Menu
Browse

Cyber Threat Actor: BadWolf

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Russia
3 incidents
Profile

The threat actor known as Dmitry Badin, also operating under the alias BadWolf, is associated with Russian‑based cyber activity. Public reporting links the actor to operations originating from Russia, although precise geographic details beyond that are not disclosed. The actor has been identified in open sources as responsible for a series of data‑exposure and intrusion events. These activities have drawn attention from federal authorities in the United States and from German officials. The actor’s aliases appear in forum posts claiming responsibility for leaked information. Overall, the actor is characterized by a pattern of targeting governmental and law‑enforcement entities.

In one incident, the actor was tied to the publication of confidential property records belonging to approximately four thousand law‑enforcement personnel, prosecutors and judges in a Florida county. The leak was described as retaliation against a local sheriff’s office accused of surveilling critics. In a separate episode, the actor was linked to the compromise of German Chancellor Angela Merkel’s email accounts and the Bundestag network, where attackers used Sofacy/APT28 malware to exfiltrate years of correspondence. The German intrusion was characterized as espionage and part of a broader Russian state‑sponsored campaign of cyber‑disinformation. Together, these cases show a focus on law‑enforcement and government sectors in the United States and Europe. The actor’s objectives therefore include retaliation in the Florida case and intelligence gathering in the German case. Technical details associated with the actor’s operations reference the Sofacy/APT28 malware family, which was observed in the German email compromise. No specific initial‑access vectors or exploit kits are disclosed in the available sources for either incident. The actor’s tooling style appears consistent with the use of established espionage‑oriented malware rather than custom ransomware or financially motivated payloads. Attribution to Russian state‑sponsored actors is repeatedly cited, with the Sofacy group (APT 28) named as the responsible entity in the German case and a suspect also implicated in U.S. election interference mentioned in the same reporting. The actor is therefore linked to a broader nexus of state‑aligned cyber activity rather than an independent criminal syndicate. Representative operations include the 2015 Bundestag email intrusion and the 2016 Florida law‑enforcement records disclosure.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
0 sources