Another Chapter in an Almost Invisible Cyberwar
While the world's attention focuses on conventional military headlines, another war continues to be waged in parallel — less visible, but no less strategic. On April 14, 2026, VECERT Analyzer detected and reported another chapter of this parallel conflict: a data leak from Bila Tserkva City Council (Белая Церковь in Russian, or Bila Tserkva in Ukrainian) — a city of approximately 200,000 residents in the Kyiv metropolitan area.
Attribution points to the Perun Swaroga group, which published the leak through channels linked to the hacktivist ecosystem and pro-Russia operators. The case, individually modest, illustrates a larger pattern: the systematic erosion of Ukrainian low- and mid-level digital infrastructure by actors aligned with the Kremlin.
The Target: Why Bila Tserkva
Bila Tserkva is not an obvious target in military or strategic terms — and that is precisely the point. Mid-sized cities are attacked because:
- Their cyber defenses are significantly weaker than those of national ministries or Kyiv
- They process sensitive data for hundreds of thousands of citizens (records, taxes, municipal services)
- Leaks cause diffuse but real damage to morale and local administrative capacity
- Exposure of personal data generates secondary targets — citizens begin receiving phishing, extortion and SIM-swap attempts
The pattern of attacks on Bila Tserkva, Mykolaiv, Odesa, Sumy and other Ukrainian cities documented throughout 2024-2026 shows a systematic degradation campaign, not opportunistic attacks.
Perun Swaroga: What Is Known
The Name
"Perun" is the god of lightning and war in pre-Christian Slavic mythology — a central figure in Ukrainian, Russian, Polish and Belarusian pantheons. "Swaroga" (or Svarog) is another Slavic deity, associated with celestial fire and the forge. The group's name is a rhetorical appropriation of pan-Slavic cultural elements — a strategy common among nationalist groups seeking historical legitimacy.
Modus Operandi
Preliminary analyses cross-referencing VECERT data with public reports from other firms (Mandiant, Check Point) suggest:
- Focus on Ukrainian targets of medium and low scale (city councils, universities, regional companies)
- Typical entry vectors: spear phishing, exploits in outdated software, compromised credentials
- Publication of leaked databases through Telegram channels in the pro-Russia ecosystem
- Public narrative framing actions as "reaction to war" — hacktivist veneer
- Technical indicators shared with other known groups (Killnet, NoName057, XakNet)
State Attribution
Groups like Perun Swaroga operate in a deliberately ambiguous zone. They are not formally part of Russian intelligence services (FSB, GRU, SVR), but:
- Operate with the knowledge and tolerance of the Russian State
- Frequently coordinate with state operations to maximize impact
- Receive infrastructure (servers, VPNs, banking anonymity)
- Provide plausible deniability — the Russian State denies involvement, but the actions advance the state agenda
This model is an evolution of what analysts call "patriotic hacking" — hacktivism with a patriotic veneer and tacit state support — used by Russia since at least 2014.
What Was Leaked
VECERT confirmed publication of the database but did not exhaustively detail its contents. Patterns from similar municipal leaks suggest it may include:
- Government employee data from the council (names, positions, contacts, history)
- Records of citizens who interacted with municipal services
- Internal communications (emails, minutes, documents)
- System configurations that may facilitate secondary attacks
- Potentially sensitive infrastructure information (IT contracts, vendors)
The real damage is twofold: immediate for citizens whose data is exposed, and structural for the municipal administration that must spend months in containment, communication and rebuilding trust.
The Connection To Crypto
For an audience focused on cryptoassets, the natural question is: where does crypto come into this story? There are multiple layers:
1. Laundering War-Related Resources
Groups like Perun Swaroga and their peers (Killnet, NoName057, Conti historically) frequently use crypto to:
- Receive donations from supporters in jurisdictions with banking restrictions
- Monetize ransomware (when present in their arsenal)
- Move funds to operators in difficult jurisdictions (Russia, Belarus, Transnistria)
Chainalysis and TRM Labs track associated addresses — many are already sanctioned by US OFAC.
2. Targeted Ransomware
Some of the data exposed in "leaks" like Bila Tserkva's serves as raw material for subsequent ransomware attacks: leaked credentials enable infiltration, and ransom negotiation occurs almost invariably in Monero, Bitcoin or Ethereum. There are documented cases of Ukrainian cities paying in crypto to recover critical systems.
3. Sanctioned Infrastructure
Wallets linked to groups like Perun Swaroga frequently end up on OFAC SDN lists. Good-faith crypto users who interact (via mixers, DEXs, P2P) with funds originating from these activities may have assets frozen. Tools like Chainalysis KYT, TRM Labs Wallet Screening and Elliptic Navigator become essential for OTC desks and exchanges.
4. Crypto Use By Ukraine
On the other side, Ukraine was a pioneer in accepting crypto donations for resistance — raising over US$ 200 million since 2022 in BTC, ETH, USDT and others. Crypto became a legitimate tool of resistance, used to purchase supplies, pay volunteers, fund equipment.
The irony is evident: the same technological rails (public blockchain) serve Ukrainian resistance and the groups attacking it. Technical neutrality is only one face of reality; whoever uses the tool defines its purpose.
The Broader Pattern: Cyberwar As State Policy
The Russian Manual
Russia has developed, over 15 years, a well-established playbook for cyber operations:
- Attacks on civilian infrastructure (energy, telecom, healthcare, administration)
- Disinformation via social networks
- Strategic data leaks to erode trust in institutions
- "Patriotic hacking" as a plausibly deniable layer
- Ransomware as an economic weapon against strategic targets
The Western Response
OFAC has sanctioned dozens of groups and crypto addresses linked to this activity. CISA (Cybersecurity and Infrastructure Security Agency) shares IOCs with allies. NATO has expanded its cyber mandate. But the pace is still reactive, not preventive.
Ukraine As Laboratory
In practical terms, Ukraine has become the world's most advanced laboratory for cyber defense in real time. Lessons learned there inform global defensive practices: network segmentation, zero-trust, resilience via distribution, strategic air-gapping.
The Role of Threat Intelligence Platforms
Cases like Bila Tserkva reinforce the importance of platforms like VECERT Analyzer. Without continuous monitoring of private Telegram channels, BreachForums and related ecosystems, these leaks would go completely unnoticed until secondary damage (phishing, ransomware, scams) materialized.
For local governments in countries under cyber pressure, subscription to threat intelligence services is becoming an operational baseline — equivalent to what corporate antivirus was 20 years ago.
Implications For Regular Users
If You Have Ties To Ukraine / Russia
- Assume your personal data may appear in leaked databases
- Monitor services like HaveIBeenPwned and equivalents
- Strengthen 2FA with hardware keys on critical services
- Avoid password reuse across services
If You Operate In Crypto
- If using OTC, demand KYT reports on fund origin
- Monitor updated OFAC sanctions before large P2P operations
- Use exchanges with robust compliance to reduce risk of receiving traced funds
- Watch out for "too good to be true" deals on Eastern European forums — they frequently originate from ransomware funds
If You Observe Crypto Globally
- Understand that crypto is technically neutral but operationally and politically complex
- Follow analyses from Chainalysis, TRM Labs, Elliptic to understand flows
- Track SDN lists to see which addresses are sanctioned
- Don't romanticize or demonize — crypto is a tool, used by all sides
Conclusion: The Invisible Front Is Also Decisive
The Russia-Ukraine war is the most complex conflict of the 21st century — military, economic, informational, cyber. Cases like the Bila Tserkva leak, seemingly small, add up to a campaign of attrition that affects Ukraine's capacity to function at local levels. It is low-intensity, but it is systematic.
For the crypto ecosystem, there is a role to play — and a responsibility. Tools for tracking, compliance and on-chain analysis provide transparency that traditional channels cannot. The more robust the monitoring, the harder it becomes to monetize cyber attacks via crypto. The more aligned exchanges and banks are with updated threat intel, the lower the operational profit of attackers.
The work of VECERT and peers is only part of this ecosystem. But it is an essential part. And each alert — however small it may seem on the public radar — contributes to mapping a conflict that, for a long time to come, will continue to be fought simultaneously on land, air, sea, space and, increasingly, on blockchains.
Primary source: VECERT Analyzer alert published on April 14, 2026. Data contextualized with public reports from Chainalysis, TRM Labs, Elliptic, Mandiant and Check Point.
Disclaimer: This content is informational and for educational purposes. It constitutes neither an investment recommendation nor political positioning. ON3X monitors geopolitical events for their relevance to the global crypto ecosystem and threat intelligence.
