Cyber strike in Ukraine: Prosecutors and institutions compromised by Russian hackers. The error that exposed the entire spy operation

Prosecutors, investigators and anti-corruption institutions in Ukraine were the main targets of a hacking operation attributed to Russia. The attack also targeted NATO countries, such as Romania, where dozens of accounts managed by the Air Force and NATO bases were hacked.
A Reuters investigation, based on data accidentally discovered online by cybersecurity researchers, shows that hackers compromised at least 284 email accounts between September 2024 and March 2026.
Most of the victims are from Ukraine, where more than 170 accounts belonging to prosecutors, investigators and institutions involved in the fight against corruption and identifying Russian collaborators were hacked.
According to the analyzed data, among the institutions targeted are the Specialized Prosecutor's Office in the field of Defense, a body created in the context of the war to fight corruption and detect spies in the Ukrainian army, the Asset Recovery and Administration Agency (ARMA), but also the Training Center for Prosecutors in Kyiv.
High-ranking officials were also among the victims. The hackers also compromised the account of Yaroslava Maksymenko, who headed ARMA at that time, as well as the inboxes of 44 employees of the Prosecutors' Training Center, including that of deputy director Oleg Duka.
Also, the attackers allegedly obtained data from the account of a senior employee of the Specialized Anti-Corruption Prosecutor's Office (SAPO), an institution that investigated some of the most important corruption scandals in Ukraine.
Romania and other NATO states also targeted
The operation was not limited to Ukraine. The data shows that the hackers also targeted several NATO and Balkan states.
In Romania, at least 67 email accounts managed by the Romanian Air Force were allegedly compromised, including some belonging to NATO air bases and at least one senior military officer.
In Greece, attackers breached 27 accounts managed by the National Defense Staff, including addresses used by military attachés in India and Bosnia.
In Bulgaria, at least four accounts belonging to local officials in Plovdiv province, an area where there were allegations of Russian interference with satellite navigation systems last year, were compromised.
The data also shows that military officials and academics from Serbia, a traditional ally of Moscow, were targeted.
The error that exposed the entire cyber espionage operation
The campaign was discovered after the hackers made what researchers say was a major operational error, leaving a server containing logs of successful operations and thousands of stolen emails exposed on the Internet.
The discovery was made by Ctrl-Alt-Intel, a collective of British and American researchers specializing in cyber threats.
The platform attributed the attacks to the “Fancy Bear” group, one of the most notorious hacking structures associated with Russia's military intelligence service, the GRU.
Two independent cyber security experts, from ESET and TrendAI, confirmed the operation's connection to Moscow, although opinions differ on Fancy Bear's exact involvement.
“They left their front door wide open,” the researchers said, referring to the accidentally exposed server.
The revelations come shortly after intelligence and law enforcement agencies in the US, Canada, Ukraine, Romania, Germany, Italy and Poland announced the bust of another spy operation attributed to the GRU, which used poorly protected Wi-Fi routers.
MApN reaction: the incident was detected and contained within 24 hours
The Ministry of National Defense (MApN) reported that the security incident targeting its e-mail infrastructure was detected in March 2025 and involved the compromise of “several dozen email addresses”, while for another 30 addresses the exploitation attempt was not successful.
According to MApN, the incident was identified, analyzed by the competent structures and isolated within 24 hours.
The institution specifies that the targeted data was unclassified, used for current administrative activities and for the circulation of public information, so that “there was no possibility of accessing or exfiltrating classified data”.
In order to limit the occurrence of similar situations, MApN announced that cyber security has been fully taken over at the central level starting from March 2026, and the infrastructures are constantly monitored to eliminate possible vulnerabilities.




