{
	"id": "9333c7e7-d648-4621-9ba1-1072c97e610c",
	"created_at": "2026-04-06T00:07:07.896665Z",
	"updated_at": "2026-04-10T03:30:41.343332Z",
	"deleted_at": null,
	"sha1_hash": "4ca012b8c3ecc86b04343ed8006bd53cc4ef7f89",
	"title": "Pro-Ukraine hackers leak Russian data in hopes someone will make sense of it",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185317,
	"plain_text": "Pro-Ukraine hackers leak Russian data in hopes someone will\r\nmake sense of it\r\nBy Daryna Antoniuk\r\nPublished: 2023-02-03 · Archived: 2026-04-05 14:28:43 UTC\r\nIn October, investigative journalists at Bellingcat identified a secretive group of Russian military engineers\r\nresponsible for programming the flight paths of high-precision cruise missiles. Their attacks on Ukraine’s critical\r\nand civilian infrastructure had left millions of Ukrainians without electricity and heating and caused hundreds of\r\ncivilian deaths and injuries.\r\nBellingcat used open-source intelligence and leaked information from Russia’s underground data markets to\r\nidentify people in this group.\r\nSuch leaks have proven useful for investigative journalism groups – although it isn’t obvious what to do with\r\nterabytes of unstructured data, which is extremely difficult to analyze and verify, according to Aric Toler, director\r\nof training and research at Bellingcat.\r\n“Most big data dumps have a few interesting nuggets for every hundred or thousand boring, mundane, useless data\r\npoints,” Toler told The Record.\r\nSince the start of the war in Ukraine, Bellingcat has seen a \"gigantic surge\" of new leaks from pro-Ukrainian\r\nhackers against Russia, according to Toler. American investigative reporter Emma Best, a founder of the\r\nwhistleblower site Distributed Denial of Secrets (DDoSecrets), told The Record in July that hackers had leaked\r\nover 12 million Russian documents to the organization since February.\r\n“Ukrainian hackers have data on almost every resident of Russia, even those who do not use a computer,” said\r\nSean Townsend, spokesperson at the Ukrainian Cyber Alliance.\r\nUkrainian hackers and their allies publish Russian data leaks almost daily. 
Among their targets are state agencies,\r\nsuch as the Central Bank of Russia and the media monitoring service Roskomnadzor, as well as civil companies\r\nsuch as the taxi aggregator Citymobil or the service for tour operators Level Travel.\r\nRussian hackers also leak data from Ukrainian networks, but these operations often have little strategic value to\r\neither side and are primarily useful from a propaganda perspective, said Gavin Wilde, an expert on Russia and\r\ninformation warfare.\r\nhttps://therecord.media/pro-ukraine-hackers-leak-russian-data-in-hopes-someone-will-make-sense-of-it/\r\nPage 1 of 6\n\nEliot Higgins, the founder of Bellingcat. Image: The Norwegian Foundation for a Free and Investigative Press\r\n“The apparently opportunistic and uncoordinated nature of these operations also creates difficulty in separating\r\npotentially valuable insights from useless chaff,” he told The Record.\r\nFor Ukrainian hackers, the value and practicality of leaked data are not necessarily the most important thing —\r\nthey leak data to anger the Kremlin, draw attention to their activities, attract new members and distract their\r\nadversaries from more disruptive operations. \r\nHackers usually leave it up to journalists and intelligence agencies to decide what to do with troves of leaked\r\ndocuments. \r\n“Successful hacking and exfiltration is often the easy part,” said Wilde. “Making sense of mountains of\r\nunstructured data is an entirely different ballgame — these collectives seem content to simply pass that burden\r\nonto anyone else.”\r\nRegardless of their effect, hack-and-leak operations are a central component of this cyberwar. 
\"These cyberattacks\r\ndraw out actors driven by everything from pure ego to sincere patriotism, who might have otherwise been\r\nreluctant to engage in hacktivism,” Wilde said.\r\nSome of these data leaks can be valuable for journalists or intelligence services down the road.\r\n“Not all of the data is immediately helpful, but it adds to the huge repository of data that already exists in Russia,\r\nlinking together addresses, names, and phone numbers,”  Toler said.\r\nAngry hackers\r\nFor many Ukrainian tech specialists, hacking Russia is an emotional thing — they do it out of anger or despair\r\nwhen other ways to fight the enemy are not available. \r\nWhen Russia launched a massive missile attack on Ukrainian cities on New Year's Eve, Ukrainian hackers wrote\r\non Telegram that they would attack Russian digital infrastructure in response.\r\nThe most common types of cyberattacks among Ukrainian hackers and hacktivists are distributed denial-of-service, defacements, and data leaks — these attacks don't require as much skill as more destructive operations,\r\nseveral cybersecurity experts said.\r\nDespite the lack of noticeable influence, hacktivists’ attacks can annoy the Russian government. The Kremlin said\r\nin December that it intends to impose fines of up to $7 million on companies affected by data breaches, as well as\r\ndevelop a system that will detect leaked data published on Telegram.\r\nIn 2022, hackers leaked more than 1.5 billion lines of personal data of Russian citizens, according to Moscow-based cybersecurity company Kaspersky Lab.\r\nInstead of selling the leaked data on darknet forums, pro-Ukrainian hackers publish it in Telegram channels, such\r\nas NLB, DumpForums, or Data1eaks. 
The most common response from the Russian government to these leaks is\r\nto dismiss them – claiming they contain outdated information or data that was already in the public domain.\r\nThis is not always true. For example, after hackers from the pro-Ukrainian group NLB published 17 million lines\r\nof data leaked from Moscow's e-schooling service earlier in December, the Russian government denied that the\r\ndatabase contained data of real users. However, BBC Russia wrote that its reporters looked through the database\r\nand found information about their own children inside.\r\nLegitimate targets\r\nThe data of Russian schoolchildren is unlikely to help Ukraine win the war, but pro-Ukrainian hackers told The\r\nRecord that when it comes to Russia, all their targets are “legitimate.”\r\n“Why are the Russians' data hacked? This is because their compatriots came to Ukraine to kill and steal,”\r\nTownsend, from the Ukrainian Cyber Alliance, wrote on Telegram. “Anything ending in .ru is a legitimate target.”\r\nA hacktivist group from Belarus called the Cyber Partisans also follows this rule when they pass on Russian data\r\nto journalists.\r\n“Russia provoked a war that is supported by the majority of the population, so from a moral point of view, we are\r\nnot worried about the privacy of the data of Russian citizens,” the group’s spokesperson Yuliana Shemetovets told\r\nThe Record.\r\nWhen Cyber Partisans leaks the data of Belarusian citizens, they are more careful. “We do not share highly\r\nsensitive information, such as passport data of Belarusians, with journalists. Even most Cyber Partisans do not\r\nhave access to this information,” Shemetovets said.\r\nAnd while government and intelligence services are a priority for hackers, sometimes the information they get\r\nfrom civilian companies also turns out to be useful. 
\r\nFor example, among the many users affected by a data leak from Yandex Food, a popular food delivery service in\r\nRussia, are agents of Russia’s security services and military, who in several cases ordered food to their workplaces\r\nusing their official email addresses, according to Bellingcat.\r\nI took a look at the Yandex Food (basically Russian Doordash) leak to see what investigative leads\r\ncould be found within. Turns out: a lot of FSB officers like to have food delivered to their work, with\r\ndetailed delivery instructions.\r\nNew on @bellingcat: https://t.co/I97rtYNvL6— Aric Toler (@AricToler) April 1, 2022\r\nTo verify the authenticity of this leak, Bellingcat cross-referenced data points to independent sources including\r\nsocial media profiles and other leaked databases. Bellingcat's staff and contributors in more than 20 countries use\r\npublicly-available data, social media posts, and leaked documents to investigate a variety of subjects – war crimes,\r\nhuman rights abuses, and organized crime. One of its high-profile investigations helped to identify a key suspect\r\nin the Malaysian Airlines Flight 17 accident in 2014. \r\n“A successful data leak is not about hacking one big target, it is about the amount of data obtained,” Townsend\r\ntold The Record. “With a lot of data, you can find anyone.”\r\nUkraine’s government uses data obtained from hackers to assemble the so-called “Book of Executioners,” listing\r\nRussian soldiers who kill and allegedly torture Ukrainians. Ukraine-based OSINT company Molfar cooperates\r\nwith hackers to obtain leaked Russian databases, such as those of FSB employees, which it then verifies and sends\r\nto journalists.\r\nAnalyzing data\r\nWhen hackers leak data, they rarely care what happens to it next. 
\r\n“My main task is to gather data and give it to those who know what to do with it,” said Yaroslav Garaguts, founder\r\nof the Clarity Project open database. Leaked data is usually used by journalists to conduct investigations or law\r\nenforcement agencies to identify suspects, he said.\r\nAccording to Shemetovets from Cyber Partisans, hacktivists don't have the time or resources to investigate all the\r\ndata, so they give it to journalists they trust.\r\n“Hacking large databases is a big responsibility,” she said. “This data should be protected by the government, but\r\nit fell on the shoulders of Cyber Partisans. We were just lucky that it got into the hands of people with the right\r\nvalues.”\r\nNot all hackers can handle leaked data responsibly. With large data dumps, hackers usually have “a very loose\r\nidea of what is in there due to the sheer amount of data (hundreds of gigabytes, at times), along with a possible\r\nlack of language and cultural understanding of the content,” Toler said.\r\nSome leaks, on the other hand, are over-curated. “You have to be really careful about verification and considering\r\nwhat the objective of the leakers may be,” Toler told The Record.\r\nVerification of leaked data is a laborious process, according to him. It's not really possible for the giant-mega-ultra\r\ndumps of information to be entirely fabricated, but it is possible to sneak a fake bit of data into it. \r\nDestructive attacks\r\nThe fact that both Russian and Ukrainian hacktivists are mostly involved in DDoS, defacement, and hack-and-leak\r\noperations suggests the limits of both their capabilities and risk tolerance, according to Wilde. 
“More sophisticated\r\noffensive cyber operations are hard to pull off and might draw too much of the wrong kind of attention,” he said.\r\nSome experts believe that these operations are only the tip of the iceberg and that hackers simply do not talk about\r\nmore serious cyberattacks.\r\nThe transition from espionage and data leaks to destructive attacks requires time and sufficient skills, according to\r\nTownsend.\r\n“There are many hackers behind Ukraine and they will become more organized and move on to more serious\r\noperations that will cause more damage to the Russian IT infrastructure. But this is a slow process,” he said.\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/pro-ukraine-hackers-leak-russian-data-in-hopes-someone-will-make-sense-of-it/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://therecord.media/pro-ukraine-hackers-leak-russian-data-in-hopes-someone-will-make-sense-of-it/"
	],
	"report_names": [
		"pro-ukraine-hackers-leak-russian-data-in-hopes-someone-will-make-sense-of-it"
	],
	"threat_actors": [
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4a73cb62-be05-49d2-9dbb-1298606ec0a3",
			"created_at": "2025-03-07T02:00:03.799095Z",
			"updated_at": "2026-04-10T02:00:03.827106Z",
			"deleted_at": null,
			"main_name": "Ukrainian Cyber Alliance",
			"aliases": [
				"UCA"
			],
			"source_name": "MISPGALAXY:Ukrainian Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "98cd3bc4-fd41-4087-be03-f6f8f3be7b67",
			"created_at": "2025-05-29T02:00:03.220566Z",
			"updated_at": "2026-04-10T02:00:03.871851Z",
			"deleted_at": null,
			"main_name": "Cyber Alliance",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434027,
	"ts_updated_at": 1775791841,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ca012b8c3ecc86b04343ed8006bd53cc4ef7f89.pdf",
		"text": "https://archive.orkl.eu/4ca012b8c3ecc86b04343ed8006bd53cc4ef7f89.txt",
		"img": "https://archive.orkl.eu/4ca012b8c3ecc86b04343ed8006bd53cc4ef7f89.jpg"
	}
}