Cyber threat analysts say a hacking campaign tied to Russian actors penetrated scores of inboxes used by Ukrainian prosecutors, investigators and officials, according to material recovered from an internet-exposed server. The dataset, discovered by a collective of British and American cyber researchers called Ctrl-Alt-Intel, contained logs of successful operations and thousands of stolen emails that point to a sustained espionage effort across Ukraine and parts of Eastern Europe.
Ctrl-Alt-Intel reported that the files left accessible on the server show the hackers compromised at least 284 email accounts between September 2024 and March 2026. Within that total were more than 170 accounts belonging specifically to prosecutors and investigators operating in Ukraine over the last several months, with additional victims located in neighboring NATO countries and nations in the Balkans.
The group described the exposure of the files as a significant operational error by the attackers. "They just made a huge operational blunder," Ctrl-Alt-Intel said, adding that the exposed server effectively left "their front door wide open." The disclosure provided researchers with a rare look into the mechanics of the campaign and the profiles of the targeted institutions.
Attribution and independent review
Ctrl-Alt-Intel attributed the campaign to an actor commonly referred to as "Fancy Bear," a name associated with a Russian military-linked hacking group. Two independent cybersecurity researchers who reviewed Ctrl-Alt-Intel's findings - Matthieu Faou of the firm ESET and Feike Hacquebord of TrendAI - agreed the activity was linked to Moscow, though both raised caveats about precisely assigning the operation to Fancy Bear. Faou said he could not verify Fancy Bear's involvement, while Hacquebord disputed that specific attribution.
Faou also characterized the exposed material as representing only "a small set of activity in regards to the whole Russia-aligned espionage ecosystem," signaling that while the leak is significant, it may be one component of a broader set of operations.
Targets within Ukraine
The compromised accounts included inboxes overseen by bodies established to combat corruption and to identify collaborators within the military. The dataset shows intrusions into accounts managed by the Specialized Prosecutor's Office in the Field of Defense, a wartime entity charged with rooting out corruption and unmasking spies within the Ukrainian armed forces. Also targeted was Ukraine's Asset Recovery and Management Agency (ARMA), which handles assets seized from criminals and alleged Russian collaborators, and the Prosecutor's Training Center in Kyiv.
Among named victims in the dataset was Yaroslava Maksymenko, identified as the chief of ARMA at the time covered by the files. At the Prosecutor's Training Center, the hackers reportedly accessed the mailboxes of 44 employees, including the inbox of the center's deputy director, Oleg Duka. The dataset further indicates that the attackers exfiltrated material from at least one senior employee of the Specialized Anti-Corruption Prosecutor's Office (SAPO), an agency that has investigated several high-profile scandals, including one that led to the resignation of President Volodymyr Zelenskiy's chief peace negotiator, Andriy Yermak, in November.
Maksymenko, Duka, ARMA, SAPO and the prosecutors identified in the files did not respond to requests for comment. Ukraine's Computer Emergency Response Team (CERT) said it was aware of the intrusion and had already investigated some of the compromises identified within the exposed dataset.
Wider regional footprint
The leak also documents intrusions outside Ukraine, affecting military and civilian organizations across the region. The data shows the attackers accessed an email account at the Central City Hospital in Pokrovsk, a railway hub that has been contested on the ground, as well as an inbox belonging to the city's finance committee.
In Romania, the exposed material indicates at least 67 email accounts maintained by the Romanian Air Force were compromised, including multiple accounts tied to NATO airbases and at least one held by a senior military officer. The Romanian Ministry of Defense did not respond to requests for comment.
Researchers also found evidence that the hackers accessed 27 email inboxes administered by the Hellenic National Defense General Staff, Greece's top military authority. Affected addresses reportedly included defense attaches stationed in India and Bosnia and the public-facing inbox for Greece's Joint Armed Forces Mental Health Center. The General Staff did not provide answers to a detailed set of questions submitted by researchers.
In Bulgaria, at least four local official inboxes in Plovdiv province were shown to have been breached; that region had previously been linked in allegations to disruptions of satellite navigation services ahead of a high-level visit. Bulgarian officials did not reply to requests for comment.
The dataset further indicated that academics and military officials in Serbia were among those compromised. Serbia's Ministry of Defense did not respond to inquiries. Commenting on that finding, Keir Giles, an associate fellow at Chatham House who reviewed the list of victims, said: "A supposedly close relationship with Moscow is no insurance against Russian espionage." Giles suggested the attackers likely targeted Ukrainian law enforcement either to stay ahead of investigators seeking to expose Moscow's networks or to obtain material that could be used to embarrass senior officials in Kyiv.
Implications and next steps
Ctrl-Alt-Intel said the exposure of the server gave analysts an uncommon window into operational logs and stolen communications. The material continues to be examined by security researchers to assess the full scope of the intrusions and the specific data that was removed from compromised mailboxes. The Russian embassy in Washington did not respond to requests for comment; Moscow has repeatedly denied conducting hacking operations against other countries.
The revelations underline the degree to which state-linked cyber operations can target judicial and anti-corruption institutions as part of intelligence-gathering and influence activities. At this stage, investigators and the affected organizations are continuing assessments of the breaches documented in the leaked material.