
Dmitri Badin

Russian intelligence officer and hacker

Aka: Nicola Tesla, Scaramouche
Life: 1990 – present
Born: November 15, 1990
Nationality: Russia

Dmitri Sergeyevich Badin is a Russian intelligence officer and hacker. He is said to have penetrated computer systems of several governments and international organizations on behalf of the Russian state military intelligence service GRU. Badin is wanted by the US Federal Bureau of Investigation and the German federal prosecutor Generalbundesanwalt. He is suspected of being a member of the Sofacy Group.

Background

Dmitri Sergeyevich Badin, born November 15, 1990, is a Russian intelligence officer suspected of conducting a series of high-profile cyberattacks on behalf of the GRU, Russia's state military intelligence service. He is believed to be a member of the Sofacy Group, also known as "Fancy Bear," a threat actor widely attributed to GRU Unit 26165, which specializes in cryptography.

Investigative journalism platform Bellingcat confirmed Badin's date of birth and his association with Unit 26165 through open-source research. Supporting evidence included a vehicle registered in his name at a Moscow address linked to the GRU, as well as Skype accounts, a VKontakte (vk.com) profile, an email address, and a telephone number that corroborated these findings.

Alleged Cyberoperations

Badin is suspected of authoring malware used in several significant intrusion campaigns. According to Bellingcat's findings, this malware was deployed against the email servers of the Democratic National Committee, the German Bundestag, the MH-17 joint investigative team, and Bellingcat itself.

The 2015 attack on the German Bundestag resulted in the exfiltration of at least 16 gigabytes of data, including material from an office associated with Chancellor Angela Merkel. Responsibility for this intrusion has been attributed to the Sofacy Group, and Badin is specifically alleged to have played a role in it.

Badin is also suspected of involvement in efforts to manipulate the 2016 US presidential election and in attacks targeting the servers of the World Anti-Doping Agency (WADA).

Legal Status

The FBI has sought Badin since 2018 under an international arrest warrant, citing his suspected role in the 2016 US election interference and the WADA server attacks. In early May 2020, the German federal prosecutor (Generalbundesanwalt) obtained a separate international arrest warrant in connection with the 2015 Bundestag hack. According to the available source material, Badin remains at large and wanted by both US and German authorities.
