Russian Hackers to the Front, Hacked! Part II

After admins played down the damage, new images have emerged to show the extent of the network compromise.

The incident initially occurred in 2025, when an unknown cyber actor appeared to gain access to the ‘Russian Hackers to the Front’ (RHF) network.
RHF are a group of volunteers, who program and distribute firmware for Russian drones, known as ‘1001’. This firmware allows civilian drones to be converted for military use in Ukraine.

Pro-Russian UAV support channels suggest that RHF was set up by US-sanctioned cyber security company, Positive Technologies. The company had previously been sanctioned for developing weaponized exploits for the Russian Government and intelligence services to facilitate their cyber campaigns.

RHF operate a number of their own Telegram channels, providing users with regular updates and locations of workshops in order to get drones ‘flashed’ with the latest firmware.

Following the initial cyber attack, the group rapidly played down the incident, suggesting that while defensive precautions were being taken, there was no widespread damage to the network. What has since become clear from the images we have acquired, is that the cyber actor was able to monitor RHF workshops through hacked webcams.

The full file of images we have can be accessed here: https://drive.proton.me/urls/4NBZM07CJ4#DUjWqC5ScOW7

These images show the diverse range in operating environments of the drone network’s workshops. While some of them appear to be in well-lit office buildings, others look to be underground or in makeshift accommodation in rudimentary conditions. More workstations appear to be in regular housing or apartments, with closets and beds visible, whereas others come complete with camouflage netting obscuring windows, possibly a sign of their proximity to the frontline, or at least being within range of Ukrainian drones.

Volunteers of RHF appear in some of the images, some wearing pseudo-military uniforms. Within their workspaces, on the walls are numerous flags, including those of the Russian state, Russian Naval Infantry and a Russian Army Unmanned Forces flag, depicting a cartoon drone portrayed as a Wasp or Bee. The flags could suggest an existing relationship with these units, regarding the militarization of drones, or that RHF volunteers are former members or affiliates themselves.

Following the incident, RHF network administrators claimed that firmware was not compromised, despite issuing urgent protective measures via Telegram to their followers. They would not, or could not, confirm the extent of the cyber intrusion, and these new images confirm that the attacker was able to monitor them for some time.

Furthermore, as recently as February 2026, RHF, via the Proshivka 1001 Telegram channel, confirmed that their technical support bot was hijacked in yet another cyber attack, and ‘paralyzed its operations, affecting terminal users’. The announcement proceeded to state that the cyber attack was of ‘dual purpose: disrupting technical support operations and exerting psychological pressure on those involved in the firmware update process’.

Whilst it remains unclear as to whether the webcam hack and Telegram bot hijack are connected, these two events will surely concern RHF. By their own admission, these attacks are designed to psychologically pressure operators, which these may well achieve, especially as they learn they were monitored by webcam for a considerable amount of time.

The extent of this incident further highlights the technical weaknesses within the Russian drone enterprise, as the compromise was clearly far more significant than the administrators understood. RHF have now been subject to multiple cyber attacks, which highlights their significance as a target within the wider scope of the conflict.