17.07
29min
Passwords Under Control: How “European” Software with an FSB License Made Its Way into EU Government Systems
Author
Share article
Table of contents
Contents:

This investigation was produced with contributions from OCCRP journalists and StateWatch volunteers Matvii Liadov and Nazar Holianych

As Europe pours resources into security, innovation, and support for Ukraine, access to critical data may still be in hands of software with  Russian roots. Passwork, a password manager licensed by Russia’s Federal  Security Service (FSB), is used by organisations linked to the EU public sector. Journalists from StateWatch and OCCRP found that behind the image  of a “European company” lies a business operating under Russian jurisdiction, with ties to clients in Russia’s military-industrial complex, and subject to laws requiring cooperation with Russian security services.

Brussels. Home to the European Union’s key institutions and NATO headquarters. The digital infrastructure of the Brussels-Capital Region’s public sector is managed by Paradigm, an organisation that provides IT solutions for regional administrations, ministerial offices, municipalities, and other public institutions. It oversees information systems, coordinates the region’s digital ecosystem, and keeps essential government digital services running smoothly.

Iris Tower, Brussels – Paradigm's office (photo from the Internet)

Imagine our surprise when we discovered that Paradigm still relies on Passwork – a password manager developed by a Russian company from Arkhangelsk – to store and manage its passwords. Password managers are used to centrally store credentials and control access to information systems. For organisations responsible for managing public sector digital infrastructure, they are a cornstone of cybersecurity.

We contacted  Paradigm for comment. In its response, the organisation confirmed that it has been using Passwork for more than five years.

“We have been using it since May 2021 and continue to do so today. Passwork helps us manage a large number of passwords associated with the various clients we support. At present, 41 Paradigm employees have access to the system,” the organisation said.

This means that while sensitive data flows through Brussels, the Russian-developed Passwork continues to quietly manage access to those systems.

 

Cybersecurity is not optional – it is a necessity. Without it, even state secrets can fall into the hands  of hostile intelligence services. Sensitive data of all kinds is stolen, sold, used for blackmail, and exploited to exert political and economic influence. Russian intelligence agencies have repeatedly demonstrated how this works in practice: infiltrating the German Bundestag’s IT systems, attacking government and corporate networks across the EU, leaking data obtained through Telegram, and exploiting digital vulnerabilities to advance Russia’s political and economic interests. The FSB and similar agencies have both the capability and the incentive to target digital channels where critical information is stored. Using Russian software – even in an otherwise neutral corporate environment – creates opportunities for such risks. Every password, every database, and every server is a potential point of entry.

A Global Network of Companies Under the Watchful Eye of the FSB?

Passwork is an encrypted password system that is hosted on the customer’s own servers. The service enables organisations to  manage corporate passwords centrally while giving employees streamlined  access to the credentials they need. The software was originally developed by Russian programmers in Arkhangelsk in 2014. A decade later, in 2024, the same Russian-developed product began being marketed to international customers through the Spanish company PASSWORK EUROPE S.L. Today, it is promoted as a secure solution for business .

But how secure can it really be when the Russian company’s website prominently features an FSB license, alongside two additional licenses issued by Russia’s Federal Service for Technical and Export Control (FSTEC)?

Screenshot from the Internet

Until June 2026, Passwork’s official LinkedIn page featured a list of clients from around the world. Among them were a number of government institutions, public authorities, and universities, including:

  • Germany’s Federal Ministry for Research, Technology and Space;
  • The Government of Ireland;
  • The Hildesheim District Administration (Germany);
  • The University of Zurich (Switzerland);
  • Dresden University of Technology (Germany).

According to the same LinkedIn page, the software was also used by a number of major international companies, including:

  • Deutsche Post / DHL – logistics (Germany);
  • Orange Telecom – telecommunications (France);
  • PHC Tailored Telecom & IT – IT services (the Netherlands);
  • TDK – electronics (Japan);
  • Turbine Kreuzberg – technology (Germany);
  • HAROPA PORT – logistics (France);
  • EPEX SPOT – energy exchange (France);
  • Maxon – software development (Germany);
  • Foundry – software development (United Kingdom);
  • ArcelorMittal – steel manufacturing (Luxembourg);
  • Komatsu – industrial machinery (Japan);
  • BOGNER – fashion and retail (Germany);
  • Frontier Developments – video game development (United Kingdom);
  • Sunreef Yachts – shipbuilding (Poland);
  • SolarEdge Technologies – renewable energy (Israel);
  • Enel Group – energy (Italy).
Screenshot from the Internet
Screenshot from the Internet

At first glance, it appears to be  a successful international product, especially given that  it’s registered well  beyond Russia’s borders. However, after we began sending inquiries to the companies on these lists, references  to  the password manager’s users were removed from the company’s official LinkedIn page.

Screenshot from the Internet

At the same time, several organisations that had previously been identified on Passwork’s social media as users of the product told us they do not use it. These include Germany’s Federal Ministry for Research, Technology and Space (Bundesministerium für Forschung, Technologie und Raumfahrt), the logistics company Deutsche Post, the Dutch telecommunications company PHC (now Yielder), the Dutch public-sector organisation BIJ12, the Municipality of Heerenveen (Gemeente Heerenveen), the Italian energy company Enel, the Japanese electronics manufacturer TDK, and the German software company Maxon.

At the same time, we also obtained official confirmations that Passwork is used by a number of major European organisations, including companies, universities, and public institutions. These include the French telecommunications operator Orange, Dresden University of Technology (Germany), the Dutch regional broadcaster RTV Noord, the Dutch energy company Novar, Paradigm, the digital agency of the Brussels-Capital Region, the British software company Foundry (which used the product until 2024), the German sportswear manufacturer Bogner, and the Hildesheim District Administration (Landkreis Hildesheim).

A Spanish Back Office for a Company from Arkhangelsk

Passwork’s LinkedIn page identifies Barcelona as the company’s headquarters. Corporate records support this claim:, according to Spain’s commercial register, PASSWORK EUROPE S.L. was incorporated on 30 August 2024 in Barcelona, Spain with aregistered share capital of just €3,000. The company’s sole shareholder and director is Alex Muntyan, who is also listed as Passwork’s CEO on the company’s website.

Screenshot from the Internet
Screenshot from the Internet

Two years earlier, in November 2022, a company with the same name, Passwork LLC (ООО “Пассворк”), was incorporated in Arkhangelsk, Russia. Its primary registered business activity is computer software development.

The ownership of the Russian company has remained unchanged since its incorporation: Andrey Pyankov, the company’s General Director, and Ilya Garakh each hold a  50% stake. The company’s financial performance in Russia is striking. Despite having only  three employees, it reported revenue of 197 million rubles and a net profit of 97.6 million rubles in 2024,  equivalent to nearly US$1 million in profit.

Screenshot from the Internet

Passwork’s Russian Clients: Weapons Manufacturers and Sanctioned Companies

One might assume this is the story of Russian entrepreneurs who condemned the war and relocated their business out of the aggressor state. But that is certainly not the case with Passwork’s founders.

While the company’s Spanish office presents itself as a European startup, the Russian version of Passwork’s website proudly displays the logos of companies from Russia’s military-industrial complex in its “Clients” section. Most of them are under U.S. and EU sanctions for manufacturing weapons used in Russia’s war against Ukraine.

Among the listed users of the Russian password manager are:

  • Almaz-Antey – the manufacturer of the S-300 and S-400 surface-to-air missile systems and one of the largest suppliers of weapons for Russia’s so-called “special military operation” (“SMO”).
  • NPO Almaz – a developer of air defence systems.
  • Kometa Corporation for Special-Purpose Space Systems – a defence industry enterprise specialising in the research, development, production, and operation of space-based command, control, and intelligence systems.
  • JSC NII Submikron – a leading Russian company specialising in the development and manufacture of equipment for aviation and spacecraft control systems, satellite navigation, and radar data processing.
  • Avangard Moscow Machine-Building Plant (MMZ Avangard) – the key manufacturer of missiles for the S-300 and S-400 air defence systems.
  • United Shipbuilding Corporation (JSC USC) – Russia’s largest builder of military warships and submarines.

Passwork is also used by several other sanctioned Russian companies, including Gazprom Neft, Aeroflot, Metrovagonmash, and Rusal.

Screenshot from the Internet

An FSB License and Russian Law

In 2025, Passwork obtained a license from Russia’s Federal Security Service (FSB) authorising it to carry out activities involving cryptographic (encryption) tools. Although, the license is formally issued for an unlimited period,  it can be revoked if an inspection finds that the company has failed to comply with FSB requirements.

The license is not mandatory for operating in Russia. However, it enables a company to work with Russian state-owned enterprises and government clients. There is, however, an important caveat. By obtaining this license, a company also assumes legal obligations under Russian law to provide access to data in its possession when required by the authorities.

The relevant legal provisions include:

  • Russian Government Resolution No. 313 (2012) – regulates the licensing of cryptographic activities, placing licensed companies under FSB oversight.
  • Federal Law No. 144-FZ “On Operational-Search Activities” – authorises Russian security services to require access to information systems and obliges organisations to assist in operational-search activities.
  • Federal Law No. 149-FZ “On Information, Information Technologies and Information Protection” – requires data operators to provide information to state authorities upon lawful request.
  • SORM and the Yarovaya Package – a technical and legislative framework that enables the authorities to compel the disclosure of metadata, the contents of communications, and encryption keys.
Screenshot from the Internet

In 2024, Passwork also obtained additional licenses from FSTEC (Russia’s Federal Service for Technical and Export Control). These licenses authorise the company to develop and deploy software and technical solutions for information security, work with corporate password management systems, and provide such solutions to state-owned enterprises and large corporations, for which these licenses are mandatory.

“Given the broad powers of the Russian security services, if such materials or source code were to attract the FSB’s attention, there is a significant risk that state authorities could gain access to them through legal mechanisms provided by Russian law or through the state’s de facto powers of coercion,” said Oleksandr Frolov, a partner at the international law firm Kinstellar, who specialises in sanctions and risk matters.

Who Founded Passwork?

Passwork co-founders Ilya Garakh and Andrey Pyankov. Photo from the Internet

Very little public information is available about Passwork’s founders. However, we were able to uncover some details.

Andrey Pyankov is the director of the Russian legal entity. His social media accounts have been deleted, and he has no public profile. Until 2023, he lived in Russia’s Vladimir Region.

Ilya Garakh, Passwork’s co-founder, lived in Arkhangelsk until 2023. He occasionally publishes technical articles related to his professional work. One of them  is titled “How to Hack the Biometric Data Stored in a Passport.”

Screenshot from the Internet

Alex Muntyan is the public face of Passwork in the West, serving as the head of its Barcelona office.

Photo from the Internet

On social media, he goes by Alex and describes himself as CEO of Passwork Europe. He spent his childhood and early adulthood  in Moscow, where he attended school, university, and business school. He also played for the Moscow ice hockey team Bely Shkval.

Photo from the Internet

He now lives in Spain, although it is unclear when he left Russia. Since 2020, he has been listed as the founder and director of the Moscow-based company Communa Interim LLC, which provides business and management consulting services.

How Passwork from Arkhangelsk Became a “Spanish Company”: A Chance Meeting Outside a Restroom Opened the Door to Europe for the FSB

Although the Russian company was formally incorporated only in 2022, the origins of  Passwork date back to 2014. Its first version was called Password Share, and it immediately attracted public criticism.

In a later interview with Russian media, the founders recalled:

“The very idea of storing passwords in the cloud triggered an uncontrollable wave of hatred among the average commenter. We were called everything from ‘Putin’s password-stealing project’ to ‘an unofficial department of the FSB.'”

These reactions may well explain why the company later rebranded the product and changed its domain name. However, Arkhangelsk remained its place of registration. And, as it turned out, the public’s concerns were not entirely unfounded.

Screenshot from the Internet

In 2017, the company expanded its operations into neighboring Finland

The founders later described that period of the company’s development as follows:

“People don’t really trust products from Russia, so to promote Passwork in the West, we needed an official company in a ‘normal’ country.”

The meeting that changed everything took place while waiting in line for a restroom. During a startup roadshow in Arkhangelsk, Ilya Garakh approached Pekka Viljakainen, a Finnish millionaire, adviser to the Skolkovo Foundation, and a businessman who had received state awards from Vladimir Putin.

Screenshot from the Internet
Screenshot from the Internet

Viljakainen later recalled the encounter:

“I was standing in line for the restroom. A young guy came up to me and started telling me about his startup. His name was Ilya, and he was so convincing that I decided to invest in his team.”

Ilya Garakh, however, tells the story somewhat differently. According to the Passwork co-founder, the “life-changing” meeting took place in the lobby of a university, where he approached Viljakainen while the Finnish businessman was attending the event as a speaker.

That meeting ultimately led to the creation of the Finnish company Passwork Oy.

“There’s a huge difference between selling a product on behalf of a sole proprietor from Arkhangelsk and selling it through a Finnish company,” Garakh later explained.

2023–2024: A Spanish Shell

In one interview, Garakh and Pyankov described the transition as follows:

“At first, Passwork was financed by a Finnish investor. But after years of steady growth, we made the deliberate decision to buy back 100% of the shares. After the buyout, we moved our legal base to Spain while keeping the entire team intact,” 

Ownership of Passwork Europe S.L. was transferred to Alex Muntyan.

Today, Passwork repeatedly emphasizes its supposed “European roots” through slogans such as:

  • “We are a fully European organisation legally registered in Spain.”
  • “Our company reflects European values.”
  • “Built worldwide. Rooted in Europe.”
  • “We are proud of our European foundation.”

There is no mention of Arkhangelsk.

Yet in the very same year that Passwork was publicly promoting its “European values,” the Russian legal entity Passwork LLC obtained its FSTEC licenses.

Alex Muntyan, CEO of Passwork Europe S.L., told StateWatch’s partner OCCRP that there is no corporate or operational relationship between Passwork Europe S.L. and the Russian company.

“There are no corporate, contractual, operational, infrastructure, or data-sharing relationships between Passwork Europe S.L. and the Russian Passwork,” he wrote.

Muntyan also said that all data belonging to European customers is stored exclusively within the European Union. However, in the same email, he confirmed facts pointing to the products’ shared origin.

According to Muntyan, Passwork Europe acquired the software from Passwork FZ-LLC, a company registered in the United Arab Emirates. Under the agreement, the UAE company will continue providing the European company with source code updates and knowledge transfer until 30 August 2026.

Moreover, Muntyan explicitly acknowledged that the European and Russian products share a “common codebase origin” He said this is why updates for both products are often released almost simultaneously and contain nearly identical release notes.

“Both products share a common codebase origin. As a result, updates may sometimes be released within a short interval and contain similar descriptions,” Alex Muntyan wrote.

Another important detail is that, according to Muntyan, Passwork co-founder Ilya Garakh is involved in transferring source code updates and technical knowledge as an employee of Passwork FZ-LLC. The company’s other co-founder, Andrey Pyankov, heads the UAE entity. According to Muntyan, both founders currently reside in the United Arab Emirates.

In other words, despite insisting that Passwork Europe has no relationship with the Russian Passwork, the CEO of Passwork Europe S.L. confirmed that the European product shares a common codebase with its Russian counterpart and continues to receive source code updates and technical know-how from a company headed by one of the Russian Passwork co-founders.

We also established that Alex Muntyan, Ilya Garakh, and Andrey Pyankov all list Passwork Europe S.L. as their employer on their social media profiles.

Screenshots from the Internet

Russian Passwork co-founders Ilya Garakh and Andrey Pyankov did not respond to multiple requests for comment.

What Cybersecurity Experts Say

Ukrainian cybersecurity experts, who agreed to speak on condition of anonymity, describe the use of Passwork by European institutions and public bodies as a systemic risk, even in the absence of direct evidence that data has been transferred.

“Although I cannot see any obvious mechanism in the code that transfers passwords, one question remains unanswered: can the server obtain or reconstruct the encryption keys? If control remains entirely on the client’s side, the risk is lower. But the system could potentially suppress suspicious activity in a way that the customer would never notice,” one expert said.

Another expert stressed the importance of an independent security audit:

“The on-premises version of Passwork stores encryption keys on the customer’s infrastructure, while the cloud versions require an independent audit. In theory, any software that receives updates can become an attack vector, as SolarWinds and M.E.Doc have already demonstrated. More broadly, using Russian software introduces additional risks, including sanctions-related, reputational, and targeted cyberattack risks.”

A third expert said our findings are consistent with the legal risks associated with operating under  Russian jurisdiction:

“Under Russian law, the company is obliged to provide various types of information to state authorities and to pay taxes that indirectly finance government programmes. Therefore, even without direct evidence that passwords have been accessed, the fact that Passwork operates under Russian jurisdiction and holds an FSB license creates a systemic risk. An independent security audit remains the only reliable way to assess the product’s actual security.”

We also consulted several independent international experts in cybersecurity and cryptography, who analysed the technical links between the Russian and European versions of Passwork.

Bart Preneel, Professor of Cryptography at KU Leuven, concluded that the combination of technical indicators we identified is sufficient to suggest that the infrastructure is controlled by a single entity. These indicators include historical and current links between the domains, shared infrastructure components, and other technical artefacts.

Independent cybersecurity researcher Lukasz Olejnik reached a similar conclusion. He confirmed that the Russian domain passwork.ru and the European domain passwork.pro use the same installation script and described the overall situation as “high risk.” According to him, the greatest concern is not any single technical similarity, but the hidden chain of control behind the product.

“In cybersecurity, trust is not just a marketing slogan,” said Alessandra Chirico, an expert in EU cybersecurity law and policy.

“The stronger the narrative of trust, the greater the corresponding obligation of transparency required to support it.”

Meanwhile, Ronald Prins, one of the founders of the Dutch cybersecurity company Fox-IT, pointed to another concern. In his view, the publicly disclosed technical vulnerabilities in Passwork are already serious enough that he does not understand why European organisations continue to use the product. According to Prins, separating the company into different legal entities does not eliminate the risk of Russian access.

How Passwork Leaves the Door Open to Data Access

To better understand how secure Passwork really is, we asked a Germany-based IT specialist to analyse the software. He agreed to discuss his findings on condition of anonymity. According to the expert, even n the absence of clear evidence of a breach or data leak, the product’s architecture itself creates potential risks of unauthorised access.

“The problems begin during installation. The software connects to an external server and receives a unique identifier, along with the client’s IP address and information about the organisation. This allows the vendor to identify every installation. For a product marketed as being entirely self-hosted, such functionality appears difficult to justify,” the expert explained.

The expert found no evidence during testing of direct data exfiltration. However, he identified numerous technical connections through which information could, in theory, be transmitted. He also noted that the system includes tools capable of providing full access to stored passwords and internal data. In addition, the software update mechanism could potentially serve as a channel for covert access – similar to the SolarWinds hack, a large-scale cyberattack widely attributed to a Russia-linked threat actor that compromised thousands of organisations worldwide, including multiple U.S. federal government agencies, resulting in a series of data breaches.

Summarising his assessment, the expert identified three key risks:

“First, the software’s concealed Russian origin and the apparent effort to mislead Western customers. Second, the software’s architecture, which creates dependence on the vendor despite promises of fully local deployment. Third, if the product is compromised, it provides access to an organisation’s entire collection of passwords, certificates, and other secrets in other words, its most valuable digital assets.

A Russian state intelligence service would not even need to actively compromise such a system. It would be enough for this capability to exist and for the company to be legally compelled to cooperate. Based on these findings, Passwork cannot be recommended for organisations with high security requirements, government institutions, or operators of critical infrastructure.”

The expert’s conclusions are also supported by technical evidence.

According to data from DomainTools Iris, a service used to investigate domains, websites, and IP addresses, the domain passwork.pro was registered in 2014 by Andrey Pyankov, co-owner of the Russian company Passwork.  The registration records listed an address in Arkhangelsk and Russian contact details, with no reference to any European entity.

This suggests that the product originated in Russia, while the “European” company appeared only years later.

Screenshot from the Internet

We found no evidence that Passwork has been used for espionage or to transfer data to Russian intelligence services. What we did establish, however, is that a Russian-developed product used by European public institutions remains connected to Russia’s legal and technical ecosystem. And when that product is a password manager – a tool that effectively controls access to an organisation’s digital infrastructure – even a potential risk matters.

The Passwork case also highlights a broader pattern. Russian companies may present themselves as European businesses while remaining subject to the jurisdiction of the Russian state and its security services. This creates an inherent risk whenever software marketed as a “European” IT solution is, in fact, linked to the jurisdiction of the aggressor state. The mere existence of a legal obligation to cooperate with the FSB, combined with software that manages access to passwords, creates a vulnerability that cannot be ignored. In today’s world, where information is power, the question is not whether a breach has already occurred. The question is who holds the keys.

If you spot a typo, highlight it with your cursor and click "Report"
Share article
Author
4
Close
Error in text

Error: Contact form not found.

Thanks
Error message sent successfully
Close
You're subscribed
Thank you for joining us.
Monthly reviews coming soon!
Close
E-mail Confirmation
Thank you for joining us.
A confirmation e-mail has been sent to the address provided.
Close