Hackers with ties to Russia have hacked into more than 170 email accounts of prosecutors and investigators across Ukraine in the past few months, as well as emails from Romania, Bulgaria, Greece and Serbia, according to an exclusive report by Reuters.
The data was inadvertently exposed on the internet by hackers and discovered by Ctrl-Alt-Intel, a collective of British and American researchers specializing in cyber threats according to the scoop by Raphael Satter, an experienced journalist who covers cybersecurity, surveillance, and disinformation for Reuters.
Ctrl-Alt-Intel said that data left on the server — including logs of successful hacking operations and thousands of stolen emails — showed that hackers compromised at least 284 mailboxes between September 2024 and March 2026.
“They left the front door wide open”
Most of the victims of the cyberattacks were from Ukraine, but targets from Romania and other NATO countries neighboring Ukraine and the Balkans, including Serbia, were also targeted.
The operation was first described last month in a Ctrl-Alt-Intel blog post. Reuters analyzed the basic data and publishes details of the cyberattacks for the first time, including the identities of more than a dozen compromised European agencies and officials.
Ctrl-Alt-Intel explained that the mistake made by the hackers provided a rare opportunity to examine how a Russian espionage campaign worked.
The hackers “simply made a huge operational mistake. They left the front door wide open, Ctrl-Alt-Intel claimed.
Dozens of accounts of the Romanian Air Force, hacked by hackers
The data shows that, apart from Ukraine, dozens of officials from neighboring NATO member countries have also been victims of cyberattacks.
In Romania, hackers compromised at least 67 Romanian Air Force email accounts, including several belonging to NATO air bases and at least one high-ranking military officer account. Romania’s Defense Ministry did not respond to requests for comment.
The new information comes after last Wednesday the president of the Nicușor Dan and the US Department of Justice announced that the FBI, together with several institutions in 15 states, including the Romanian Intelligence Service, dismantled a prolonged cyberattack on the sensitive infrastructure of several Western states.
According to Romania’s intelligence agency, the SRI, the Russian intelligence service GRU “compromised a wide range of entities globally, including in Romania, targeting in particular critical infrastructure and intelligence in the military and governmental fields.”
“Russia continues, therefore, the hybrid war against Western countries and only those who are in bad faith do not see it. Romania must improve its cybersecurity and continue to collaborate with Western partners,” Nicușor Dan said last week.
Greece, Bulgaria and Serbia also on the list
The data also shows that the spies compromised 27 mailboxes managed by the General Staff of the Greek National Defense, Greece’s highest military body.
Among those hacked were Greek military attachés in India and Bosnia, as well as the public mailbox of the Joint Armed Forces Mental Health Center in Greece.
In Bulgaria, hackers broke into at least four email boxes belonging to local officials in Plovdiv province, where Russian interference allegedly disabled satellite navigation services ahead of a visit by European Commission President Ursula von der Leyen last year.
The data also shows that the spies hacked the accounts of academics and military officials in Serbia, a traditional ally of Russia. Serbia’s Defense Ministry did not respond to requests for comment.
“An alleged close relationship with Moscow does not constitute a guarantee against Russian espionage,” said Keir Giles of the London-based think-tank Chatham House, which analyzed a list of victims of the cyberattack.
“Fancy Bear”, the main suspect
Ctrl-Alt-Intel attributed the cyberattack campaign to the “Fancy Bear” group, one of the nicknames given to a well-known Russian military team of hackers.
Two researchers who independently analyzed the Ctrl-Alt-Intel analysis — Matthieu Faou of cybersecurity company ESET and Feike Hacquebord of cybersecurity company TrendAI — agreed that the hackers had ties to Moscow.
However, Faou said that he could not verify the involvement of “Fancy Bear”, and Hacquebord disputed the involvement of Fancy Bear.
In last week’s announcement, the U.S. Department of Justice and the FBI said that, “at least since 2024, cyber actors from the GRU’s 85th Main Special Services Center (85 GTsSS) — also known as APT28, Fancy Bear, and Forest Blizzard — have been collecting authentication data and exploiting vulnerable routers worldwide, including compromising TP-Link routers using the CVE-2023-50224 vulnerability.”
What targets did they have in Ukraine
The hackers likely targeted Ukrainian law enforcement either to be one step ahead of investigators working to unmask Moscow’s spies or to gather potentially compromising information about senior officials in Kyiv, Keir Giles said.
The data showed that hackers had broken into accounts managed by the Specialized Defense Prosecutor’s Office, a war body set up to fight corruption and expose spies in the Ukrainian military.
They also targeted the Agency for the Recovery and Management of Assets of Ukraine (ARMA), which oversees assets seized from Russian criminals and collaborators, as well as the Kyiv Prosecutors’ Training Center.
Among the victims was Yaroslava Maksymenko, who was the head of the ARMA at the time, the analyzed data show. At the Prosecutors’ Training Center, data shows that hackers broke into the email accounts of 44 employees, including one belonging to the center’s deputy director, Oleg Duka.
The Russians allegedly stole data from at least one high-ranking employee of the Specialized Anticorruption Prosecutor’s Office (SAPO), which investigated some of Ukraine’s most high-profile corruption scandals, including one that led to the resignation of Andrii Yermak, President Volodymyr Zelensky’s chief negotiator, in November.
Ukraine’s cyber emergency response team said it was aware of the cyberattack and had already investigated some of the compromised cyber targets identified by Reuters.
