When Vladimir Putin launched his invasion of Ukraine in February 2022, Russian cyber warfare was supposed to be a game-changer. Intelligence agencies worldwide expected devastating digital attacks to cripple Ukrainian power grids, government systems, and military communications within hours.
Instead, the cyber offensive largely failed – and now exclusive leaked documents reveal why. GRU Unit 29155, Putin’s most notorious kill squad responsible for poisoning dissidents with Novichok and bombing weapons depots across Europe, had secretly built a hacking unit specifically for this moment. But their digital army was undone by the very traits that define modern Russia: corruption, incompetence, and personal scandals.
A year-long investigation by The Insider reconstructed this hidden history with surprising ease. By examining call logs, travel records, and leaked internal chats, investigators identified dozens of GRU hackers—convicted cybercriminals, young university recruits, and seasoned saboteurs with no technical training.
Their common weakness? Extraordinary sloppiness.
Many used personal phones and real identities when conducting operations or arranging meetings with mistresses and sex workers. The investigation reveals for the first time how Unit 29155’s hackers prepared for the invasion – and why their own incompetence doomed them to fail.
The spies who couldn’t keep secrets
Unit 29155’s cyber operations began modestly in 2012 under Tim Stigal (real name probably Timur Magomedov), an ethnic Chechen blogger from Dagestan recruited by then-GRU director Igor Sergun. Operating under the alias “Key,” Stigal initially focused on disinformation in Azerbaijan before expanding to more ambitious false-flag operations.
In 2016, they penetrated Qatar’s largest state bank, stealing 1.5 GB of customer data and falsely attributing the hack to Turkish nationalists. They impersonated Ukraine’s Right Sector, a far-right nationalist group, to inflame tensions with Poland, and created fake “Anonymous” accounts to target Bellingcat, an independent investigative outlet known for exposing Russian intelligence operations.
Their most valuable asset became Dilyana Gaytandzhieva, a Bulgarian journalist who, according to investigators, maintained contact with GRU operatives and published material advancing Kremlin disinformation—most notably, conspiracy theories accusing the US of running secret bioweapons labs in Eastern Europe. In 2019, she launched ArmsWatch.com, a site styled as an investigative outlet but used to publish hacked documents and reinforce Russian intelligence narratives in the run-up to the war in Ukraine.
Preparing for war
By 2021, as Russia prepared for its invasion, Unit 29155’s cyber efforts in Ukraine escalated sharply. The unit paid locals $1–5 to spray anti-Zelenskyy graffiti across Ukrainian cities and infiltrated nationalist groups like the Azov Battalion, with Stigal impersonating Akhmed Zakayev, a pro-Ukrainian Chechen separatist leader living in exile in London, to gain the trust of nationalist groups and individuals—one of whom is now serving in the Ukrainian Armed Forces.
They compiled dossiers on key Ukrainian officials, including Ihor Zhovkva, deputy chief of President Zelenskyy’s office. In October 2021, a Molotov cocktail was thrown at Zhovkva’s home in Kyiv by a 20-year-old who said he had been promised $7,000—the exact sum recorded in Unit 29155’s expense logs for “processing Zhovkva.”
When Colonel Yuriy Denisov, the overseer of Unit 29155’s hackers, saw news of the attack, he left a telling comment in a chat group: “idiots.”
Server records show the hackers spoofed websites for Zelenskyy’s office and Ukrainian ministries, setting up spear-phishing campaigns and credential theft targeting energy providers, anti-corruption agencies, and military infrastructure.
The new generation
Starting in 2019, Unit 29155 began recruiting from university coding competitions in Russia’s Voronezh. These recruits — nicknamed “eaglets” — were managed by GRU officer Roman Puntus and paid salaries of 400,000 rubles ($5,100) per month.
The first recruit, Vitaly Shevchenko, a 22-year-old Moldova-born hacker, successfully breached Estonia’s Ministry of Defense. He and five others — Borovkov, Denisenko, Goloshubov, Korchagin, and Amin Stigal (Tim’s son) — were later indicted by the US Department of Justice for the WhisperGate campaign, a pre-invasion cyberattack that deployed data-wiping malware across Ukrainian government and infrastructure networks.
Sex, lies, and cyber warfare
As the war neared, the cyber unit began to collapse. Stigal resigned or was sidelined due to COVID-19 illness, replaced by Puntus, who turned out to be more invested in romantic escapades than cyber sabotage.
The affair that doomed a cyber war: GRU officer Roman Puntus began a long-term relationship with accountant Darya Kulishova, whom he installed as the nominal head of a shell company called Aegaeon-Impulse. He made frequent luxury trips from Moscow to Sochi to visit her. By November 2023, Kulishova had given birth to his son—while Puntus funneled GRU funds through the company to support his second family.
Meanwhile, Colonel Yuri Denisov left a massive digital footprint: over 687 Telegram messages full of racism, anti-LGBT hate, and criticism of military leadership. He reused a single phone number across four cover identities — exposing the unit’s entire hacker network.
The failed invasion
When the invasion began in February 2022, Unit 29155’s cyber efforts fizzled. Rather than disabling Ukraine’s power grid, they managed only cosmetic website defacements. On January 13–14, they falsely claimed to have deleted government databases — which Ukrainian authorities later confirmed remained intact.
Their main server, Aegaeon, was left unprotected and discovered by hacktivists. Its mythological namesake — a traitorous titan punished for betrayal — proved painfully apt.
A broader shadow war
Though Unit 29155’s cyber operatives failed spectacularly in Ukraine, they haven’t vanished. Intelligence sources say they’ve repurposed their flawed tactics for a broader shadow war across Europe. Using playbooks first developed for Ukraine, GRU agents now recruit saboteurs via Telegram, offering cryptocurrency payments for arson attacks on NATO facilities and critical infrastructure.
The Insider’s investigation exposes how one of Russia’s most feared covert units, built for hybrid warfare, collapsed under the weight of corruption, dysfunction, and internal betrayal. Their mission didn’t fall to enemy fire — it failed from within.
In the end, Russia’s greatest cyber threat wasn’t the West. It was Russia itself.