password-security-guideINFO

Passwork's Russian Ties: What the Investigation Found, and How to Pick a Password Manager You Can Trust

An OCCRP investigation found that Passwork, a password manager marketed as European, has Russian origins and ongoing ties, including a sister firm certified by the FSB. What was reported, and the trust checklist for choosing a password manager.

By Eric Gerard · Editor · PwdFortress3 min readPhoto: Pexels

Your password manager is the most sensitive app you own - it holds the keys to everything else. So a July 2026 investigation into Passwork, a manager marketed as European but reported to have deep Russian ties, is worth understanding calmly. Here is what the reporting actually says, and, more usefully, the checklist it points to for choosing a password manager you can genuinely trust.

What the investigation found

According to an investigation by the OCCRP (Organized Crime and Corruption Reporting Project), with corroborating reporting from the Irish Times, DutchNews, NL Times and Cybernews, Passwork presents itself as a European product (based in Spain, at passwork.pro) but has Russian origins that were not front and centre for its users.

The key points from the reporting:

  • The software traces back to Arkhangelsk, Russia, where the Russian-language site passwork.ru was first registered in 2014.
  • A Russian sister company is certified by the FSB security service - a certification that, per the reporting, requires the source code to be reviewed by state-approved auditors.
  • The European (passwork.pro) and Russian (passwork.ru) products reportedly shipped the same version 7.6 update a day apart, indicating a shared codebase.
  • The corporate structure spans multiple jurisdictions, and the product has been used by European government agencies and universities, including Irish State bodies and Dutch firms.

To be precise and fair: the reporting does not allege a proven backdoor. The issue it raises is one of trust, transparency and jurisdiction.

Why a password manager's trust matters so much

Most software failures are contained. A password manager is different, because it holds every credential you have. If the company behind it has undisclosed ties to a state security service - one that reviews its code - then the question is not just "is there a bug?" but "who ultimately has leverage over the thing guarding all my accounts?" That is why experts quoted in the investigation frame it as a state-level risk, and why transparency about ownership and jurisdiction is not a nice-to-have for this category. It is the whole point.

A hand holding a brass padlock. A password manager holds every credential you have, which makes who you trust to build it the most important question.
A hand holding a brass padlock. A password manager holds every credential you have, which makes who you trust to build it the most important question.

How to choose a password manager you can trust

This is the practical takeaway, and it applies far beyond one product. When you pick a password manager, look for four things:

  • Transparent ownership and jurisdiction. You should be able to find out who runs the company and under whose laws it operates, without an investigation.
  • Open-source code plus recent independent audits. Open code lets independent reviewers verify the claims; third-party audits check that the security holds up. Together they turn "trust us" into "check for yourself."
  • End-to-end, zero-knowledge encryption. Your vault should be encrypted with a key derived from your password on your device, so the provider itself cannot read it - the strongest structural protection there is.
  • A real track record. Longevity and a clean, transparent history matter for something this sensitive.

Managers such as Bitwarden (open-source and audited), Proton Pass (Swiss-based and audited) and NordPass (independently audited) are examples that meet these bars - see our look at whether password managers are safe and the best free password managers for how to compare them.

What to do if you use Passwork

Do not panic, but do review it. Read the reporting, weigh the disclosed ties against your own threat model, and if you are not comfortable, migrate to a transparent, audited, zero-knowledge alternative - rotating your most important passwords from a clean device as you go. Organisations named in the coverage are reportedly reviewing their usage; as an individual, you can make that call faster.

The bottom line: the Passwork story is less about one product being "hacked" and more about a lesson that applies to all of them. Because a password manager guards everything, choose one whose ownership is transparent, whose code is open and audited, and whose encryption means it could not read your vault even if it wanted to.

Frequently asked questions

What did the investigation into Passwork find?

According to an OCCRP investigation published in July 2026, and reporting by outlets including the Irish Times, DutchNews and Cybernews, Passwork - a password manager presented as a European, Spain-based product - has Russian origins and ongoing ties. The reporting traces the software to Arkhangelsk, Russia, where the Russian-language site passwork.ru was first registered in 2014, and states that a Russian sister company is certified by the FSB security service, a process that requires the source code to be reviewed by state-approved auditors. The European and Russian versions were also reported to have shipped the same version 7.6 update a day apart, pointing to a shared codebase.

Is Passwork unsafe to use?

The reporting does not claim a proven backdoor; the concern experts raise is about trust, transparency and jurisdiction. A password manager holds every credential you have, so undisclosed ties to a state security service that reviews the code are, in the words of the investigation, a state-level security risk worth taking seriously - especially for government agencies and businesses. Whether that risk is acceptable is a decision each user and organisation has to make, but it is exactly the kind of thing a password manager should be fully transparent about.

How do I choose a password manager I can trust?

Look for four things. Transparency about who owns the company and which jurisdiction it operates under. Open-source code plus recent independent security audits, so the claims can be verified rather than taken on faith. End-to-end, zero-knowledge encryption, so the provider itself cannot read your vault. And a solid track record. Managers like Bitwarden (open-source, audited), Proton Pass (Swiss, audited) and NordPass (independently audited) are examples that meet these bars.

What should I do if I use Passwork?

Do not panic, but do review it. Read the reporting, weigh the disclosed ties against your own threat model, and if you are not comfortable, move to a transparent, audited, zero-knowledge alternative and rotate your most important passwords from a clean device as you migrate. Organisations named in the coverage are reportedly reviewing their use; individuals can make the same call more quickly.

Does open-source make a password manager safer?

It helps, because it lets independent reviewers inspect the code rather than trusting the vendor's word - the 'don't trust, verify' principle. Open-source is strongest when paired with regular third-party audits and zero-knowledge encryption. On its own it is not a guarantee, but combined with audits and a transparent owner, it is one of the clearest signals that a password manager is worth trusting.