The spying on Serbian citizens by Russian intelligence structures
The case involving the Russian security apparatus goes beyond mere narrative
The cyber-espionage directed against the Belgrade Centre for Security Policy (BCBP) is much more than an ordinary security incident; it is a threat with direct consequences for the security of Serbia and its citizens. The price is the loss of autonomy, the normalization of surveillance as a political tool, and strategic submission to a foreign power.
On August 27, 2025, a message arrived on Signal from an account claiming to belong to Sergei Tikhanovsky, a Belarusian opposition politician and husband of Svetlana Tikhanovskaya, the exiled Belarusian opposition leader.
The message did not seem suspicious. On the contrary, it was professional, calm, and written in the language of people accustomed to international cooperation. The proposed topic was cooperation on anti-corruption activities in Eastern Europe. The contact details had been obtained through a European organization with which BCBP regularly cooperates. A short video call was proposed. Nothing in the message required additional verification. A link arrived. The call never took place, and there was no error message. No one had shared the phone number with the so-called Tikhanovsky.
It then became clear that the message was not an invitation for cooperation, but an entry point for espionage.
Later, it was discovered that the message was not an isolated incident, but part of a much broader operation that had begun earlier. Forensic analysis by a major IT company showed that the compromise of the BCBP system had not started that year, but during the summer and autumn of 2024, with confirmed traces of unauthorized access dating back to September 2024.
The first phase of the attack was entry into the internal network using compromised VPN accounts, i.e., legitimate entry points to the BCBP server used for remote work. This enabled the attackers to log into the system as “regular users,” without triggering alarms or raising any suspicion.
One group ensured long-term, quiet espionage: the invisible reading of emails and documents. The other used more aggressive techniques, including seizing administrative accounts and gaining broader control over the digital infrastructure.
In the second phase, administrative accounts over the entire system were seized. In practice, this meant full control over servers, workstations, internal documents, archives, and communications. Tools characteristic of serious espionage operations were installed: tools for extracting passwords, for remote command execution, and for maintaining a long-term, hidden presence in the system.
Only then did the third, most sensitive phase begin: the systematic surveillance of all BCBP communications.
In the period from November 11 to December 8, 2025, more than 28,000 individual accesses to BCBP employees’ emails were recorded. These accesses were not the result of automated processes, security scans, or technical errors. They involved the actual opening of messages, including archives. Access to emails was not limited to current communication; it also included older correspondence, as well as internal documents and communications with domestic and international partners. Accesses to several user accounts were recorded at different time intervals throughout the mentioned period. In parallel with the email accesses, attempts to establish communication with BCBP employees through various channels were also recorded, including email and messaging applications, using fake or unverified identities.
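The mass mailbox reads described above are the kind of activity a defender can surface from mailbox audit data. As an added example (not from the article and not BCBP's own tooling), the following script runs a per-account volume check and an archive-age check over a constructed, simplified access log; the record format, account names and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed audit records (not real BCBP data): one dict per message opened."""
    log = []
    base = datetime(2025, 11, 11)
    # analyst1: 30 reads a day of fresh mail for three days, a normal pattern
    for day in range(3):
        for i in range(30):
            t = base + timedelta(days=day, hours=9, minutes=i)
            log.append({"account": "analyst1", "accessed": t.isoformat(),
                        "received": (t - timedelta(hours=1)).isoformat()})
    # director: 400 reads in one day, 250 of them messages older than a year
    for i in range(400):
        t = base + timedelta(days=1, hours=2, minutes=i)  # from 02:00 onwards
        age = timedelta(days=500) if i < 250 else timedelta(hours=2)
        log.append({"account": "director", "accessed": t.isoformat(),
                    "received": (t - age).isoformat()})
    return log

def detect_mass_reads(records, per_day_threshold=200, archive_age_days=365, archive_share=0.5):
    """Return {account: [finding, ...]} for (account, day) pairs where the number
    of opened messages, or the share of old (archived) messages, exceeds thresholds."""
    per_day = Counter()      # (account, day) -> messages opened
    old_per_day = Counter()  # (account, day) -> messages older than archive_age_days
    for r in records:
        accessed = datetime.fromisoformat(r["accessed"])
        key = (r["account"], accessed.date().isoformat())
        per_day[key] += 1
        if accessed - datetime.fromisoformat(r["received"]) > timedelta(days=archive_age_days):
            old_per_day[key] += 1
    findings = defaultdict(list)
    for (account, day), total in per_day.items():
        old = old_per_day[(account, day)]
        reasons = []
        if total > per_day_threshold:
            reasons.append(f"{total} messages opened in one day")
        if total and old / total >= archive_share:
            reasons.append(f"{old}/{total} opened messages older than {archive_age_days} days")
        if reasons:
            findings[account].append({"day": day, "reasons": reasons})
    return dict(findings)

if __name__ == "__main__":
    for account, hits in detect_mass_reads(build_sample_log()).items():
        for h in hits:
            print(account, h["day"], "; ".join(h["reasons"]))
```

Thresholds should be tuned against each organization's own baseline; the point is that a reader of archived correspondence stands out even when the login itself looks legitimate.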
The analysis showed that this was not the work of a single actor, but of two different hacker groups known by the names Midnight Blizzard and Forest Blizzard. These groups are linked to Russian intelligence and security structures: the former to the Foreign Intelligence Service (SVR), the latter to military intelligence (GRU); security experts believe Forest Blizzard is in fact part of the GRU’s command structure.
The operation did not stop at internal systems. A fake website for the Belgrade Security Conference was created and presented as the official registration platform. At the same time, emails with supposed registration links were sent to guests and conference participants, with the aim of extending the infiltration to international participants, including representatives of governments, international organizations, the academic community, and civil society. On the fake conference website used for espionage, journalists from the regime-aligned television stations Pink and Kurir were also “accredited” to cover the conference’s work.
Official Serbia has been openly cooperating with Russian security services for years, not only through formal agreements, but also through direct cooperation between the two authoritarian regimes. As early as 2021, the existence of a joint body for combating the so-called “color revolutions” was confirmed. That same year, Russian opposition politicians were monitored in Belgrade, including Vladimir Kara-Murza and Andrey Pivovarov. Both were later arrested and sentenced in Moscow. After their prisoner exchange with the United States, they publicly accused Serbian security services of handing over to Russian authorities the material collected from surveillance in Serbia. These accusations were never seriously investigated.
More than a year has passed since the collapse of the reconstructed canopy at the railway station in Novi Sad, which triggered massive citizen protests demanding accountability from the government. As public pressure grew and the protests became increasingly large-scale, efforts to delegitimize them also intensified. In this context, a statement from the Russian SVR this summer was noteworthy: it accused a number of independent local media in Serbia of promoting the “Ukrainian Euromaidan scenario” in Serbia. No Serbian state body commented on this unusual interference in the country’s internal affairs. On the contrary, the only reaction was a statement from the President of Serbia thanking the Russian SVR for providing information about an alleged plot to overthrow the government: fabricated accusations that were never proven.
Hacker attacks in Europe are part of Russia’s broader hybrid warfare since the start of the war in Ukraine. The question is whether Serbia, by using external forces to monitor, map influence, and neutralize pressure for political change, is becoming part of this strategy. This practice helps the regime stay in power, but the price is clear: external dependence and deep submission.
At the same time, cases across Europe have revealed networks of contacts linked to Russia that use Serbia’s territory for subversive activities. One such case, from September this year, involved training camps in western Serbia where individuals, according to Moldova’s official statement, were preparing to cause unrest and disrupt the electoral process during elections in that country. In this context, the case of the illegal weapon used in the attack on demonstrators in Belgrade (the so-called sound cannon) should also be viewed. Instead of an independent domestic investigation, the government relied on a report from the Russian Federal Security Service (FSB). Thus, a foreign security service and its supposed report became the sole source of truth for an event that still sparks controversy in public opinion regarding what really happened on March 15 in Belgrade.
This particular type of authoritarian “offshoring” does not come exclusively from the East. The criminalization of USAID in American political discourse earlier this year served as a pretext for police raids on the premises of civil society organizations in Serbia. However, the case involving the Russian security apparatus goes beyond mere narrative: it involves an actor that undoubtedly has completely free rein to operate on Serbian territory, either in cooperation with or with the silent complicity of Serbian services. /Nova/