Food delivery leak exposes Russian security guards

Russian tech giant Yandex blamed one of its employees for the hack and subsequent leak of data from Yandex.Food, a popular food delivery service in Russia.

Among the many affected users are on-duty officers of the Russian security services and military, who in several cases even ordered food from their workplaces using their official email addresses.

This 1.2 gigabyte leak includes user emails and passwords, as well as a large number of phone numbers, addresses and orders placed on the platform. Russian media watchdog Roskomnadzor has strongly attempted to block its proliferation.

Some investigators have already uncovered leads for corruption investigations from this data leak, namely a 170 million ruble (~US$2 million) apartment linked to Russian President Vladimir Putin’s “secret girl”.

Bellingcat analyzed the data to verify its authenticity and uncover new lines of inquiry. By cross-referencing the data points of this leak with independent sources, including social media profiles and other leaked databases, we can confirm that it is indeed authentic. However, as with most data leaks, the vast majority of this information does not have legitimate research purposes, which is why we do not link the data itself. Personal details have been obscured in screenshots throughout this article.

We only used this leak to explore further information about the subjects of previous investigations – many of whom are members of the Russian security services and military.

What’s in the leak?

The main part of the data leak includes the order information, as well as some personal information collected from the user. These include their Yandex.Food ID, address, contact details, delivery instructions, billing information, and metadata.

One address of interest to Bellingcat is Dorozhnaya Street 56 in Moscow. This facility is linked to the Russian National Guard (Rosgvardia), which took an active part in the invasion of Ukraine.

First, here’s an example of how the personal details of users who ordered food are displayed in the leak.

The first name is a required field, but the full name is often left blank. Below is a fictional Andrey Andreyev placing his order. The email field is also optional, although the phone number is required. In some cases, user data with phone number, name and email address will be included even if no order has been placed – probably from when a user has registered but has not placed an order on the app.

Data containing generic personal information, for illustrative purposes

The delivery address – not to be confused with the user’s home address, which is not included in this data – is also included, along with delivery instructions. These delivery instructions, as detailed later in this article, are some of the most fascinating data points in this leak.

In the case below, showing address data and delivery instructions that reflect an actual Yandex.Food order, the customer specified that the order was sent to military unit 3792 and that the courier should call the number given on arrival so that it could be picked up at the front door. This military unit number corresponds to the 681st Special Motorized Regiment of Rosgvardia.

Entry of an order sent to a Rosgvardia base, with phone number and name anonymized for illustration

The last fields are the latitude and longitude of the user at the time of the order, the amount charged for the order (738 rubles, which equals approximately 8.76 USD), the operating system or browser used, the time of the order and finally any comments from the user concerning a door entry code (digicode).

For researchers, the location fields are probably the most useful here, as the coordinates usually correspond to the delivery address. In this case, they coincide with the address Dorozhnaya 56 in Moscow.

Entry of an order sent to a Rosgvardia base, with OS data anonymized

The vast majority of this data relates to ordinary Russian citizens whose ordering habits are of little use for investigative research. However, targeted searches of addresses, phone numbers, names, and notes in the delivery instructions pointed our researchers toward some interesting leads.

GRU to MFA?

We searched the leak for the phone numbers of a range of individuals linked to the GRU, Russia’s foreign military intelligence service, that we have uncovered over the past few years.

One of these numbers belongs to a man named Yevgeny who was linked to the GRU Academy and was a contact of high-ranking GRU officer Andrei Ilchenko. After looking up his phone number, we found an order he placed at 1st Neopalimovsky Lane 12 in Moscow. This address is publicly listed as a property of the Consular Service of the Ministry of Foreign Affairs. Further investigation of this individual through leaked vehicle registration information from Moscow Oblast revealed the license plate of a luxury car, which was photographed in Kyiv in 2019.

It is unclear if Yevgeny is still linked to the GRU or if he has a new job at the MFA, but thanks to the information revealed in his food delivery order, it has become possible to dig deeper into his recent activities.

User information pointing to a Ministry of Foreign Affairs building

FSB contact identified

During our investigation into the poisoning of Alexey Navalny by a team of FSB officers, we analyzed numerous calls made by phone numbers linked to those conducting and planning the operation.

A number that came up quite often was associated with a research institute in Dubna, a town north of Moscow. We were unable to identify the owner of this phone number until it was searched for in the Yandex.Food leak, which revealed the name of this person, who spoke frequently with the FSB agents planning the Navalny poisoning. It is unclear what role this person played in organizing and carrying out the poisoning of Navalny, but he was on the phone with one of the FSB team members the night of the poisoning and the following morning, when Navalny’s flight was diverted to Omsk.

Additionally, he used his work email address when signing up for the service, making it clear that it is the same person and not just a recycled phone number with a new owner.

Military and security services identities

Perhaps the most obvious use of this database (at least for Bellingcat) is to cross-reference users’ personal data with facility functions at addresses used for orders – in other words, to find spies and soldiers.

Let’s start with something simple: the address of the GRU headquarters in Moscow, at Khoroshovskoye Shosse 76.

Searching for this address brings up four results (two each for two different users named Danila). These are just a few results for what is a large installation, suggesting either restraint on the part of GRU personnel, or a number of dining options within walking distance.

Four orders sent to GRU headquarters in northwest Moscow

We cannot attribute the same restraint or choice of food options to the FSB.

The search for the FSB special operations center in the Moscow suburb of Balashikha yields 20 hits. One of the reasons for this could be the more remote location of this facility, relative to the GRU headquarters. These results often contain detailed instructions on how the delivery driver should get the food to the user; one user wrote, “Climb the three arrow barriers near the blue stand and call. After the 110 bus stop until the end”.

Another user wrote: “Territory closed. Go up to the checkpoint. Call [number] ten minutes before your arrival!” This number is probably a second number linked to the same user.

A selection of orders sent to the FSB special operations center on the outskirts of Moscow

Fishing for interesting addresses

In addition to finding known addresses that are already of interest – military bases, FSB and GRU offices, etc. – you can also search through the delivery instructions to find new places that might be worth digging into. For example, when searching for войсковая часть (military unit) in the delivery instructions field, a few dozen results appeared which warned the courier that the delivery location is a military base and that the order must be dropped off at a checkpoint at the entrance. In some cases, the user notes the specific military unit number in the instructions.

Delivery instructions to facilities related to military units in Kazan and Yekaterinburg

The leaks continue unabated

This leak marks another entry in a long list of massive data breaches for Russian citizens, some of the most significant of which include vehicle registration data, social media platform (VK) user information and complete records of air travel.

Regular streams of data flow out of Russia for a number of reasons, but the most obvious include petty corruption, pervasive human error, and comprehensive state surveillance laws backfiring.

Following the “Yarovaya Law” adopted in 2016, Russian telecom operators were required to retain customer data. This data was intended only for the security services, but it is also often illegally sold to online buyers. Thus, a law intended to strengthen the FSB and other security services was used against them when Bellingcat and other investigative bodies acquired the retained telecommunications data of FSB agents to reveal wrongdoing.

With the increase in cyberattacks from Ukrainian and pro-Ukrainian hacker organizations, we should expect to see more leaks of government and customer databases, some of which could be useful for investigating matters of public interest.
Additional research by Michael Sheldon, Logan Williams and the Bellingcat Technical Investigation Team