By Raphael Satter
WASHINGTON, April 15 (Reuters) - Russia-linked hackers broke into more than 170 email accounts belonging to prosecutors and investigators across Ukraine during the last several months, according to data reviewed by Reuters, a campaign that shows how Moscow’s spies are keeping tabs on the Ukrainian officials tasked with rooting out corruption and Russian collaborators.
The data was inadvertently exposed to the internet by the hackers and discovered by Ctrl-Alt-Intel, a collective of British and American cyber threat researchers. Ctrl-Alt-Intel said data left on the server - including logs of successful hacking operations and thousands of stolen emails - showed that the hackers compromised at least 284 inboxes between September 2024 and March 2026.
Most of the victims were in Ukraine; others are from neighboring NATO countries and the Balkans.
The operation was first described last month in a Ctrl-Alt-Intel blog post. Reuters reviewed the underlying data and is publishing details of the hacks for the first time, including the identities of more than a dozen compromised European agencies and officials.
Ctrl-Alt-Intel said the mistake provided a rare opportunity to examine the workings of a Russian espionage campaign.
The hackers “just made a huge operational blunder,” Ctrl-Alt-Intel said. “They left their front door wide open.”
The Russian embassy in Washington did not respond to requests for comment. Moscow has repeatedly denied it engages in hacking operations against other countries.
HACKERS TIED TO MOSCOW
Ctrl-Alt-Intel attributed the hacking campaign to “Fancy Bear,” one of the nicknames assigned to a well-known Russian military hacking squad. Two researchers who independently reviewed Ctrl-Alt-Intel’s work - Matthieu Faou, with the cybersecurity company ESET, and Feike Hacquebord, with the cybersecurity company TrendAI - agreed the hackers were tied to Moscow. However, Faou said he could not verify Fancy Bear was involved, and Hacquebord disputed Fancy Bear's involvement.
The hackers likely targeted Ukrainian law enforcement either to stay ahead of investigators working to expose Moscow’s spies or to gather potentially embarrassing information about top officials in Kyiv, said Keir Giles, an associate fellow at London’s Chatham House think tank, who reviewed a list of the victims.
The data showed the hackers broke into accounts managed by the Specialized Prosecutor's Office in the Field of Defense, a wartime body established to fight corruption and unmask spies in the Ukrainian military. They also targeted Ukraine’s Asset Recovery and Management Agency (ARMA), which oversees assets seized from criminals and Russian collaborators, and the Kyiv-based Prosecutor's Training Center.
Among the victims were Yaroslava Maksymenko, who was the chief of ARMA at the time, the data shows. At the Prosecutor's Training Center, the data shows the hackers broke into the mailboxes of 44 employees, including one belonging to the center’s deputy director, Oleg Duka.
The Russians allegedly stole data from at least one senior employee of the Specialized Anti-Corruption Prosecutor's Office (SAPO), which has investigated some of Ukraine’s most high-profile corruption scandals, including one that prompted the resignation of President Volodymyr Zelenskiy’s chief peace negotiator Andriy Yermak in November.
Maksymenko, Duka, ARMA, SAPO, and the prosecutors did not respond to requests for comment. Ukraine's Computer Emergency Response Team said it was aware of the hack and had already investigated some of the compromises identified by Reuters.
HACKERS SPIED ON KREMLIN FOES - AND FRIEND
The hack uncovered by Ctrl-Alt-Intel represents "a small set of activity in regards to the whole Russia-aligned espionage ecosystem,” said Faou, the ESET researcher.
The data shows the hackers broke into the email inbox of the Central City Hospital in Pokrovsk, a railway hub Russia has been trying to cement its control over, as well as an inbox belonging to the city’s finance committee.
Scores of officials in surrounding NATO countries were also hacked, the data shows.
In Romania, the hackers compromised at least 67 email accounts maintained by the Romanian Air Force, including several belonging to NATO airbases and at least one senior military officer. The Romanian Ministry of Defense did not respond to requests for comment.
The data also shows the spies compromised 27 email inboxes managed by Hellenic National Defense General Staff, Greece’s top military body. Among those hacked were Greek defense attaches in India and Bosnia and the public-facing inbox for Greece’s Joint Armed Forces Mental Health Center. The General Staff did not answer a detailed list of questions.
In Bulgaria, the hackers broke into at least four inboxes belonging to local officials in Plovdiv province, where Russian interference was alleged to have disabled satellite navigation services ahead of a visit by European Commission President Ursula von der Leyen last year. Bulgarian officials did not respond to comment requests.
The data also shows the spies hacked academics and military officials in Serbia, a traditional Russian ally. Serbia’s Ministry of Defense did not respond to requests for comment.
“A supposedly close relationship with Moscow is no insurance against Russian espionage," Giles said.
(Reporting by Raphael SatterEditing by Rod Nickel)
