theft (18 U.S.C. § 1028A): Fraudulent use of stolen credentials.
Money Laundering (18 U.S.C. § 1956): Use of cryptocurrency to finance operations.
False registration of domain names: Creation of fraudulent domains for spear-phishing.
Computer and Wire Fraud (for some members): Manipulation of systems to steal data.
Intentional Damage to Protected Computers (for some members): Disruption of election systems.
Objectives of Attacks: Hack sensitive emails and documents, disseminate information via platforms such as DCLeaks and Guccifer 2.0, and influence American public opinion.
Primary Source: Indictment, available at:
Wikimedia Commons: https://upload.wikimedia.org/wikipedia/commons/d/d4/Netyksho_et_al_indictment.pdf
National Security Archive: https://nsarchive.gwu.edu/document/19924-united-states-district-court-district-columbia-us-v-viktor-borisovich-netyksho-et-al-indictment (UNAVAILABLE NOW)
ARREST WARRANTS:
Issued by: United States District Court for the District of Columbia, July 2018.
Status: Active, but symbolic, as Russia does not extradite its citizens.
Wanted Notices: Published by the FBI for each member (except Viktor Netyksho, whose link was invalidated on May 1, 2025).
Limitations: No international warrants (e.g., Interpol) are public, and no other jurisdiction (e.g., France, Germany) has issued warrants for these individuals.
Key Attacks and Campaigns
2016 U.S. Presidential Election Interference
- Target: Democratic National Committee (DNC), Democratic Congressional Campaign Committee (DCCC), and Hillary Clinton’s presidential campaign.
- Method: APT28 conducted spear-phishing campaigns to steal credentials, deploying malware such as X-Agent to exfiltrate sensitive data. They also used infrastructure like DCLeaks and Guccifer 2.0 to leak stolen emails and documents, aiming to influence the U.S. election.
- Impact: The attacks exposed internal DNC communications, fueling political controversy. The U.S. government, through the Mueller investigation, attributed these attacks to APT28, leading to indictments of 12 GRU officers (as detailed in the member list above).
- Source: U.S. Department of Justice indictment (July 2018), FBI wanted notices.
2015-2016 Attacks on European Governments and NATO
- Target: German Bundestag, French TV5Monde, NATO, and other European political entities.
- Method: Spear-phishing emails with malicious attachments or links, exploiting vulnerabilities in Microsoft Office and Adobe Flash. APT28 deployed custom malware like Sofacy and X-Agent to maintain persistent access.
- Impact: The 2015 Bundestag hack compromised sensitive parliamentary data, while the TV5Monde attack disrupted broadcasts, showcasing APT28’s ability to target critical infrastructure. These attacks raised alarms about Russian cyber interference in Western democracies.
- Source: German BSI reports, FireEye threat intelligence.
2014-2018 Targeting of Ukrainian Infrastructure
- Target: Ukrainian government, military, and energy sectors.
- Method: APT28 used spear-phishing and malware like BlackEnergy and X-Agent to infiltrate systems, often focusing on espionage and data theft.
- Impact: These attacks aligned with Russia’s geopolitical objectives during the Russo-Ukrainian conflict, disrupting operations and gathering intelligence. The Ukrainian hacktivist group Kiber Sprotyv later retaliated by leaking personal data of APT28 members (e.g., Netyksho, Morgachev).
- Source: InformNapalm, Cybernews reports.
2018 Winter Olympics and WADA Attacks
- Target: World Anti-Doping Agency (WADA), International Olympic Committee (IOC), and South Korean entities during the PyeongChang Winter Olympics.
- Method: APT28 launched spear-phishing campaigns and deployed destructive malware like Olympic Destroyer to disrupt operations. They also leaked WADA athlete data to discredit Western anti-doping efforts.
- Impact: The attacks aimed to retaliate against Russia’s Olympic ban for state-sponsored doping, highlighting APT28’s role in geopolitical cyber operations.
- Source: Microsoft Threat Intelligence, U.S. Department of Justice.
Global Espionage Campaigns (Ongoing)
- Target: Think tanks, defense contractors, embassies, and NGOs worldwide, including in the U.S., Europe, and Asia.
- Method: APT28 employs sophisticated techniques like zero-day exploits, custom malware (e.g., Sofacy, X-Agent, Zebrocy), and watering-hole attacks to gather intelligence.
- Impact: These campaigns solidified APT28’s reputation as a persistent threat, with a focus on strategic intelligence collection for Russian interests.
- Source: CrowdStrike, Palo Alto Networks Unit 42.
Techniques and Tactics
- Spear-Phishing: APT28’s hallmark tactic involves tailored emails with malicious links or attachments, often impersonating trusted entities to trick targets into revealing credentials or executing malware.
- Custom Malware: Tools like X-Agent, Sofacy, and Zebrocy are designed for espionage, enabling data exfiltration, keylogging, and persistent access.
- Exploitation of Vulnerabilities: APT28 exploits software vulnerabilities (e.g., Microsoft Office, Adobe Flash) and occasionally uses zero-day exploits.
- Information Warfare: Leaking stolen data through fronts like DCLeaks and Guccifer 2.0 to manipulate public opinion or destabilize targets.
- Command and Control (C2): APT28 maintains robust C2 infrastructure using compromised servers and domain names, often registered falsely.
Reliable Sources:
Indictment (2018): https://commons.wikimedia.org/wiki/File:Netyksho_et_al_indictment.pdf
Wikimedia Commons: https://upload.wikimedia.org/wikipedia/commons/d/d4/Netyksho_et_al_indictment.pdf
National Security Archive: https://nsarchive.gwu.edu/document/19924-united-states-district-court-district-columbia-us-v-viktor-borisovich-netyksho-et-al-indictment (UNAVAILABLE NOW)
FBI Wanted Poster: Links provided for each member (except Netyksho, whose link is invalid).
OFAC Sanctions: https://home.treasury.gov/news/press-releases/sm577
InformNapalm report: https://informnapalm.org/en/hacked-russian-gru-officer/ (Morgachev leak)
InformNapalm report: https://informnapalm.org/en/ukrainian-hacktivists-acquired-first-ever-photo-of-the-gru-hacker-unit-commander/ (leaked Viktor Borisovich Netyksho)
ANSSI report (2025): https://www.ssi.gouv.fr/uploads/2025/04/rapport_ANSSI_APT28_2025.pdf (UNAVAILABLE NOW)
Palo Alto Networks: https://www.paloaltonetworks.com/blog/2023/12/fighting-ursa-apt28/ (UNAVAILABLE NOW)
Media: Cybernews, Cyber Security Connect, Cyber Daily