
Dancing with Cyfluence – Travolta, Telegram & the Moldovan Leak 

  • Writer: CRC
  • Oct 12

Updated: 4 days ago



In this week’s follow-up, we return to Moldova, where the recent parliamentary elections once again underscored the country’s vulnerability in its political information space.  As noted in our previous coverage on influence attempts surrounding the Moldovan vote (more information can be found [here]), competing narratives and external actors shaped much of the pre-election atmosphere.

 

Against this backdrop, a remarkable incident occurred — one that appears, with high probability, linked to a suspected Russian influence campaign: a likely cyfluence-counteroperation targeting the pro-Russian network of oligarch Ilan Shor and its affiliated organization, the Victorie Bloc. On 3 September, internal data from these structures appeared online, triggering a chain reaction that severely disrupted Shor’s political machinery and exposed the operational mechanics behind what is assessed to have been a foreign-directed influence apparatus. The leak represented one of the clearest intersections of cyber intrusion and influence strategy observed during this election cycle.[i]


Who is Ilan Shor? 

Ilan Shor, a Moldovan businessman and politician, fled to Russia several years ago after facing extensive corruption charges.  From exile, he remained politically active and established the Victorie Bloc in Moscow, a distinctly pro-Russian political platform aimed at regaining influence in Moldova through affiliated candidates. Shor is widely regarded as a symbolic figure of Moldova’s pro-Russian current: financially well-connected, politically ambitious, and closely tied to Kremlin-linked networks. 


The Data Leak 

On 3 September, reports surfaced that data from two Shor-affiliated companies, A7 and Anykey LLC, had been published.[ii]



Proton Drive interface shows folders with Russian text "Вас взломали" meaning "You've been hacked", indicating a breach.

 

Figure 1 – Screenshot of the Folders of the Leaked Data 


The files first appeared on the encrypted cloud service ProtonDrive[iii] and were later disseminated via Telegram channels. They contained internal communications, confidential financial records, and expenditure summaries for campaign activities. Particularly notable were chat logs in which Shor, using the codename “Travolta,” commented on operational issues.


The materials also included lists of names, phone numbers, and addresses of individuals allegedly paid to organize protests or promote pro-Russian messaging. The documents revealed that the Victorie Bloc functioned not merely as a political organization, but as a structured, financed[iv], and centrally coordinated influence network.


Spreadsheet table titled "Проект 2-ТQ" showing financial data with columns for bank account numbers, names, dates, and amounts.

Figure 2 – Leaked data: paid individuals, including names, tasks, and monthly payments[v]

 

Indicators of a Cyfluence Counteroperation 

The following phase-based analysis outlines the structure and sequencing of the operation to illustrate how cyber-technical and influence-oriented components were combined. Breaking the event into three phases (intrusion, exposure, and amplification) allows for a clear understanding of how technical compromise evolved into a coordinated perception operation. We use this analytical framework to identify hybrid operations that merge cyber capabilities with psychological and narrative objectives.

The incident occurred only days before Moldova’s parliamentary elections and displays key indicators of a coordinated cyber and information activity. Data from entities linked to Ilan Shor and the Victorie Bloc were exfiltrated, publicly released, and then used to directly engage individuals named in the dataset. The timing and sequencing suggest the operation’s intent was not financial gain or espionage, but the disruption and delegitimization of a Russian-backed influence network.

 

Cyber Intrusion and Data Exfiltration 

The first phase likely involved unauthorized access to internal systems of the Shor-affiliated companies A7 and Anykey LLC. Significant volumes of data, including financial ledgers, payment records, and personally identifiable information, were exfiltrated and uploaded to ProtonDrive, an encrypted cloud-sharing platform. The material was subsequently distributed via Telegram channels and closed online groups, ensuring rapid dissemination while maintaining anonymity and non-attribution for the perpetrators. This stage established the technical foundation for the influence component that followed. 

 

Exposure and Doxxing Component 

In the second phase, the attackers deliberately released personal information, names, contact details, and payment histories of individuals associated with the Victorie Bloc. This elevated the incident from a typical hack-and-leak to a hybrid operation with doxxing characteristics. Immediately after publication, numerous individuals listed in the leak received direct messages stating: “The Victory Bloc is broken. You will no longer be paid. Your data is public. Russia has betrayed you.”[vi]


The messages were designed to have a psychological impact. They combined exposure and intimidation to pressure individual supporters of the Victorie Bloc, undermine their trust in the organization’s leadership, and weaken the internal cohesion between coordinators, financiers, and field operatives. This targeted approach effectively amplified the disruptive impact of the data release. 

 

Narrative Amplification and Public Signaling 

The third phase focused on narrative shaping and institutional signaling. The leaked documents appeared to show direct financial and organizational connections to Russian actors, framing the Victorie Bloc as a foreign-directed influence structure. Media outlets and social channels picked up these narratives, turning a data breach into a strategic reputational and operational collapse. Authorities, including the Central Electoral Commission and CERT-GOV-MD, Moldova’s national cybersecurity agency, launched preliminary reviews to verify the authenticity of the materials and assess potential election interference. This official response further amplified the visibility and perceived legitimacy of the operation’s outcomes. 

 

Analytical Assessment 

The coordination of cyber intrusion, targeted disclosure, and psychological messaging aligns with the structure of a Cyfluence Counteroperation, an integrated activity designed to weaken or neutralize a hostile influence campaign through synchronized cyber and perception mechanisms. In this case, the campaign can be assessed with high confidence as successful, given the rapid breakdown of internal communications, loss of financial control, and subsequent reputational collapse of the targeted network. Together, these components placed significant pressure on participants, disrupted internal communication processes, and eroded the organization’s stability. Moreover, the operation publicly reframed the Victorie Bloc as a foreign-directed entity, sharply reducing its domestic legitimacy and public support, a decisive influence effect extending beyond the technical breach itself.  

 

Attribution and Context 

Attribution remains undetermined. The operation could plausibly have been conducted by regional hacktivist collectives seeking to counter Russian interference, or by a state-affiliated actor executing a preemptive countermeasure. Regardless of origin, the case illustrates a mature application of Cyfluence methodology: the deliberate integration of cyber intrusion, information exposure, and psychological leverage to disrupt an active influence campaign in real time.

 

Outcome 

In the aftermath, communication within the Victorie Bloc collapsed, financial flows were interrupted, and several key figures publicly distanced themselves from the organization.  Public debate shifted away from the Bloc’s messaging and toward its exposure as a mechanism of Russian influence. The operation achieved dual objectives: operational neutralization and narrative delegitimization, significantly reducing the reach of a foreign-backed political campaign on the eve of the vote. 


[Footnotes:]


[i] WhereIsRussia Today, n.d. Collapsing from the inside: Ilan Shor’s network crumbles amid data leak. [online] Published 24 September 2025. Available at: https://whereisrussia.today/feed/politics/ilan_shors_network_crumbles_amid_data_leak

[ii] Moldova1, R. Lozinschi‑Hadei, 2025. Telegram leaks: Șor’s firms used to undermine Moldova’s democracy. [online] Published 3 September 2025. Available at: https://moldova1.md/p/56415/telegram-leaks-sor-s-firms-used-to-undermine-moldova-s-democracy 

[iii] Publicly accessible ProtonDrive link associated with the leak: https://drive.proton.me/urls/PAEYV2N61R#rxaNKy4NtPNL

[iv] Elliptic, 2025. The A7 leaks: The role of crypto in Russian sanctions evasion and election interference. [online] Published 26 September 2025. Available at: https://www.elliptic.co/blog/the-a7-leaks-the-role-of-crypto-in-russian-sanctions-evasion-and-election-interference#

[v] Source of the picture: WhereIsRussia Today, n.d. Collapsing from the inside: Ilan Shor’s network crumbles amid data leak. [online] Published 24 September 2025. Available at: https://whereisrussia.today/feed/politics/ilan_shors_network_crumbles_amid_data_leak

[vi] Moldova1, R. Lozinschi‑Hadei, 2025. Telegram leaks: Șor’s firms used to undermine Moldova’s democracy. [online] Published 3 September 2025. Available at: https://moldova1.md/p/56415/telegram-leaks-sor-s-firms-used-to-undermine-moldova-s-democracy

[vii] WhereIsRussia Today, n.d. Collapsing from the inside: Ilan Shor’s network crumbles amid data leak. [online] Published 24 September 2025. Available at: https://whereisrussia.today/feed/politics/ilan_shors_network_crumbles_amid_data_leak


 
 