Evgenii Serebriakov now runs the most aggressive hacking team of Russia’s GRU military spy agency. To Western intelligence, he’s a familiar face.

FOR YEARS, THE hacking unit within Russia’s GRU military intelligence agency known as Sandworm has carried out some of the worst cyberattacks in history—blackouts, fake ransomware, data-destroying worms—from behind a carefully maintained veil of anonymity. But after half a decade of the spy agency’s botched operations, blown cover stories, and international indictments, perhaps it’s no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face.

Passport of EVGENII MIKHAYLOVICH SEREBRIAKOV
The passport Evgenii Serebriakov used to enter the Netherlands in 2018. PHOTOGRAPH: DEPARTMENT OF JUSTICE
The commander of Sandworm, the notorious division of the agency’s hacking forces responsible for many of the GRU’s most aggressive campaigns of cyberwar and sabotage, is now an official named Evgenii Serebriakov, according to sources from a Western intelligence service who spoke to WIRED on the condition of anonymity. If that name rings a bell, it may be because Serebriakov was indicted, along with six other GRU agents, after being caught in the midst of a close-range cyberespionage operation in the Netherlands in 2018 that targeted the Organization for the Prohibition of Chemical Weapons in the Hague.

Content
To honor your privacy preferences, this content can only be viewed on the site it originates from.

In that foiled operation, Dutch law enforcement didn’t just identify and arrest Serebriakov and his team, who were part of a different GRU unit generally known as Fancy Bear or APT28. They also seized Serebriakov’s backpack full of technical equipment, as well as his laptop and other hacking devices in his team’s rental car. As a result, Dutch and US investigators were able to piece together Serebriakov’s travels and past operations stretching back years and, given his newer role, now know in unusual detail the career history of a rising GRU official.

According to the intelligence service sources, Serebriakov was placed in charge of Sandworm in the spring of 2022 after serving as deputy commander of APT28, and now holds the rank of colonel. Christo Grozev, the lead Russia-focused investigator for open source intelligence outlet Bellingcat, has also noted Serebriakov’s rise: Around 2020, Grozev says, Serebriakov began receiving phone calls from GRU generals who, in the agency’s strict hierarchy, only speak to higher-level officials. Grozev, who says he bought the phone data from a Russian black market source, says he also saw the GRU agent’s number appear in the phone records of another powerful military unit focused on counterintelligence. “I realized he must be in a command position,” says Grozev. “He can’t just be a regular hacker anymore.”

The fact that Serebriakov appears to have attained that position despite having been previously identified and indicted in the failed Netherlands operation suggests that he must have significant value to the GRU—that he’s “apparently too good to dump,” Grozev adds.