Ukrainian forces say they pulled off a rare kind of battlefield ambush, one that unfolded not in a trench or a tree line but in encrypted chats and satellite internet dashboards. According to Ukrainian accounts, Russian troops desperate to keep their Starlink terminals online paid for a fake service that instead pinpointed their exact positions for Ukrainian artillery and drones. The operation underscores how a war already defined by drones and satellites is increasingly shaped by code, social engineering, and the willingness of soldiers to trust the wrong screen.
At the center of the story is a Ukrainian hacktivist unit that turned Russian reliance on Starlink connectivity into a liability, using bogus support channels to harvest geolocation data and, they say, feed it straight to the military. The sting played out against a backdrop of SpaceX moves to cut off unauthorized Russian access and mounting Russian complaints about failing communications on the front. Together, these accounts offer a glimpse of how digital deception can translate into very physical consequences.
How a fake Starlink “support desk” hooked Russian units
According to Ukrainian accounts, the scheme began with a simple insight: Russian units using Starlink in occupied areas would eventually run into connectivity problems and look for help. A Ukrainian hacktivist group known as the 256 Cyber Assault Division says it set up Telegram channels and other contact points that looked like unofficial technical support for Russian Starlink users, then waited for soldiers to reach out. In their telling, Russian troops who believed they were talking to friendly technicians were actually feeding data to Ukrainian cyber operators who could see where each terminal sat on the map.
The 256 Cyber Assault Division says the sting produced a large trove of information about Russian terminals, with the group claiming it collected thousands of records through the operation. One Facebook post attributed to the group describes how the hackers posed as helpful intermediaries and then logged every detail Russian soldiers shared about their hardware and locations, a description that aligns with Ukrainian reports that a hacktivist unit gathered extensive Starlink user data. Ukrainian reporting frames this as a deliberate attempt to turn Russian dependence on commercial satellite links into an intelligence feed.
Money, metadata, and 2,420 exposed terminals
Ukrainian sources say the trap did not just rely on curiosity or carelessness; it also took advantage of Russian troops’ willingness to pay for what they thought was a lifeline. Hackers associated with the operation claim Russian soldiers transferred funds to reactivate or extend Starlink access, treating the fake service as a gray market workaround to keep their terminals online. In reality, those payments went to Ukrainian operatives, while every registration form and troubleshooting message quietly captured coordinates and unit details that could be passed to the military.
One detailed account of the operation describes how the hackers used the sign-up process itself to extract precise locations. According to that version, the group harvested exactly 2,420 data entries that revealed Russian Starlink terminal positions and information about the soldiers operating them. Ukrainian descriptions say this data was shared with the country’s security services and armed forces, turning what looked to the Russians like a routine tech fix into a targeting database. A detailed write-up of the operation frames it as a textbook example of how a fake Starlink registration flow can become a location-harvesting tool.
From chat logs to artillery targets
Ukrainian accounts say the cyber sting did not remain a purely virtual victory. Once the 256 Cyber Assault Division had mapped Russian Starlink terminals, Ukrainian forces treated them as indicators of command posts, drone operators, and logistics hubs that depended on satellite links. Military reports describe how this information fed into targeting cycles, with artillery and drones striking coordinates associated with Russian Starlink activity. In some cases, Ukrainian units reportedly waited to see patterns of usage before launching attacks, looking for signs that a terminal belonged to a high-value node rather than a small ad hoc team.
One Ukrainian analysis of the operation describes it as a blend of social engineering and kinetic follow-through, where fake support channels led directly to destroyed equipment and casualties on the ground. A long-form account of the strategy presents it as part of a broader shift in modern conflict, where digital deception can reshape the battlefield by quietly steering firepower toward the most connected positions. That narrative portrays the Starlink sting as a clear example of how intelligence by deception can become a battlefield trap, rather than just an embarrassing hack.
Inside the 256 Cyber Assault Division’s playbook
The 256 Cyber Assault Division presents itself as a Ukrainian hacktivist formation that works alongside, but not entirely inside, the state. In public posts, the group has described how it built convincing personas that looked like Russian-friendly intermediaries capable of “fixing” Russian Starlink problems even when official channels were blocked. That required not only technical skill but also a close reading of Russian military slang, unit structures, and fears about being cut off from higher command, all of which helped the impostor channels feel authentic to frontline users.
Images and statements attributed to the group show a methodical process in which operators logged every Russian inquiry, cross-referenced terminal IDs, and compiled profiles for each contact. One account shared by Ukrainian supporters says the data went directly to Ukrainian authorities once it was cleaned and verified, and that every identified terminal was eventually disabled or targeted. A post on a pro-Ukrainian page describes how hackers set up fake channels offering to reactivate Russian Starlink terminals, then funneled the resulting data to security services. An Instagram post that echoes this story claims the same hackers created bogus channels that Russian soldiers paid for, with all registration details routed to Ukrainian authorities.
SpaceX clamps down as Russia scrambles for connectivity
The sting unfolded as SpaceX was moving to choke off unauthorized Russian access to Starlink in occupied parts of Ukraine. Ukrainian officials have said that Starlink internet terminals used by Russian units were deactivated on the battlefield, cutting into Russian ability to control drones and maintain secure communications. Video reports circulating in early February describe Ukrainian claims that Starlink used by was shut down, leaving Russian formations scrambling for alternatives.
SpaceX has publicly said it is working to counter unauthorized Russian Starlink use, stressing that it has not sold terminals to Russia and is taking steps to block illicit connections. Company statements referenced by Ukrainian media portray this as a continuing effort to tighten access controls and close loopholes that allowed Russian units to get online. One detailed report on the corporate response describes how SpaceX has tried to disrupt Russian attempts to connect by disabling suspect terminals and updating network rules, moves that align with Ukrainian claims that the company has acted to counter Russia’s unauthorized use.
