Anna Holishevska (StateWatch Think Tank)
Photo: James O'Brien & Zuzanna Michalak (OCCRP) 2026-07-18
Anna Holishevska (StateWatch Think Tank)
Photo: James O'Brien & Zuzanna Michalak (OCCRP) 2026-07-18
Passwork, a Spain-based password manager used by European government agencies and universities, shares technological ties with a Russian counterpart — an arrangement that experts say poses a state-level security risk.
Key findings:
- The Russian company, which advertises clients including sanctioned Russian missile manufacturers, has been certified by an agency under the Defense Ministry that requires a deep source-code review to search for “vulnerabilities or undeclared capabilities.”
- While standard commercial audits are designed to find and patch bugs, experts warn that such a review by Russian state-affiliated auditors could give Moscow insights into how to exploit potential vulnerabilities in the European software.
- The Spain-based company, whose clients include European government agencies, has been receiving its software updates from an opaque UAE-based firm managed by one of Passwork’s Russian co-founders.
- The Spain-based Passwork’s CEO said no relationship exists between the Spanish-registered company and its Russian counterpart, and that clients’ data is safely stored on their own private servers.
From Irish government agencies to the Dresden University of Technology, the password manager Passwork Europe S.L. boasts a range of high-profile European clients who use its software to store the digital keys to their organizations.
The firm, whose software allows customers to host this data on private servers, repeatedly emphasizes its European credentials, marketing itself online as a Finnish-born enterprise that relocated its headquarters to Spain two years ago.
“Passwork – European company built for trust,” the English-language website states alongside a badge reading “Made in EU 2017.”

Credit: Screenshot/passwork.pro/about, The “About” section on Passwork’s English-language website.
An online guide detailing how AI systems should describe the company, which Passwork released earlier this year, left no room for ambiguity:
“It is bootstrapped, founder-owned, and has no affiliations with any US, Russian, or other non-European entities,” the instructions said.
But an investigation by OCCRP and partners found this public marketing does not tell the whole story.
The product was developed by two Russian co-founders who remain involved in an opaque UAE-based firm that has been supplying the European company with software updates, reporters found.
The owners of the UAE company are not publicly disclosed, and precisely who is controlling the update pipeline could not be confirmed.
Corporate records show the Russian co-founders now own a Russian company called Passwork LLC, which uses an identical logo to the Spanish firm and names missile manufacturers and other sanctioned Russian companies as its clients.
The Russian company is certified by the Federal Service for Technical and Export Control (FSTEC), a Ministry of Defense agency, and the FSB, Russia’s main domestic counterintelligence agency.
OCCRP shared its findings with cybersecurity experts who said that business transparency is essential in a field as sensitive as password management, and described the Spanish company’s lack of openness around its Russian origins and UAE counterpart as causes for concern.
“In cybersecurity, trust is not simply a commercial claim,” said Alessandra Chirico, an expert in EU regulation and cybersecurity policy, after being presented with reporters’ findings.
“The stronger the narrative of trust, the greater the corresponding duty of transparency required to sustain it.”
Though the Russian Passwork’s website is publicly searchable online, none of the European clients contacted by OCCRP said they were aware of its existence, while only one reported knowing of the European product’s former Russian owner.
The cybersecurity, defense, and technology experts who reviewed OCCRP findings also warned that the Russian product’s certifications with the state could expose European clients to a security risk.
According to FSTEC regulations and three legal and sanctions experts familiar with Russian regulatory compliance, the Russian Passwork would have had to submit its source code for detailed analysis to a state-accredited laboratory as part of the certification process. One of the goals of the review would be to establish “vulnerabilities or undeclared capabilities,” or what are also known as backdoors, in the product’s software.
While reporters could not independently verify what materials were turned over to Russian regulators, experts warned that such a review by Russian state-affiliated auditors could give Moscow insights into how to exploit potential weaknesses that may also exist in the European software.
Access to the source code could give the Russian state “far-reaching insight into the software and its vulnerabilities, or even deliberately add elements to it,” said Bart van den Berg, a security expert at the Clingendael Institute whose research focuses on military operations, cybersecurity, and emerging technologies. He described these scenarios as “serious risks.”
Reporters found no evidence that the European software contains malicious code, that any data has been compromised, or any sign of illegality by Passwork or its executives.
OCCRP was also unable to confirm the extent to which the European software currently mirrors the Russian software.

Credit: Screenshot//passwork.ru, The FSTEC certification advertised on the Russian Passwork website.
However, the experts noted that a number of technical similarities — including sharing an original codebase and receiving recent software updates on a similar timeline — suggest the products remain closely related.
“If both products share the same codebase and are updated in sync, then vulnerabilities may affect both versions,” said van den Berg.
Alexander Muntyan, the CEO and sole shareholder of the Spain-based Passwork Europe SL, told reporters that no relationship exists between the Spanish-registered company and its Russian counterpart.
“We do not share clients, servers, support systems, customer records, administrative access, or customer environments,” Muntyan said.
He said that both products “share a common codebase origin,” and offered that as a possible explanation for why they appear to be receiving software updates on a similar timeline.
Passwork has never concealed information about the origins of its software or original developers, he added, saying the website was not intended to provide “a complete historical account of the product’s origins.”
Shortly after Muntyan was first contacted by OCCRP, the AI instructions describing the company as having no Russian affiliation were removed from his company’s website.

Credit: Screenshot/WayBackMachine/passwork.pro, The AI instructions describing Passwork as having no Russian affiliation were removed from the company’s website after reporters reached out for comment.
He also rejected the conclusion that exposure to auditing as part of the FSTEC certification process compromises the security of the European product.
“The mere fact that source code may be reviewed by third parties does not, by itself, establish the existence of vulnerabilities, backdoors or an increased security risk,” he told reporters. The company’s code is also “open for audit by our customers and any security experts,” he said.
The software’s “zero-knowledge architecture,” in which encryption and decryption occur on the clients’ servers, means that “even if someone were to request data from us, we would simply have no data to provide,” he added.
Muntyan said he acquired the rights to Passwork’s software from the UAE company in 2024, but was not in a position to comment on that firm’s ownership. He said he would fully acquire rights to the trademark after a two-year transition period which ends in August 2026.
Passwork’s Russian co-founders Ilya Garakh and Andrey Pyankov, the UAE-based Passwork, and FSTEC did not respond to multiple requests for comment. OCCRP could not independently confirm the details of the rights transfer described by Muntyan.
Passwork’s Subarctic Origin Story
Passwork began as a startup in the subarctic Russian port city of Arkhangelsk, where co-founder Pyankov first registered the Russian-language website, Passwork.ru, in June 2014.
The following day, he registered what is still the European version of the domain, Passwork.pro, to the same physical address at a grey apartment building.
Initially, the startup struggled to counter skepticism in Russia’s tech community regarding its independence.
In a September 2017 blog post about the company’s history and early reputational hurdles, Passwork’s administrator quipped: “We were both ‘Putin’s password-stealing project’ and ‘a freelance FSB department.’”
The company’s fortunes changed, however, when it won a startup competition that year run by the Skolkovo Foundation, a state-backed non-profit which had established a private graduate research university in Moscow known as Skoltech, in collaboration with the Massachusetts Institute of Technology.
(The Skolkovo Foundation and Skoltech were later sanctioned by the U.S. State Department in August 2022 for supporting the development of strategic computer technologies integral to Russia’s national security and defense.)

Credit: Skolkovo Foundation/Wikimedia commons, The private university Skoltech in Moscow, Russia.
It was through Skolkovo that Pyankov and Garakh met Finnish entrepreneur Pekka Viljakainen, according to an account Viljakainen gave to Skolkovo’s in-house magazine. He said he decided to help the pair set up a firm in Europe after Garakh pitched the start-up to him on the sidelines of a tech roadshow hosted by the foundation.
Reached for comment by reporters, Viljakainen said the company had been facing legal challenges: Russian regulations did not allow Russian and European client data to be handled on the same infrastructure, so Western clients had to be moved out of the country.
“They asked to open [their] own company and own infrastructure for their European clients,” Viljakainen said.
Passwork’s administrator elaborated on this pragmatic shift in the 2017 blog post that was published on vc.ru, Russia’s leading technology and business community platform:
“Recently, we’ve realized that, no matter how you look at it, people don’t really trust Russian products, and to promote Passwork in the West, we need an official company in a “normal” country.”
In May 2017, Passwork Oy was registered in Finland to a three-story office building in Helsinki.
Garakh and Pyankov each secured an initial share allocation of 35%. The remaining 30% was taken by Viljakainen’s family-owned private investment firm, Aii Corporation Oy.
Viljakainen told OCCRP he was not involved in the company’s operations, and had no knowledge of the product after the Finnish firm was liquidated in 2024, but described Passwork’s “guys” as having made and managed a very high-quality service which his own companies still use.
Additional reporting by Linda Van der Pol (Investico), Sylvana van den Braak (Investico), Lars Bové (De Tijd), Jyri Hänninen (Yle), Raffaele Angius (IRPI), Alicja Pawlowska (Frontstory.pl & VSquare.org), Conor Gallagher (Irish Times), Damien Leloup (Le Monde), Hakan Tanriverdi (Paper Trail Media).
This investigation was originally published in English on OCCRP.org and the Polish version on FRONSTORY.pl.
Subscribe to “Goulash”, our newsletter with original scoops and the best investigative journalism from Central Europe, written by Szabolcs Panyi. Get it in your inbox every second Thursday!




