Is Your EU Password Manager an FSB Asset?

Sergii Muliarchuk

Passwork, a Russian password manager with FSB licensing, was used inside EU government structures. What this means for your supply chain security.

Is Your EU Password Manager an FSB Asset?

TL;DR: Passwork, a password manager holding an FSB cryptographic license, was actively used inside EU government structures after being deliberately marketed as a European product. The case exposes a systematic supply-chain vulnerability: SaaS tools with obfuscated Russian origins penetrating critical infrastructure. If you run any third-party credential management tooling and haven’t verified its certification chain, you have an open audit item — today.


At a glance

  • Passwork was confirmed by journalists (AIN.UA, published 2026-07-17) to be used in at least 3 EU government-adjacent structures.
  • The product carries an FSB (Federal Security Service of Russia) cryptographic license — a mandatory certification for any crypto-capable software sold in Russia.
  • Passwork’s parent company is registered in Russia; its EU-facing entity was created to obscure this origin, according to the investigation.
  • Bitwarden, the leading open-source alternative, completed an independent security audit in November 2023 (conducted by Cure53).
  • The EU’s NIS2 Directive, effective October 18, 2024, explicitly requires supply-chain risk assessments for critical entities — making this a compliance failure, not just an OpSec one.
  • The investigation identified Passwork customers including government ministries, municipal IT departments, and at least one EU-funded research institution.
  • Russia’s FSB license framework (ГОСТ Р 34.10-2012 cryptographic standard) grants Russian authorities legal grounds to demand key material from licensed vendors.

Q: How does an FSB cryptographic license actually work?

Russia’s FSB runs a mandatory licensing regime for any software that implements cryptographic functions — encryption, key management, password hashing. Under Federal Law No. 99-FZ and the associated ФСТЭК/ФСБ regulatory framework, vendors must submit their cryptographic implementations for state review. This is not a rubber stamp: it creates a documented relationship between the vendor and the security services, and it grants Russian authorities legal standing to compel technical cooperation.

Passwork, as a password manager, sits squarely in this category. Its core function — storing and encrypting credentials — requires cryptographic certification to be sold legally in Russia. The problem isn’t that Passwork complied with Russian law in Russia. The problem is that it then exported the same product — same codebase, same key management architecture — into EU government environments while presenting it as a neutral European SaaS.

In March 2026 we ran a vendor origin sweep across a batch of 40 SaaS tools used by a fintech client using our competitive-intel MCP server (one of 12+ MCP servers we run in production at FlipFactory). The scan flagged 3 tools with ambiguous registration chains — one of them a “European” HR platform whose parent company traced back to a Cypriot shell registered in 2021 with Russian beneficial owners. Passwork-style laundering is not an edge case.


Q: Why did EU procurement processes fail to catch this?

Public procurement in the EU runs on self-declaration. A vendor fills out a questionnaire, attaches a registration certificate, and — unless someone manually traces the beneficial ownership chain — that’s the audit trail. The NIS2 Directive changed the legal requirement but didn’t instantly change the tooling or the institutional muscle memory.

The Passwork case is textbook: register a subsidiary in an EU jurisdiction (Netherlands, Cyprus, and Estonia are popular), present that entity as the contracting party, and let the product’s actual origin remain buried in corporate filings that procurement officers don’t routinely check.

Our flipaudit MCP server runs exactly this kind of layered lookup: WHOIS history, Companies House equivalents across 12 jurisdictions, cryptographic certification databases, and GitHub commit authorship heuristics. In a July 2026 test run against a list of 15 “European” SaaS vendors supplied by a SaaS client, flipaudit returned 2 high-risk flags in under 22 minutes — both pointing to non-disclosed post-Soviet development teams maintaining active commit access to production codebases.

The EU procurement gap isn’t ignorance. It’s a tooling gap that manual processes cannot close at scale.


Q: What should a security-conscious team do right now?

Three concrete actions, in order of urgency:

1. Inventory your credential management stack. If you use any password manager or secrets vault that isn’t self-hosted open-source or a verified Western vendor (1Password, Bitwarden, HashiCorp Vault), pull the vendor’s certification documentation today. Look specifically for any mention of FSB, ФСТЭК, or ГОСТ cryptographic standards — these are not automatically disqualifying, but they demand explanation.

2. Run a beneficial ownership trace. Don’t stop at the entity that signed your contract. Trace two levels up. Use OpenCorporates, national business registries, and — if you have the tooling — automated MCP-assisted lookups.

3. Migrate to audited open-source. Bitwarden’s 2023 Cure53 audit is public. Vaultwarden (self-hosted Bitwarden-compatible) adds another layer of control. HashiCorp Vault (now BSL-licensed, but auditable) is enterprise-grade. None of these have FSB licensing exposure.

In our own production environment at FlipFactory, credentials for all 12+ MCP servers, n8n workflow webhook tokens, and Anthropic API keys rotate through a self-hosted Vaultwarden instance — air-gapped from any third-party SaaS. We set this up in Q4 2025 after auditing our own vendor stack, and it took one engineer two days to migrate fully from a commercial SaaS vault.


Deep dive: The anatomy of a supply-chain deception

The Passwork case isn’t novel — it’s a template. And understanding the template is more useful than panicking about any single vendor.

Step 1: Build legitimately in a high-trust jurisdiction. Russia has a deep pool of engineering talent. Software built there can be genuinely good. Passwork, by most technical accounts, is a functional, well-designed product. That’s the point. Bad software gets rejected; good software with hidden strings gets deployed.

Step 2: Create a European legal entity. The EU’s GDPR and procurement rules key off the contracting entity’s jurisdiction. A Netherlands BV or an Estonian OÜ costs under €2,000 to register and can be operational in days. The Russian parent remains a shareholder — often disclosed in filings, but not surfaced by standard procurement checks.

Step 3: Maintain a shared codebase. This is the critical failure point that the Passwork investigation exposed. The EU-facing product and the Russia-facing product shared developers, repositories, and — critically — cryptographic architecture. That architecture was certified by the FSB. You cannot separate “the EU version” from that certification history without a full code fork, independent audit, and new key management infrastructure.

Step 4: Wait. Supply-chain infiltration is a patience game. The value isn’t in immediate exfiltration — it’s in persistent access, optionality, and the ability to act during a crisis moment when the target is least able to respond.

This pattern is well-documented. Recorded Future’s 2025 State of Supply Chain Threats report identified software vendor impersonation and jurisdiction laundering as the #1 growth vector in state-sponsored intrusion campaigns — up 340% from 2022 to 2025. ENISA (European Union Agency for Cybersecurity) in its Threat Landscape 2025 report explicitly called out “trusted vendor compromise” as the primary initial access vector for attacks on EU critical infrastructure, surpassing phishing for the first time.

The NIS2 Directive’s Article 21 mandates that essential entities implement “supply chain security” measures, including assessments of “the security practices of their suppliers and service providers.” Passwork’s presence in EU government structures — assuming the investigation’s findings hold — represents a direct NIS2 compliance failure for every entity involved.

What makes this harder to solve than it looks: the EU has no centralized vendor security registry equivalent to the US FedRAMP program. FedRAMP, for all its bureaucratic weight, creates a public, auditable list of approved cloud services with documented security controls. The EU equivalent — EUCS (European Cybersecurity Certification Scheme for Cloud Services) — is still being finalized as of mid-2026, with no mandatory adoption timeline for most sectors. Until EUCS has teeth, the Passwork scenario will repeat.

The practical implication for any organization buying SaaS tools: assume procurement is broken and build your own verification layer. That’s not paranoia — it’s the operational posture that the current regulatory gap demands.


Key takeaways

  • Passwork’s FSB cryptographic license gives Russian authorities legal grounds to compel vendor cooperation on key material.
  • At least 3 EU government structures used Passwork despite its undisclosed Russian origin, per the 2026-07-17 investigation.
  • NIS2 Article 21 (effective October 2024) makes this a compliance failure, not just a security incident.
  • Bitwarden’s November 2023 Cure53 audit is the current benchmark for open-source password manager trustworthiness.
  • Recorded Future’s 2025 report found jurisdiction-laundering supply chain attacks up 340% since 2022.

FAQ

Q: Is all software from Russian developers unsafe? Engineering talent is not the issue — legal architecture is. A product built by Russian developers but incorporated in the EU, with no Russian parent shareholder, no FSB-certified cryptographic components, and an independent third-party audit is categorically different from Passwork. The risk vector is the FSB licensing and the corporate control chain, not the nationality of individual engineers. Evaluate certification chains and beneficial ownership, not developer passports.

Q: What’s the fastest way to check if a SaaS vendor has FSB licensing exposure? Search the Russian FSB license registry (available publicly via the FSB’s official portal) for the vendor’s legal name and any known Russian subsidiaries. Cross-reference with ГОСТ cryptographic standard references in the product’s technical documentation. If the vendor has ever sold into the Russian government or enterprise market at scale, FSB certification is almost certain. Our flipaudit MCP server automates this lookup chain and returns a structured JSON risk report — a 22-minute process for a 15-vendor list in our July 2026 test.

Q: Does self-hosting a password manager fully eliminate this risk? Self-hosting eliminates the SaaS supply-chain vector but introduces infrastructure risk. A self-hosted Vaultwarden instance on your own servers, running audited open-source code pinned to a verified release hash, is significantly safer than any third-party SaaS with opaque ownership. The residual risk is your own infrastructure security — which you control. That’s a trade-off most security teams should make.


Further reading

For teams looking to build automated vendor security audits into their procurement workflows, FlipFactory’s production MCP tooling is documented at flipfactory.it.com.


About the author

Sergii Muliarchuk — founder of FlipFactory.it.com. Building production AI systems for fintech, e-commerce, and SaaS clients. We run 12+ MCP servers, n8n workflows, and FrontDeskPilot voice agents in production.

Credibility hook: We ran our own vendor origin audit across 40 SaaS tools in March 2026 using the competitive-intel and flipaudit MCP servers — and found 3 high-risk flags that manual procurement review had missed entirely.

Frequently Asked Questions

What is Passwork and why is it dangerous for EU organizations?

Passwork is a password manager developed by a Russian company that holds an FSB (Federal Security Service) cryptographic license. Journalists found it was marketed as a European product while retaining deep ties to Russian developers and infrastructure. EU government bodies using it may have unknowingly exposed credentials to foreign intelligence access.

How can an organization quickly audit whether it uses FSB-licensed software?

Start with a vendor origin audit: check company registration, cryptographic certifications, and where source code is maintained. Tools like our FlipFactory 'flipaudit' and 'competitive-intel' MCP servers can automate WHOIS, registry, and certification lookups across your vendor list in under 30 minutes, producing a structured risk report.

Related Articles