A Ukrainian cyberwarfare unit on Thursday said it ran a network of Telegram channels and bots that posed as a Starlink registration service and harvested location and terminal data from Russian soldiers. The 256th Cyber Assault Division, working with two OSINT groups, says the operation collected 2,420 Starlink entries and $5,870 in payments while funneling precise coordinates to Ukrainian forces. The disclosure follows SpaceX’s recent geofence that restricts Starlink service in the region to terminals authorized by Ukraine’s government, a move that reportedly led Russian troops to seek registration help. Business Insider reported the unit’s statement and the associated screenshots; the authenticity of those screenshots has not been independently verified.
Key takeaways
- The 256th Cyber Assault Division claims it and partners harvested 2,420 data entries tied to Russian Starlink terminals, including terminal IDs and coordinates.
- The unit says it collected $5,870 from Russian soldiers who paid for the fake registration assistance via Telegram bots.
- InformNapalm and MILITANT, two OSINT groups, are named as collaborators; they helped promote or amplify the channels and posts that lured soldiers in.
- The operation allegedly drew 31 Ukrainians who volunteered or sought ways to assist with registering terminals for Russian troops.
- SpaceX enacted a geofencing restriction earlier in February 2026 that limited service to terminals logged with Ukraine’s government, prompting Russian efforts to circumvent the block.
- Business Insider reported the claims and screenshots on 2026-02-13; the screenshots’ authenticity remains unconfirmed by independent sources.
Background
Since Russia’s full-scale invasion, satellite internet and commercial communications gear have increasingly factored into battlefield operations, used for drone guidance, reconnaissance data links and unit coordination. In early February 2026 SpaceX imposed a geofence restricting Starlink connectivity in Ukraine so that only terminals registered with the Ukrainian government could access service, after reporting that some terminals were being resold or used by Russian forces. That restriction created demand among frontline Russian personnel seeking ways to restore satellite connectivity for targeting or communications, and reports surfaced that troops were paying civilians to register terminals on their behalf.
Open-source intelligence (OSINT) groups and Ukrainian cyber units have stepped into information and influence operations throughout the conflict, sometimes blending public reporting with active deception. InformNapalm and a group calling itself MILITANT have been active in exposing or disrupting Russian information channels; the 256th Cyber Assault Division is one of Kyiv’s formations that publicly documents cyber and electronic operations. The blurred line between journalism, OSINT reporting and active operations has become a persistent issue—raising questions about verification and operational security on both sides.
Main event
The 256th Cyber Assault Division said it, together with InformNapalm and MILITANT, ran a set of Telegram bots and channels that offered Russians a way to whitelist their Starlink terminals so they could regain service. According to the division’s published screenshots and statements, the bots prompted users to submit terminal ID numbers, satellite dish identifiers, Starlink account numbers and latitude/longitude coordinates. The unit says it amassed 2,420 such entries and also received monetary payments totaling $5,870 from soldiers seeking the fake service.
InformNapalm, in a related post, described one of the channels, ‘russian_starlink,’ as gaining popularity and said its own public complaint about the channel was part of the plan to deepen Russian personnel’s engagement. MILITANT labeled the initiative “Operation Self-Liquidation” and suggested that some of the coordinate submissions were later targeted. The 256th said collected data were forwarded to Serhii Sternenko, a drone logistics advisor to Ukraine’s defense ministry; requests for comment sent to Sternenko’s foundation outside regular hours were not immediately answered.
The unit also said 31 Ukrainian volunteers reached out offering to help with registering terminals, highlighting how the geofence created a market for registration services. Business Insider reported the allegations on 2026-02-13 and noted it could not independently verify the screenshots the unit published. Russian authorities, according to other media reports, have downplayed the operational impact of the SpaceX restriction, while Kyiv officials highlight attempts by Russian troops to obtain the service as evidence of its tactical importance.
Analysis & implications
If the 256th’s account is accurate, the operation demonstrates how information operations and cyber deception can yield tactical intelligence in a kinetic conflict. Harvesting terminal identifiers and coordinates can directly reveal unit positions, supply routes or communication hubs, making the data immediately actionable for artillery, drone strikes or interdiction. The reported volume—2,420 entries—would create a sizable dataset for mapping troop locations if the entries are recent and correctly geolocated.
The reported $5,870 in payments is modest in absolute terms but significant for illustrating demand. Small sums can be enough to incentivize frontline troops or intermediaries to use third-party registration services, especially when official channels are blocked. The involvement of volunteers and civilians offering to register terminals for pay or other motives increases the risk of exposing sensitive information whether intentionally or not.
On a strategic level, the episode points to the limits of technical controls absent robust verification and enforcement. SpaceX’s geofence narrows access but does not eliminate schemes to circumvent it; adversaries may use social engineering, black-market intermediaries or compromised insiders. For Ukraine and partners, combining technical restrictions with public information campaigns, legal measures against illicit resales, and targeted cyber or physical actions against intermediaries may shrink the avenues for circumvention.
Comparison & data
| Metric | Reported figure |
|---|---|
| Starlink entries collected | 2,420 |
| Money collected from Russians | $5,870 |
| Ukrainians offering help | 31 |
| Reporting date | 2026-02-13 |
The table shows the specific figures the 256th published. Taken at face value, 2,420 entries could represent individual terminals, repeated submissions, or combinations of both; assessing whether entries map to unique, currently active terminals requires cross-checks against service logs and temporal metadata. The $5,870 figure indicates many transactions were low-value, consistent with micro-payments or bulk small transfers rather than large commercial purchases.
Reactions & quotes
Officials and OSINT actors framed the disclosure as both a tactical success and a warning about operational security. Below are representative statements and context.
“Understanding how desperately this mold would look for ways to restore Elon Musk’s dish network — and the threats this poses — we, together with InformNapalm and MILITANT, decided to ‘help’ them.”
256th Cyber Assault Division (statement)
The 256th used this phrasing to describe its intent to lure Russian personnel into revealing data. Its post also included screenshots that it said documented soldier interactions with the bots.
“That was already one of the stages of drawing Russian military personnel even deeper into the ‘honeypot.’”
InformNapalm (OSINT group)
InformNapalm described a public post that it said helped attract Russian users to the channels, positioning its complaint as a supporting element of the operation. MILITANT characterized the effort as “Operation Self-Liquidation,” implying a goal of inducing self-exposure.
Unconfirmed
- The authenticity and timestamp accuracy of the screenshots published by the 256th have not been independently verified.
- Claims that Ukrainian forces subsequently targeted coordinates provided by the operation (for example, with 155mm artillery) are reported by OSINT accounts but lack independent confirmation linking specific coordinates to specific strikes.
- The precise proportion of the 2,420 entries that correspond to unique, active, correctly geolocated terminals versus duplicates or test submissions is not clear from available public statements.
Bottom line
The episode illustrates how battlefield competition now includes deception and information operations that exploit commercial services. If verified, the 256th’s account shows a pragmatic exploitation of demand created by SpaceX’s geofence: soldiers seeking connectivity may inadvertently reveal sensitive data when they engage with untrusted third parties. The numbers cited—2,420 entries and nearly $6,000 in payments—underscore scale and motive rather than high monetary value.
For defenders, the case highlights the need to combine technical controls with public outreach and enforcement to reduce the likelihood that adversaries will trade away operational security for connectivity. For analysts and journalists, it reinforces the importance of rigorous verification of screenshots, metadata and follow-up evidence before attributing operational effects to any single operation.
Sources
- Business Insider — news report summarizing the 256th’s statement and screenshots (media)
- InformNapalm — Ukrainian-European OSINT group referenced in the operation (OSINT)
- SpaceX — company providing Starlink; geofencing actions and service policy are relevant background (official)