Russian Hackers Breached ARMA, SAP, and Romanian Air Base Email Systems — and Accidentally Left Evidence Online
Russian-linked cybercriminals hacked over 170 mailboxes of Ukrainian prosecutors and investigators, as well as accounts in the Romanian army. They were not exposed by intelligence agencies — but by their own mistake: a server containing logs and thousands of stolen emails was left accessible to the public.
By Tetiana Suchkova-Ladik
April 15, 2026 · 3 min read
Over 284 mailboxes were compromised between September 2024 and March 2026 — that's the figure cited by British-American researchers from Ctrl-Alt-Intel, who discovered the breach. Hackers linked to Russia made a critical error themselves: a server containing logs of successful breaches and thousands of stolen emails was left accessible on the open internet. This is how it was exposed — not by counterintelligence, not by CERT-UA, but by an independent research group.
Who was compromised: from anti-corruption officials to a hospital in Pokrovsk
Among the victims are several sensitive institutions. Hackers compromised accounts in the Specialized Prosecution Office for the Defense Sector — a military body that investigates corruption and espionage in the Armed Forces. At least one employee of the Specialized Anti-Corruption Prosecution (SAP) was also on the victims' list, though Reuters did not disclose the name.
The Agency for Asset Recovery and Management (ARMA) was also targeted — a structure that manages assets confiscated from corrupt officials and collaborators. According to Reuters, among the compromised mailboxes was the account of ARMA's then-head Yaroslava Maksymenko. At the Center for Prosecutors' Training, 44 mailboxes were breached, including the account of deputy director Oleh Duka.
The scope of the attack extended beyond Ukraine. According to Ctrl-Alt-Intel, hackers also compromised at least 67 accounts of the Romanian Air Force — including accounts at NATO airbases and at least one senior officer. Additionally, attacks were registered in Greece, Bulgaria, and Serbia.
"The hackers likely monitored investigators to get ahead of those exposing Moscow's agents, or were gathering compromising information on Kyiv officials"
Keir Giles, associate research fellow at Chatham House (London), who reviewed the victims' list
Technique: phishing. Attribution: disputed
Ctrl-Alt-Intel links the operation to the known group Fancy Bear (APT28, Russian GRU). However, two independent researchers — Matthieu Faou from ESET and Feike Hacquebord from TrendAI — confirmed the Moscow connection but disagreed on the specific group: Faou stated he cannot verify Fancy Bear's involvement, while Hacquebord denied it.
- The attack lasted at least from September 2024 through March 2026
- Over 170 mailboxes were compromised in Ukraine, with at least 284 total across various countries
- The hackers left the server with evidence in open access — this allowed researchers to document the operation
- CERT-UA confirmed awareness of some of the breaches and reported conducting investigations
Faou from ESET warns against exaggeration: the exposed operation, in his words, is "only a small part of the entire Russian espionage ecosystem". In other words, what became known is not the full scale, but only the fragment where the perpetrators made a mistake.
What this means for anti-corruption investigations
The SAP conducts cases that directly affect those in power: among its high-profile investigations is the case that in November 2024 led to the resignation of President Zelensky's chief negotiator Andriy Yermak. If the correspondence of investigators and prosecutors from this institution has truly been compromised — this is not merely a data leak, but potentially an opportunity for Moscow to anticipate the actions of anti-corruption bodies or prepare pressure on key case figures.
None of those named — Maksymenko, Duka, ARMA, SAP, and the prosecution offices — responded to Reuters' requests for comment.
If CERT-UA already "investigated some of the breaches," as the agency reports — why were victims not notified or other institutions with similar risk profiles not publicly warned? The answer to this question will determine whether this episode was an operational failure only by the hackers — or also by Ukraine's system for responding to cyber threats.