« All posts

Passwork's Hidden Russian Ties and FSTEC Certification Raise Concerns

OCCRP investigation reveals Passwork, an EU-marketed password manager, has undisclosed Russian founders and an FSTEC-certified Russian counterpart.

Passwork Europe S.L. markets itself as a fully European, founder-owned password manager with no ties to Russian or other non-European entities. An OCCRP investigation found the software was originally developed by two Russian co-founders who remain linked to an opaque UAE-based firm supplying updates to the European company.

Corporate records show the same Russian founders now own Passwork LLC in Russia, which uses an identical logo and lists sanctioned defense manufacturers among its clients. That Russian entity holds certifications from FSTEC, a Ministry of Defense body, and the FSB — a process that typically requires submitting source code to a state-accredited lab for review.

Cybersecurity experts warn that such state-level audits could expose exploitable weaknesses to Russian authorities, and that a shared codebase and synchronized update cycles suggest the European and Russian products remain closely linked. Passwork's CEO, Alexander Muntyan, denies any operational relationship between the two firms and points to the software's zero-knowledge architecture as protecting customer data.

For engineers evaluating credential-management tools, the case highlights why verifying software provenance and update-chain integrity matters, especially when marketing claims obscure a product's true corporate lineage.