
On Nov. 12, Thai cyber police announced the arrest of a 35-year-old Russian citizen on the island of Phuket, adding that the unnamed suspect stands wanted in the United States on charges of hacking government institutions in Europe and the U.S. The Russian national was detained in a joint operation with the FBI, which had informed Thai authorities that he had entered the country on Oct. 30 and checked into a hotel in the Thalang District.
According to the press release put out by Thailand’s Cyber Crime Investigation Bureau (CCIB), the man is a “world-class” hacker who had previously breached secure systems and carried out attacks on various government agencies. Authorities stressed that the arrest was made under the country’s 2008 extradition law, rather than through administrative means such as visa cancellation.
The independent outlet Vot Tak noted that among the GRU hackers officially wanted by the FBI, only one matches the age stated by Thai police — Aleksey Lukashev.
According to the FBI’s wanted notice, Aleksey Viktorovich Lukashev, a senior lieutenant in Russia’s Main Intelligence Directorate (GRU) assigned to Unit 26165, is wanted by the United States for his alleged role in interfering in the 2016 presidential election. The FBI says the Murmansk-born officer was one of 12 GRU agents accused of hacking computers belonging to American political organizations and state election boards, stealing documents and leaking stolen data. Lukashev — who also used the aliases “Den Katenberg” and “Yuliana Martynova” — faces charges of conspiracy to commit computer intrusions, aggravated identity theft, domain name fraud, and money laundering. A U.S. federal court in Washington, D.C., issued a warrant for his arrest in 2018.

The operation to arrest the suspect was conducted by Thai CCIB officers along with immigration and tourist police, prosecutors, and local authorities. Laptops, phones, and “digital wallets” were seized from the hotel room in question for forensic examination. FBI representatives were present during the arrest as observers.

Alexey Lukashev (center) with fellow hacker Andrey Rodikov (right) from Unit 26165
As part of the same Operation 293, Thai cyber police also reported seizing digital assets allegedly linked to the suspect. According to the CCIB, victims in Thailand lost funds after their computers were infected with malware that stole authentication keys and seed phrases for trading accounts. The stolen assets were converted into the cryptocurrencies USDT and Bitcoin, then moved across several wallets.
In cooperation with Tether and the Thai crypto exchange Bitkub, the authorities managed to freeze and return cryptocurrency worth more than 14 million baht (about $432,000) to the affected victims. Police identified at least six Thai victims with total losses exceeding 100,000 USDT. After his arrest, the suspect was taken into custody. The case has been sent to the Thai attorney general’s office to begin extradition proceedings. He has not been publicly identified, as authorities say the investigation is ongoing.
The hacker group Lukashev worked with is known as APT28, also referred to as Fancy Bear or Pawn Storm. In 2017, The Insider revealed that the group consisted of personnel from GRU Unit 26165. The following year, the U.S. Justice Department confirmed these findings, formally charging the group.
APT28/Fancy Bear’s most notorious operation involved the 2016 breach of Democratic Party servers — part of an effort to help Donald Trump defeat Hillary Clinton in the U.S. presidential election. Trump openly welcomed the leaks at the time, even urging Russian hackers to release more of Clinton’s emails.
Other APT28 targets have included the White House and U.S. government agencies, as well as foreign ministries in the Czech Republic, Poland, Germany, Italy, Latvia, Estonia, Ukraine, Norway, and the Netherlands; the defense ministries of Denmark, Italy, and Germany; the German Bundestag; NATO; the OSCE; the International Olympic Committee; WADA; the MH17 investigative team; and multiple media outlets, including TV5Monde and Al Jazeera.
The same group also carried out attacks on dozens of Russian opposition figures, NGO members, and journalists — including reporters from The Insider — as confirmed independently by four cybersecurity companies.
Fancy Bear typically relied on basic phishing tactics, sending out mass emails and waiting for someone to click a malicious link and surrender their credentials. Their main goal was to access sensitive information for political purposes: stolen documents were often doctored with compromising details and then published on websites run by pro-Kremlin activists before being amplified by state media and online troll networks.