General Staff of National Defense: Russian Hackers Breach Ukrainian Prosecutors’ Emails—Then Accidentally Expose Themselves

Russian-Linked Hackers Breach Over 170 Ukrainian Email Accounts in Espionage Campaign

A coordinated cyber campaign attributed to Russian-linked hackers compromised at least 170 email accounts belonging to Ukrainian prosecutors, investigators, and government officials between September 2024 and March 2026. The operation, revealed by Reuters on April 15, targeted key institutions involved in anti-corruption efforts and investigations into Russian collaborators, including the Specialized Anti-Corruption Prosecutor’s Office, the Asset Recovery and Management Agency, and the Prosecutor Training Center in Kyiv.

The breach was uncovered after researchers at Ctrl-Alt-Intel, a UK- and US-based cyber threat group, accessed a dataset inadvertently exposed by the hackers, containing logs of successful intrusions and thousands of stolen emails. Analysts described the leak as a "major operational failure" by the attackers.

In total, 284 email accounts were compromised, with the majority in Ukraine, though the campaign also extended to Romania, Greece, Bulgaria, and Serbia. Among the victims were 44 accounts at the Prosecutor Training Center, including that of deputy director Oleh Duka, as well as a senior anti-corruption official linked to high-profile investigations. Additional targets included a municipal hospital in Pokrovsk and a local finance committee, suggesting broader infiltration beyond central government bodies.

Outside Ukraine, the operation breached 67 accounts tied to the Romanian Air Force, some linked to NATO airbases, and 27 accounts belonging to Greece’s General Staff of National Defense. Researchers believe the campaign aimed to monitor investigations into Russian espionage or extract sensitive information on Ukrainian officials.

The disclosure follows a recent joint operation by Ukraine’s Security Service (SBU), the FBI, and European partners, which disrupted a GRU-linked cyber operation exploiting vulnerable Wi-Fi routers to intercept data. The effort dismantled over 100 servers and removed hundreds of routers from Russian control.

Source: https://united24media.com/latest-news/russian-hackers-breach-ukrainian-prosecutors-emails-then-accidentally-expose-themselves-17938

General Catalyst cybersecurity rating report: https://www.rankiteo.com/company/general-catalyst

"id": "GEN1776257553",
"linkid": "general-catalyst",
"type": "Breach",
"date": "9/2024",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': 'Law Enforcement/Judicial',
                        'location': 'Ukraine',
                        'name': 'Specialized Anti-Corruption Prosecutor’s '
                                'Office',
                        'type': 'Government'},
                       {'industry': 'Law Enforcement/Finance',
                        'location': 'Ukraine',
                        'name': 'Asset Recovery and Management Agency',
                        'type': 'Government'},
                       {'customers_affected': '44 accounts compromised',
                        'industry': 'Education/Law Enforcement',
                        'location': 'Kyiv, Ukraine',
                        'name': 'Prosecutor Training Center in Kyiv',
                        'type': 'Government'},
                       {'industry': 'Healthcare',
                        'location': 'Pokrovsk, Ukraine',
                        'name': 'Municipal Hospital in Pokrovsk',
                        'type': 'Healthcare'},
                       {'industry': 'Finance',
                        'location': 'Ukraine',
                        'name': 'Local Finance Committee',
                        'type': 'Government'},
                       {'customers_affected': '67 accounts compromised',
                        'industry': 'Defense',
                        'location': 'Romania',
                        'name': 'Romanian Air Force',
                        'type': 'Military'},
                       {'customers_affected': '27 accounts compromised',
                        'industry': 'Defense',
                        'location': 'Greece',
                        'name': 'Greece’s General Staff of National Defense',
                        'type': 'Military'}],
 'attack_vector': 'Email compromise',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': 'Thousands of emails, 284 '
                                              'accounts compromised',
                 'personally_identifiable_information': "Yes (officials' "
                                                        'identities, '
                                                        'investigative '
                                                        'details)',
                 'sensitivity_of_data': 'High (government, military, and law '
                                        'enforcement communications)',
                 'type_of_data_compromised': 'Emails, logs of successful '
                                             'intrusions'},
 'date_detected': '2026-03',
 'date_publicly_disclosed': '2026-04-15',
 'description': 'A coordinated cyber campaign attributed to Russian-linked '
                'hackers compromised at least 170 email accounts belonging to '
                'Ukrainian prosecutors, investigators, and government '
                'officials between September 2024 and March 2026. The '
                'operation targeted key institutions involved in '
                'anti-corruption efforts and investigations into Russian '
                'collaborators, including the Specialized Anti-Corruption '
                'Prosecutor’s Office, the Asset Recovery and Management '
                'Agency, and the Prosecutor Training Center in Kyiv. The '
                'breach was uncovered after researchers at Ctrl-Alt-Intel '
                'accessed a dataset inadvertently exposed by the hackers, '
                'containing logs of successful intrusions and thousands of '
                'stolen emails.',
 'impact': {'brand_reputation_impact': 'Major operational failure by '
                                       'attackers, potential erosion of trust '
                                       'in government institutions',
            'data_compromised': 'Thousands of stolen emails, logs of '
                                'successful intrusions',
            'identity_theft_risk': 'High (personally identifiable information '
                                   'of officials)',
            'operational_impact': 'Compromised investigations into Russian '
                                  'collaborators and anti-corruption efforts',
            'systems_affected': 'Email accounts'},
 'initial_access_broker': {'high_value_targets': 'Ukrainian prosecutors, '
                                                 'investigators, military '
                                                 'officials, NATO-linked '
                                                 'entities'},
 'investigation_status': 'Ongoing',
 'motivation': 'Monitor investigations into Russian espionage, extract '
               'sensitive information on Ukrainian officials',
 'post_incident_analysis': {'corrective_actions': 'Disruption of GRU-linked '
                                                  'infrastructure, removal of '
                                                  'compromised routers',
                            'root_causes': 'Inadvertent exposure of attack '
                                           'logs by hackers, vulnerable email '
                                           'systems'},
 'references': [{'date_accessed': '2026-04-15', 'source': 'Reuters'},
                {'source': 'Ctrl-Alt-Intel'}],
 'response': {'containment_measures': 'Disruption of GRU-linked cyber '
                                      'operation, removal of hundreds of '
                                      'routers from Russian control',
              'law_enforcement_notified': 'Ukraine’s Security Service (SBU), '
                                          'FBI, European partners',
              'third_party_assistance': 'Ctrl-Alt-Intel (cyber threat '
                                        'researchers)'},
 'threat_actor': 'Russian-linked hackers (GRU-linked)',
 'title': 'Russian-Linked Hackers Breach Over 170 Ukrainian Email Accounts in '
          'Espionage Campaign',
 'type': 'Espionage'}