Russia-Linked Hackers Breach Ukrainian Prosecutors’ Emails in Broad Espionage Campaign

Russia-linked hackers compromised over 170 email accounts belonging to Ukrainian prosecutors and investigators, as well as dozens of officials across NATO member states, newly exposed data reveals.

According to data reviewed by Reuters, at least 284 inboxes were compromised between September 2024 and March 2026, with victims spanning Ukraine, Romania, Greece, Bulgaria, and Serbia. The operation was uncovered after hackers inadvertently left their server exposed online, giving British-American research collective Ctrl-Alt-Intel a rare window into the workings of a Russian espionage campaign. “They left their front door wide open,” the collective told Reuters.

Targeting Ukraine’s Anti-Corruption Infrastructure

The campaign appears specifically designed to monitor Ukrainian officials involved in rooting out corruption and identifying Russian collaborators. Among the institutions targeted were the Specialised Prosecutor’s Office in the Field of Defence, Ukraine’s Asset Recovery and Management Agency (ARMA), and the Kyiv-based Prosecutor’s Training Centre.

The data reviewed by Reuters shows that Yaroslava Maksymenko, who served as ARMA’s chief at the time, had her inbox compromised, as did 44 employees at the Prosecutor’s Training Center — including its deputy director, Oleg Duka. Hackers also allegedly obtained data from at least one senior employee of the Specialised Anti-Corruption Prosecutor’s Office (SAPO), which has handled some of Ukraine’s most high-profile corruption cases.

The hackers likely targeted Ukrainian law enforcement either to stay ahead of investigators working to expose Moscow’s spies or to gather potentially compromising information on senior Kyiv officials, Keir Giles, associate fellow at London’s Chatham House think tank, told Reuters.

How the Operation Was Uncovered

Ctrl-Alt-Intel attributed the campaign to “Fancy Bear”, the widely used nickname for a Russian military hacking unit. Two independent researchers – Matthieu Faou of ESET and Feike Hacquebord of TrendAI – agreed the operation was tied to Moscow, though Faou said he could not confirm Fancy Bear’s specific involvement, and Hacquebord disputed that attribution entirely.

NATO Allies Also in the Crosshairs

The operation’s reach extended well beyond Ukraine. In Romania, at least 67 email accounts belonging to the Romanian Air Force were compromised, including inboxes linked to NATO airbases and at least one senior military officer. Romania’s Defence Ministry, as reported by Digi24, said only 30 of those 67 accounts were successfully breached, with the remainder blocked by the army’s cyber defences.

The ministry also stated that the affected accounts were used for administrative purposes only, not for transmitting classified information, and announced the centralisation of all cyber defence procedures under direct ministerial oversight — a measure that came into force last month.

In Greece, 27 inboxes managed by the Hellenic National Defence General Staff were accessed, including those belonging to Greek defence attachés in India and Bosnia. In Bulgaria, at least four accounts held by local officials in Plovdiv province were breached — the same region where Russian interference was alleged to have disrupted satellite navigation services ahead of a European Commission president, Ursula von der Leyen, visit last year. Academics and military officials in Serbia, a traditional Russian ally, were also among the targets.

“A supposedly close relationship with Moscow is no insurance against Russian espionage,” Giles told Reuters. The campaign is described by ESET researcher Matthieu Faou as “a small set of activity regarding the whole Russia-aligned espionage ecosystem”, suggesting the full scale of Moscow’s intelligence operations across Europe remains significantly larger than what this single exposure revealed.