Go to listing page

Void Balaur Stayed Hidden for Years to Steal Sensitive Data in Emails

Void Balaur Stayed Hidden for Years to Steal Sensitive Data in Emails
Void Balaur, a hacker-for-hire group, has been stealing sensitive private data and selling them to customers for more than five years. The group offers its services on Russian underground forums and has targeted more than 3,500 email addresses around the world.

What has happened?

The business model of Void Balaur is simply to steal the private and sensitive data of businesses and individuals and then sell it to interested customers with financial and espionage goals.
  • The targets are individuals and organizations in various sectors such as telecommunications, retail, financial, medical, biotechnology, especially with access to a lot of private data.
  • Void Balaur constantly looks for access to cryptocurrency wallets of various exchange services (such as EXMO, YoBit, BitPay, and Binance), where it uses phishing sites to lure victims.

A brief about its past

Void Balaur started its paid ads in 2018 on Darkmoney (carding), Probiv, Tenec (stolen credentials), and Dublikat forums.
  • It offered services that included access to free webmail (Protonmail, Gmail, Yandex, Mail.ru, and VK), corporate email accounts, and Telegram. Additionally, the gang offered copies of hacked mailboxes.
  • In 2019, the group started selling sensitive private data of Russian individuals at prices between $21 and $124. The new services offered cellular services data such as phone numbers, SMS records, and more.

A connection to Fancy Bear?

Void Balaur was first spotted by Trend Micro when a source reported multiple phishing emails that were initially believed to be the work of Pawn Storm, the Russian threat group also known as Fancy Bear.
  • The emails were linked to Void Balaur, and researchers discovered an overlap between these two groups despite the hacker-for-hire group having more diverse targets and customers.
  • Researchers observed dozens of email addresses targeted by both Pawn Storm and Void Balaur. Additionally, both groups targeted religious leaders, diplomats, politicians, and a journalist.


Void Balaur has been operating for more than five years without getting noticed much. It offers its services to its customers who are willing to pay for that information. This once again highlights the importance of securing sensitive data and adhering to adequate data protection measures such as encryption to protect against such threats.

Cyware Publisher