Over the past few months, Russian-linked hackers have breached more than 170 email accounts of prosecutors and investigators across Ukraine. In particular, employees of ARMA, the Kyiv Training Center for Prosecutors, the Specialized Prosecutor's Office in the Sphere of Defense, and the SAP could have been targeted. This is reported by Reuters, according to UNN.
Over the past few months, Russian-linked hackers have breached more than 170 email accounts of prosecutors and investigators across Ukraine. This operation demonstrates how Moscow's spies are monitoring Ukrainian officials whose task is to eradicate corruption and expose Russian collaborators
– the publication writes.
The data was reportedly accidentally exposed online by hackers and discovered by Ctrl-Alt-Intel, a collective of British and American cyber threat researchers. The organization stated that the data left on the server – including logs of successful hacking operations and thousands of stolen emails – indicates that hackers breached at least 284 mailboxes between September 2024 and March 2026.
It is also alleged that most of the victims were in Ukraine, with others from neighboring NATO countries and the Balkans.
The operation was first reported last month in a blog post by Ctrl-Alt-Intel. Reuters analyzed the raw data and is now publishing details of these hacks for the first time, including the names of more than a dozen European agencies and officials who were targeted. Ctrl-Alt-Intel noted that this error provided a rare opportunity to examine the mechanisms of a Russian espionage campaign. The hackers "simply made a huge operational mistake." They left their front door wide open
– the publication adds.
Ctrl-Alt-Intel attributed this hacking campaign to "Fancy Bear" – one of the pseudonyms used to refer to a well-known Russian military hacking group. The data showed that hackers breached accounts managed by the Specialized Prosecutor's Office in the Sphere of Defense – a wartime body created to combat corruption and expose spies in the Ukrainian army. They also targeted Ukraine's National Agency for Identification, Tracing and Management of Assets Derived from Corruption and Other Crimes (ARMA), which controls assets seized from criminals and Russian collaborators, as well as the Kyiv Training Center for Prosecutors.
According to the data, among the victims was Yaroslava Maksymenko, who headed ARMA at the time. Regarding the Prosecutor Training Center, the data shows that hackers breached the mailboxes of 44 employees, including the mailbox of the center's deputy director, Oleh Duka.
It is also reported that the Russians stole data from at least one high-ranking employee of the Specialized Anti-Corruption Prosecutor's Office, which investigated some of Ukraine's most high-profile corruption scandals, including one that led to the resignation of Andriy Yermak, head of the Presidential Office, in November.
The SAP press service informed the UNN journalist that "currently, no facts of data theft from SAP have been established. Checks are ongoing."
The Ukrainian Computer Emergency Response Team stated that it was aware of the breach and had already investigated some of the security incidents identified by Reuters.
In addition, it is alleged that hackers may have breached the mailbox of the Central City Hospital in Pokrovsk, as well as the city's financial committee's mailbox.
The data also shows that accounts of dozens of officials in neighboring NATO countries were breached. In Romania, hackers breached at least 67 email accounts belonging to the Romanian Air Force, including several accounts associated with NATO airbases, and at least one account of a high-ranking military officer.
The data also shows that spies breached 27 mailboxes managed by the Hellenic National Defence General Staff, the country's highest military body.
Among those breached were Greek military attachés in India and Bosnia, as well as the public mailbox of the Joint Mental Health Center of the Greek Armed Forces.
Recall
The State Service of Special Communications and Information Protection of Ukraine stated that Russian tactics in cyberattacks have changed. They noted that the enemy constantly changes its approaches, which requires an immediate reaction from defenders.
