# Passwork Shares Data with State-Certified Russian Firm

> Source: <https://www.occrp.org/en/investigation/european-password-manager-shares-origins-and-updates-with-state-certified-russian-firm>
> Published: 2026-07-17 07:21:59+00:00

#### Reported by

From Irish government agencies to the Dresden University of Technology, the password manager Passwork Europe S.L. boasts a range of high-profile European clients who use its software to store the digital keys to their organizations.

The firm, whose software allows customers to host this data on private servers, repeatedly emphasizes its European credentials, marketing itself online as a Finnish-born enterprise that relocated its headquarters to Spain two years ago.

“Passwork - European company built for trust,” the English-language website states alongside a badge reading “Made in EU 2017.”

An online guide detailing how AI systems should describe the company, which Passwork released earlier this year, left no room for ambiguity:

“It is bootstrapped, founder-owned, and has no affiliations with any US, Russian, or other non-European entities,” the instructions said.

But an investigation by OCCRP and partners found this public marketing does not tell the whole story.

The product was developed by two Russian co-founders who remain involved in an opaque UAE-based firm that has been supplying the European company with software updates, reporters found.

The owners of the UAE company are not publicly disclosed, and precisely who is controlling the update pipeline could not be confirmed.

Corporate records show the Russian co-founders now own a Russian company called Passwork LLC, which uses an identical logo to the Spanish firm and names missile manufacturers and other sanctioned Russian companies as its clients.

The Russian company is certified by the Federal Service for Technical and Export Control (FSTEC), a Ministry of Defense agency, and the FSB, Russia’s main domestic counterintelligence agency.

OCCRP shared its findings with cybersecurity experts who said that business transparency is essential in a field as sensitive as password management, and described the Spanish company’s lack of openness around its Russian origins and UAE counterpart as causes for concern.

“In cybersecurity, trust is not simply a commercial claim,” said Alessandra Chirico, an expert in EU regulation and cybersecurity policy, after being presented with reporters’ findings.

“The stronger the narrative of trust, the greater the corresponding duty of transparency required to sustain it.”

Though the Russian Passwork’s website is publicly searchable online, none of the European clients contacted by OCCRP said they were aware of its existence, while only one reported knowing of the European product’s former Russian owner.

The cybersecurity, defense, and technology experts who reviewed OCCRP findings also warned that the Russian product’s certifications with the state could expose European clients to a security risk.

According to FSTEC regulations and three legal and sanctions experts familiar with Russian regulatory compliance, the Russian Passwork would have had to submit its source code for detailed analysis to a state-accredited laboratory as part of the certification process. One of the goals of the review would be to establish "vulnerabilities or undeclared capabilities,” or what are also known as backdoors, in the product’s software.

While reporters could not independently verify what materials were turned over to Russian regulators, experts warned that such a review by Russian state-affiliated auditors could give Moscow insights into how to exploit potential weaknesses that may also exist in the European software.

Access to the source code could give the Russian state “far-reaching insight into the software and its vulnerabilities, or even deliberately add elements to it,” said Bart van den Berg, a security expert at the Clingendael Institute whose research focuses on military operations, cybersecurity, and emerging technologies. He described these scenarios as “serious risks.”

Reporters found no evidence that the European software contains malicious code, that any data has been compromised, or any sign of illegality by Passwork or its executives.

OCCRP was also unable to confirm the extent to which the European software currently mirrors the Russian software.

However, the experts noted that a number of technical similarities — including sharing an original codebase and receiving recent software updates on a similar timeline — suggest the products remain closely related.

“If both products share the same codebase and are updated in sync, then vulnerabilities may affect both versions,” said van den Berg.

Alexander Muntyan, the CEO and sole shareholder of the Spain-based Passwork Europe SL, told reporters that no relationship exists between the Spanish-registered company and its Russian counterpart.

“We do not share clients, servers, support systems, customer records, administrative access, or customer environments,” Muntyan said.

He said that both products “share a common codebase origin,” and offered that as a possible explanation for why they appear to be receiving software updates on a similar timeline.

Passwork has never concealed information about the origins of its software or original developers, he added, saying the website was not intended to provide “a complete historical account of the product’s origins.”

Shortly after Muntyan was first contacted by OCCRP, the AI instructions describing the company as having no Russian affiliation were removed from his company’s website.

He also rejected the conclusion that exposure to auditing as part of the FSTEC certification process compromises the security of the European product.

“The mere fact that source code may be reviewed by third parties does not, by itself, establish the existence of vulnerabilities, backdoors or an increased security risk,” he told reporters. The company’s code is also “open for audit by our customers and any security experts,” he said.

The software’s “zero-knowledge architecture,” in which encryption and decryption occur on the clients’ servers, means that “even if someone were to request data from us, we would simply have no data to provide,” he added.

Muntyan said he acquired the rights to Passwork’s software from the UAE company in 2024, but was not in a position to comment on that firm’s ownership. He said he would fully acquire rights to the trademark after a two-year transition period which ends in August 2026.

Passwork’s Russian co-founders Ilya Garakh and Andrey Pyankov, the UAE-based Passwork, and FSTEC did not respond to multiple requests for comment. OCCRP could not independently confirm the details of the rights transfer described by Muntyan.

## Passwork’s Subarctic Origin Story

Passwork began as a startup in the subarctic Russian port city of Arkhangelsk, where co-founder Pyankov first registered the Russian-language website, [Passwork.ru](http://passwork.ru), in June 2014.

The following day, he registered what is still the European version of the domain, [Passwork.pro](http://passwork.pro), to the same physical address at a grey apartment building.

Initially, the startup struggled to counter skepticism in Russia’s tech community regarding its independence.

In a September 2017 blog post about the company’s history and early reputational hurdles, Passwork’s administrator quipped: “We were both ‘Putin's password-stealing project’ and ‘a freelance FSB department.'”

The company’s fortunes changed, however, when it won a startup competition that year run by the Skolkovo Foundation, a state-backed non-profit which had established a private graduate research university in Moscow known as Skoltech, in collaboration with the Massachusetts Institute of Technology.

(The Skolkovo Foundation and Skoltech were later sanctioned by the U.S. State Department in August 2022 for supporting the development of strategic computer technologies integral to Russia’s national security and defense.)

It was through Skolkovo that Pyankov and Garakh met Finnish entrepreneur Pekka Viljakainen, according to an account Viljakainen gave to Skolkovo’s in-house magazine. He said he decided to help the pair set up a firm in Europe after Garakh pitched the start-up to him on the sidelines of a tech roadshow hosted by the foundation.

Reached for comment by reporters, Viljakainen said the company had been facing legal challenges: Russian regulations did not allow Russian and European client data to be handled on the same infrastructure, so Western clients had to be moved out of the country.

“They asked to open [their] own company and own infrastructure for their European clients,” Viljakainen said.

Passwork’s administrator elaborated on this pragmatic shift in the 2017 blog post that was published on [vc.ru](http://vc.ru), Russia’s leading technology and business community platform:

“Recently, we've realized that, no matter how you look at it, people don't really trust Russian products, and to promote Passwork in the West, we need an official company in a "normal" country.”

In May 2017, Passwork Oy was registered in Finland to a three-story office building in Helsinki.

Garakh and Pyankov each secured an initial share allocation of 35%. The remaining 30% was taken by Viljakainen’s family-owned private investment firm, Aii Corporation Oy.

Viljakainen told OCCRP he was not involved in the company’s operations, and had no knowledge of the product after the Finnish firm was liquidated in 2024, but described Passwork’s “guys” as having made and managed a very high-quality service which his own companies still use.

## Shed No.23

Russia’s full-scale invasion of Ukraine in February 2022 changed Europe's business climate.

Western governments, recalling the U.S.’s 2017 ban on antivirus software from the Russian firm Kaspersky Lab due to espionage concerns, grew increasingly wary of Russian-developed code.

In the following months, Passwork went through a series of changes that separated the Russian co-founders from the European firm.

First, Pyankov and Garakh sold their shares in Passwork Oy to Viljakainen’s Aii Corporation Oy in May 2022. Two months later, in July, a new firm named Passwork FZ-LLC was registered at “Shed No.23” in the United Arab Emirates’ Ras Al Khaimah Economic Zone.

Though its shareholders and beneficial owners are shielded by the jurisdiction’s corporate secrecy, the UAE business registry lists co-founder Pyankov as manager. Furthermore, public domain registry data lists Garakh as both the official owner and contact for the Emirati domain, [passwork.ae](http://passwork.ae).

Later that year, in November 2022, Pyankov and Garakh formed a Russian-registered company, Passwork LLC in their hometown of Arkhangelsk. According to its website, that firm serves dozens of Russian clients that have been sanctioned by the West, including missile manufacturers and developers of space technology.

Viljakainen, the former shareholder of the Finnish company, told reporters over email that after the outbreak of the war in Ukraine, he “immediately decided (like basically all Russia related companies in Finland/ EU) to cut these contact[s] and businesses,” a choice he said had “nothing to do with Passwork as such.”

The “war and related sanctions” made business too difficult, he said.

A month after the Finnish firm went into liquidation in July 2024, Passwork Europe S.L. was registered in Spain by Russian national Muntyan, who serves as CEO and sole shareholder of the company.

When asked about this rebirth, Viljakainen said he had no knowledge of the Spanish setup or relationship with the firm, stating his understanding was that “operations were moved to the UAE.” He has never worked with the Russia-based Passwork, he added.

Muntyan said Passwork Europe is entirely independent of the Russian enterprise, and that any commonalities — including certain marketing materials and documentation — are administrative holdovers rather than evidence of joint management.

He said Passwork’s co-founder Garakh “does not manage Passwork Europe S.L. and has no access to customer systems,” but has been providing “limited product related knowledge-transfer support” through the UAE-based Passwork during the European company’s transition period, which ends in August 2026.

Citing a non-disclosure agreement, he declined to disclose financial and legal details of how he acquired the software rights from the UAE-based firm.

## A ‘Shallow’ Split

The Russian and European Passwork websites reveal substantial commonalities, which the cybersecurity experts consulted by reporters said could be of concern for European customers given that the Russian product would have had to submit its software for testing as part of the FSTEC certification.

Online, publicly available user manuals for the latest versions of both the Russian and European products are virtually indistinguishable aside from the language they are written in, indicating that they share near identical product features.

Both websites also show that the companies’ past six software updates have been announced on a similar timeline, with near-identical descriptions of the new features and releases.

On April 6, 2026, for instance, the passwork.ru domain announced the release of software update version 7.6. The following day, the European website passwork.pro announced that Passwork Pro version 7.6 was launched with the same description of the update’s features.

Lukasz Olejnik, a security and privacy technology researcher who reviewed Passwork’s Russian and European websites upon OCCRP’s request, said these and other overlaps raise questions about the strength of the firewall between Passwork’s European and Russian shopfronts, and that the subject “warrants a review.”

“The EU/RU split as of today appears technically shallow,” Olejnik said, pointing to 517 lines of what he characterized as “basically identical” installer script, which refers to the set of instructions that automates the deployment, configuration, and setup of software on a user's device.

When confronted with the synchronized timelines, Passwork CEO Muntyan denied that the Russian and Spanish companies actively coordinate software updates. But he acknowledged that because they share “ a common codebase origin,” it is possible that the UAE entity Passwork FZ-LLC is delivering updates to multiple parties on a similar timeline.

Those updates are reviewed by Passwork Europe SL’s technical team before incorporation, he added.

Van den Berg, the security expert at the Clingendael Institute, noted that the overall opacity around Passwork and any connections to the software of its Russian counterpart should raise questions for clients about what level of uncertainty they are comfortable with.

Particularly when it concerns something as sensitive as "where the keys to your digital home lie," he said.

The mechanism by which updates are pushed is of particular concern, because compromised or malicious software updates remain one of the most effective methods for hostile actors to penetrate otherwise secure networks.

“The update mechanism is the most elegant and hardest-to-detect attack vector: a single prepared update could selectively trigger a [password] vault dump at targets deemed of interest and then disappear completely without a trace,” said Donald Ortmann, a German security researcher who advises businesses on cybersecurity and provides risks training to IT professionals.

Ortmann pointed to the example of the 2019-2020 hack of the U.S. software company SolarWinds, one of the largest and most significant cyberattacks in history, where Russian operatives are believed to have infiltrated the company’s systems to inject a trojan horse code that was included in one of its software updates.

After the update had been pushed to SolarWinds’ clients, the attackers had access via a backdoor to infected computers, compromising the email systems of the U.S. Treasury Department and Department of Justice.

As in many other countries, including the U.S., the Russian state has the authority to compel those under its jurisdiction, such as the Russian Passwork's owners, to cooperate with national intelligence agencies in executing such intelligence operations.

"Given the broad powers of the Russian security services, if such materials or source code were to become of interest to the FSB, there is a significant risk that state authorities could gain access to them through mechanisms provided for by law or through de facto mechanisms of state influence," said Oleksandr Frolov, a Kyiv-based partner at the international law firm Kinstellar who specializes in sanctions and risk.

On its website, the Russian Passwork confirmed that “the product architecture, cryptographic algorithms, access control, and logging mechanisms have undergone all stages of detailed verification for compliance with the requirements of FSTEC Order No. 76 of June 2, 2020.”

## Clients in the Dark

Muntyan told reporters Passwork Europe SL has never concealed information about the origins of Passwork's software or its original developers.

Its servers are based in Europe, Muntyan said, adding that he didn’t immediately re-brand the product “so that existing customers wouldn’t be disrupted by a new design.”

Yet for several of the software’s European users, Passwork’s Russian backstory came as a surprise.

OCCRP contacted around 30 apparent clients, including those advertised on Passwork’s European website and LinkedIn.

More than a dozen confirmed that at least some staff were using it, and all but one of these clients appeared to be unaware of Passwork’s Russian heritage, or the certification of the Russian-market version of the product by the FSB and FSTEC.

The Irish government’s Office of Public Works (OPW), an agency that manages much of the state’s property portfolio, said it was only aware of the Spain-registered Passwork, and that it had not identified any security risks with the use of the product.

Ireland’s State Laboratory, a chemistry laboratory that services a range of government departments and public sector clients, said it was also unaware of the product’s connections with Russia, and that it had not identified any security concerns.

“However, this press request has highlighted a new potential risk that is being treated seriously. As such, we are reviewing the product and any associated risk or concern,” the laboratory said.

Paradigm Brussels, a Belgian firm that provides IT services to Brussels’s regional government, said it was aware that Passwork’s creator was Russian, but that it appeared the company’s structures had “evolved” to the point where “this historical link has no functional impact.”

Eight other companies that were featured as clients on Passwork Europe’s website and LinkedIn denied using the software, including Italian energy giant Enel Group and German mail service Deutsche Post.

Muntyan denied any intention to mislead potential clients, saying that in some cases Passwork’s customer is a specific company within the group, rather than the parent company itself.

Bert Hubert, a former software developer who has served on a body advising Dutch intelligence services, stressed that trust is the foundation of any password management service.

“You can’t say, ‘I don’t trust the vendor, but I do trust the software.’ That’s not an option," he said.

**Additional reporting by Linda Van der Pol (Investico), Sylvana van den Braak (Investico), Lars Bové (De Tijd), Jyri Hänninen (Yle), Raffaele Angius (IRPI), Alicja Pawlowska (Frontstory.pl & VSquare.org), Conor Gallagher (Irish Times), Damien Leloup (Le Monde), Hakan Tanriverdi (Paper Trail Media). **
