Hacking error exposes Russian spying campaign across Europe

Most of the victims were in Ukraine, while the rest were from neighboring NATO countries and the Balkans.

Illustration, Photo: Shutterstock
Disclaimer: The translations are mostly done through AI translator and might not be 100% accurate.

Hackers linked to Russia have broken into more than 170 email accounts belonging to prosecutors and investigators across Ukraine in recent months, according to data reviewed by Reuters, in a campaign that shows Moscow's spies are monitoring Ukrainian officials tasked with exposing corruption and Russian collaborators.

The data was accidentally exposed online by hackers and was discovered by Ctrl-Alt-Intel, a collective of British and American cyber threat researchers. Ctrl-Alt-Intel said the data left on the server - including records of successful hacking operations and thousands of stolen emails - showed that hackers compromised at least 284 mailboxes between September 2024 and March 2026.

Most of the victims were in Ukraine, while the rest were from neighboring NATO countries and the Balkans.

The operation was first described last month in a blog post by Ctrl-Alt-Intel. Reuters has reviewed the underlying data and is publishing details of the intrusions for the first time, including the identities of more than a dozen European agencies and officials whose accounts were compromised.

Ctrl-Alt-Intel said the error provided a rare opportunity to look into the workings of the Russian espionage campaign.

The hackers, they said, "made a huge operational error."

"They left the front door wide open," Ctrl-Alt-Intel announced.

The Russian embassy in Washington did not respond to requests for comment. Moscow has consistently denied conducting hacking operations against other countries.

Hackers linked to Moscow

Ctrl-Alt-Intel attributed the hacking campaign to "Fancy Bear," one of the nicknames of a notorious Russian military hacking group. Two researchers who independently reviewed Ctrl-Alt-Intel's work - Matthieu Faou of cybersecurity firm ESET and Feike Hacquebord of TrendAI - agreed that the hackers were linked to Moscow. However, Faou said he could not confirm that Fancy Bear was involved, while Hacquebord disputed their connection to the group.

The hackers likely targeted Ukrainian law enforcement agencies to stay one step ahead of investigators working to expose Moscow's spies or to gather potentially compromising information about senior officials in Kiev, said Keir Giles, a fellow at London-based Chatham House, who reviewed the list of victims.

The data shows that hackers broke into accounts managed by the Specialized Defense Prosecutor's Office, a wartime body set up to fight corruption and expose spies in the Ukrainian military. The Ukrainian Agency for Asset Recovery and Management (ARMA), which oversees assets seized from criminals and Russian collaborators, as well as the Kiev-based Prosecutors' Training Center, were also targeted.

Among the victims was Yaroslava Maksimenko, who was the head of ARMA at the time, the data shows. At the Prosecutors' Training Center, the data shows that hackers broke into the mailboxes of 44 employees, including the account of the center's deputy director, Oleg Duka.

The Russians have allegedly stolen the data of at least one senior official of the Specialized Anti-Corruption Prosecutor's Office (SAPO), which has investigated some of Ukraine's most high-profile corruption scandals, including the one that led to the resignation of President Volodymyr Zelensky's chief peace negotiator, Andriy Yermak, in November.

Maksimenko, Duka, ARMA, SAPO and prosecutors did not respond to requests for comment. Ukraine's Computer Emergency Response Team said it was aware of the attack and had already investigated some of the compromises identified by Reuters.

Hackers spied on Kremlin opponents - and friends

The attack discovered by Ctrl-Alt-Intel represents "a small part of the activity within the overall espionage ecosystem aligned with Russia," ESET researcher Faou said.

The data shows that hackers broke into the email account of the Central City Hospital in Pokrovsk, a railway hub over which Russia is trying to consolidate control, as well as the account of the city's finance committee.

Numerous officials in surrounding NATO countries have also been compromised, the data shows.

In Romania, hackers compromised at least 67 Romanian Air Force email accounts, including several belonging to NATO air bases and at least one senior military officer. The Romanian Defense Ministry did not respond to requests for comment.

The data also shows that spies compromised 27 email accounts managed by the Greek National Defense General Staff, the country's highest military body. Among the hacked accounts were those of Greek military attaches in India and Bosnia, as well as a public account of the Joint Center for Mental Health of the Greek Armed Forces. The General Staff did not respond to a detailed list of questions.

In Bulgaria, hackers broke into at least four mailboxes of local officials in the Plovdiv region, where Russian interference was alleged to have disabled satellite navigation services last year ahead of a visit by European Commission President Ursula von der Leyen. Bulgarian officials did not respond to requests for comment.

The data also shows that spies have hacked academics and military officials in Serbia, a traditional Russian ally. The Serbian Defense Ministry did not respond to requests for comment.

"The supposedly close relationship with Moscow is no protection against Russian espionage," Giles said.
