ALPS blog

Void Balaur and the Rise of the Cybermercenary Industry

Cybercriminals have different motivations: for example, some malicious actors have disruptive political attacks as their objective, while others might be more inclined towards cyberespionage and gathering information on their victims. Of course, financial gain remains a powerful cybercrime motivation — perhaps even the most common one. Some malicious actors, such as ransomware operators, earn directly from their cyberattacks. Others, however, prefer to act as “cybermercenaries,” selling their services to anyone willing to pay.

One of the most prolific cybermercenaries is Void Balaur, a Russian-speaking threat actor group that has launched attacks against different sectors and industries all over the world. Although Void Balaur offers a wide range of services, the group’s bread and butter is cyberespionage and information theft, selling highly sensitive information on individuals in underground forums and websites such as Probiv.

The group primarily targets email accounts and mailboxes. While it offers standard mailbox copies that was likely stolen with the help of credential phishing, Void Balaur also offers copies of mailboxes that have not been interacted with — for a higher price. This option is particularly interesting since it would be extremely difficult under normal circumstances to gather the contents of a mailbox without any user interaction, which points to possibilities such as insider assistance or even the compromise of the email provider’s systems.

Figure 1. Countries in which Void Balaur email targets were located
Figure 1. Countries in which Void Balaur email targets were located

In addition, Void Balaur also offers their customers access to a large amount of private data, which includes information such as flight and travel data (passports and ticket purchases); criminal records; financial records and credit histories; pension funds; and even printouts of SMS messages. It’s easy to see why the services of a cybermercenary like Void Balaur is in demand — these types of information can be very useful for a group or an individual who wants to launch an attack on specific targets.

Void Balaur’s high-profile targets

What makes Void Balaur’s attacks particularly noteworthy is the often-lofty status of its targets. While the threat actor has been known to offer its services to a more general audience — as seen in its online advertisements in the underground — research from groups such as and Amnesty International show that Void Balaur is likely also involved in attacks against higher profile victims, ranging from human rights activists and journalists to politicians and even presidential candidates. One of the group’s more notable campaigns involved attacks that targeted the private email addresses of government officials and politicians in an Eastern European country in September 2021.

Living up to its cybermercenary label, Void Balaur does not limit itself to the geopolitical scene. Organizations that have access to a large amount of private information are also frequent victims of the group. These targets belong to different industries such as the telecommunications, retail, financial, medical, and even the biotech sectors. Organizational leaders and employees that are heavily involved with the company’s core business are among the threat actor’s favored targets, since these individuals will likely have access to the kind of information the group seeks.

Curtailing cybermercenary attacks

Given what we’ve seen of cybermercenaries like Void Balaur, it is likely that these groups have access to a large number of tools and infrastructure that allows them to launch attacks even against prominent individuals and organizations. However, this does not mean that practicing and implementing the right security safeguards will not help in defending against cybermercenary attacks. The following security best practices can help both individuals and organizations thwart cybermercenary attacks (and cyberattacks in general):

  • Employ the services of a reputable provider that places high priority on security.
  • Consider using dedicated two-factor authentication apps or devices such as Yubikey instead of relying on SMS.
  • Use encryption systems for communication, especially when it involves sensitive information.
  • Encrypt the drives of all computers and other machines that are used to store sensitive information.
  • Practice good security hygiene by deleting old emails and messages to minimize the chances of an attacker gaining access to private information.

Learn more about the activities and targets of Void Balaur in our research paper, Void Balaur: Tracking a Cybermercenary’s Activities.


Featured News