Operational blunder exposes massive Russian cyber espionage attack on Ukrainian prosecutors

A major cyberattack has compromised the email accounts of Ukrainian prosecutors and investigators. According to data reviewed, more than 170 accounts were breached over several months. The attack highlights growing concerns about cyber espionage during an ongoing conflict.

The hackers targeted multiple government bodies in Ukraine. These included the Specialized Prosecutor’s Office in the Field of Defense, the Asset Recovery and Management Agency (ARMA), and the Kyiv-based Prosecutor’s Training Center. These institutions play a key role in investigating corruption and identifying Russian collaborators.

The data shows that several senior officials were also affected. Among them was Yaroslava Maksymenko, who served as the chief of ARMA at the time. At the Prosecutor’s Training Center, 44 employees had their mailboxes compromised, including deputy director Oleg Duka.

The hackers also accessed at least one senior employee’s account from the Specialized Anti-Corruption Prosecutor’s Office (SAPO). This office has handled some of Ukraine’s most sensitive corruption cases, including one involving Andriy Yermak.

Exposed server reveals scale and timeline of the cyber operation

The cyberattack came to light after hackers accidentally exposed their own data online. This information was discovered by a group of cyber threat researchers known as Ctrl-Alt-Intel. The exposed server contained logs of hacking activity and thousands of stolen emails.

The data revealed that at least 284 email accounts were compromised between September 2024 and March 2026. Most of the victims were Ukrainian officials, but others were from European countries.

Researchers described the exposure as a major operational mistake. According to Ctrl-Alt-Intel, the hackers “left their front door wide open.” This allowed investigators to study how the cyber operation worked in detail.

Two cybersecurity experts, Matthieu Faou from ESET and Feike Hacquebord from TrendAI, reviewed the findings. Both agreed that the operation was linked to Russia, although there was some disagreement over whether the group known as Fancy Bear was directly involved.

Hackers likely aimed to monitor investigations and gather intelligence

Experts believe the main goal of the cyberattack was to gather intelligence. By accessing email accounts, the hackers could monitor ongoing investigations and internal discussions within Ukrainian agencies.

Keir Giles, an associate fellow at Chatham House, said the attackers may have wanted to stay ahead of Ukrainian investigators. These investigators are responsible for exposing Russian spies and corruption networks. Access to their communications could provide valuable insights.

The hackers may also have been searching for sensitive or damaging information. Such data could be used to influence decisions or create pressure on officials.

Researchers noted that this operation is likely only a small part of a much larger espionage effort. This suggests that similar cyber activities may still be ongoing and undetected.

Cyber campaign extends to European military and government targets

The cyberattack was not limited to Ukraine. The leaked data shows that several other countries were also affected, including Romania, Greece, Bulgaria, and Serbia.

In Romania, at least 67 email accounts linked to the Romanian Air Force were compromised. Some of these accounts were connected to NATO airbases and included at least one senior military officer.

In Greece, 27 email accounts from the Hellenic National Defense General Staff were accessed. These included accounts of defense attachés in India and Bosnia, as well as a public inbox for the Joint Armed Forces Mental Health Center.

In Bulgaria, hackers broke into at least four email accounts belonging to local officials in Plovdiv province. This region had previously been linked to incidents involving interference with satellite navigation systems.

Serbia was also affected, despite its traditionally close relationship with Russia. The data shows that academics and military officials were among those targeted.

The hackers even accessed accounts outside military and government circles. These included an email account from the Central City Hospital in Pokrovsk and a city finance committee inbox.

The wide range of targets shows that cyber espionage efforts are not limited by borders or alliances. Russia has denied involvement in such hacking activities, but cybersecurity experts continue to track patterns linking these operations to Moscow.
