Russian tech is used by institutions and governments in Europe (Mikhail Arefiev- UnSplash)

EU bubble Tech

‘Made in EU’ password manager shares codebase with Russian State-certified firm

3 minutes read

The product originated in Arkhangelsk, northwest Russia, in June 2014, founded by Russians Ilya Garakh and Andrey Pyankov.

A Spain-based password management solution marketed as a fully European product maintains technical connections to a Russian sister company certified by Russian State agencies, an investigation by the Organized Crime and Corruption Reporting Project (OCCRP) has revealed.

Passwork Europe SL, which supplies password management software to European government agencies, universities and other organisations, emphasises its EU credentials on its website with statements such as “Passwork – European company built for trust” and a “Made in EU 2017” badge.

Company guidance for artificial intelligence (AI) systems, published this year, said the firm was “bootstrapped, founder-owned, and has no affiliations with any US, Russian, or other non-European entities”.

But reporters found that the software shares a common codebase origin with a Russian counterpart, Passwork LLC, receives updates on a similar timeline and features a near-identical user manual.

The Russian firm lists clients including sanctioned Russian missile manufacturers and space technology developers, and holds certifications from the Federal Service for Technical and Export Control (FSTEC), an agency under Russia’s Defence Ministry, and the Federal Security Service (FSB).

The product originated in Arkhangelsk, northwest Russia, in June 2014, founded by Russians Ilya Garakh and Andrey Pyankov.

Updates to the European version have been supplied via an opaque firm in the United Arab Emirates (UAE), Passwork FZ-LLC, registered in July 2022 at “Shed No.23” in the Ras Al Khaimah Economic Zone and managed by one of the Russian co-founders.

Both companies use an identical logo. The Russian version advertises State certifications that require detailed source-code review.

Cybersecurity experts consulted by OCCRP described the arrangement as a potential security risk at State level.

Bart van den Berg of the Clingendael Institute, a Dutch think tank, warned that access to the source code could give the Russian State “far-reaching insight into the software and its vulnerabilities, or even deliberately add elements to it”.

He added: “If both products share the same codebase and are updated in sync, then vulnerabilities may affect both versions.”

Alessandra Chirico, an expert in EU regulation and cybersecurity policy, said trust in cybersecurity was not simply a commercial claim. She added: “The stronger the narrative of trust, the greater the corresponding duty of transparency required to sustain it.”

Alexander Muntyan, CEO and sole shareholder of the Spain-based Passwork Europe SL, told reporters no relationship existed between the Spanish-registered company and its Russian counterpart.

“We do not share clients, servers, support systems, customer records, administrative access, or customer environments,” Muntyan said.

He said clients’ data is stored on their own private servers under a “zero-knowledge architecture”, in which encryption and decryption take place on the client side.

Muntyan acknowledged a “common codebase origin” and confirmed he acquired rights to the software from the UAE entity in 2024, with full trademark rights due in August 2026.

He stated the company has never concealed the software’s origins and that its code is open for customer audits.

Shortly after Muntyan was first contacted by OCCRP, the AI instructions describing the company as having no Russian affiliation were removed from his company’s website.

No evidence of malicious code, data compromise or illegality was found by reporters.

Passwork’s European clients include three Irish Government agencies, Dresden University of Technology in eastern Germany and institutions served through Paradigm Brussels, a Belgian IT services provider to Brussels’ regional government.

Key Topics

More like this

A global tech outage appeared to be related to issues at global cybersecurity firm CrowdStrike and Microsoft was affecting operations in various sectors on July 19 including airports and airlines. EPA-EFE/SEM VAN DER WAL
News

Europe’s largest airports disrupted amid global IT outage

By Anne-Laure Dufeal

News

Microsoft blames EU for global IT outage

By Paddy Belton

EU bubble

EU to police open source software

By Claire Lemaire

EU bubble

Russia marks German-Ukrainian drone factories as ‘potential targets”

By John Rosenthal