Unmasking Unit 29155: The GRU’s Hybrid War Machine Targeting the West

For years, the name “Unit 29155” surfaced only in the margins of headlines—linked to the 2018 Novichok poisoning in Salisbury, mysterious arms depot explosions in Czechia, and an attempted coup in Montenegro. But as a new investigation by The Insider reveals, the remit of this clandestine division of Russia’s military intelligence agency, the GRU, extends far beyond physical sabotage. With meticulous detail, reporters Christo Grozev, Roman Dobrokhotov, and Michael Weiss uncover the unit’s integration of cyberwarfare, disinformation, and psychological operations—placing it at the heart of the Kremlin’s hybrid war against the West.

Unit 29155, housed within the GRU’s headquarters on Komsomolsky Prospekt in Moscow, was initially known for its kinetic operations across Europe. It was this unit that dispatched operatives to deploy Novichok nerve agent in the United Kingdom, and orchestrated sabotage missions in Bulgaria and the Czech Republic.

The Insider’s investigation confirms what intelligence agencies have long suspected: the same operatives responsible for these physical operations were also coordinating and executing disinformation campaigns and cyberattacks in parallel.

These campaigns were neither ad hoc nor improvised. They followed a recognizable doctrine of hybrid warfare — fusing traditional military techniques with cyber intrusion, financial laundering, and large-scale narrative manipulation.

As the report illustrates, the unit’s activities span from digital propaganda to deep-cover operations and asset recruitment.

Digital War Rooms: The Rise of the Stigals

One of the most striking revelations is the central role of a father-son duo: Timur Stigal (real name Danila Magomedov), a GRU officer, and his son, Amin Stigal, who played a technical and operational role in online disinformation campaigns. Amin’s activities included the creation of infrastructure for anonymous leak sites, many of which masqueraded as hacktivist fronts like “Anonymous Poland.”

Using these façades, the GRU disseminated falsified materials, including NATO documents and personal data of Ukrainian military families. A notable campaign from July 2016 saw operatives leak fabricated Polish military records via a Twitter account claiming to represent Polish hackers. The leaks included inflammatory language designed to stoke Ukrainian-Polish tensions, referencing historical massacres such as Volhynia.

The false-flag strategy was multi-layered: the GRU not only created these digital identities, but carefully timed and amplified their messaging across fringe media outlets and social platforms. These narratives were not intended to convince with credibility, but to sow doubt, confusion, and discord—hallmarks of post-Soviet information warfare.

Front Companies and Financial Camouflage

Underpinning these operations was a network of front companies established to fund and obscure GRU activities. Chief among them was Flint Group, a corporate entity with registered offices in Dubai, Cyprus, and Moscow. Flint facilitated payments to digital assets—hackers, propagandists, and logistical coordinators—often routed through cryptocurrency exchanges and offshore banking structures.

Alexey Stroganov, a former Russian banker, played a key role in managing Flint Group’s finances and maintaining the illusion of commercial legitimacy. As the report shows, Stroganov’s business connections were not simply incidental—they were integral to how the GRU enabled covert payments without attracting scrutiny.

Twitter as a Theatre of War

Perhaps most emblematic of Unit 29155’s strategic evolution is its calculated use of social media, particularly Twitter (now X), as a delivery mechanism for state-sponsored disinformation. The investigation details how GRU operatives used accounts like anonpl and anon_bg to release sensitive materials—either genuinely hacked or entirely fabricated—while posing as independent activist groups.

A campaign launched in early 2020 attempted to discredit Bellingcat, the open-source investigative outlet that had exposed GRU involvement in the Skripal poisoning and other operations.

False leaks were posted on Twitter accusing Bellingcat of targeting civilians and leaking sensitive data.

These were timed to coincide with new Bellingcat reporting, revealing the Kremlin’s fear of reputational damage in the information space.

In other instances, Twitter accounts were used to seed narratives about American-funded biological laboratories in Ukraine and Georgia. These conspiracy theories, first circulated by fringe journalists and blogs, were bolstered by GRU-linked social media posts and promoted by Russian state media.

Psychological Manipulation at Scale

The Insider’s investigation illustrates that Unit 29155’s aim was not limited to short-term sabotage. Rather, its campaigns reflect a strategy of long-term psychological warfare. By creating the appearance of organic leaks, independent whistleblowers, and grassroots dissent, the GRU engineered a self-sustaining ecosystem of doubt.

From the 2016 hack of Qatar National Bank—where leaked customer data was falsely attributed to Turkish nationalists—to the biolab conspiracies that gained traction during the pandemic, Unit 29155 deployed narrative saturation as a deliberate weapon. These operations were designed not simply to deceive, but to exhaust public attention, blur lines between truth and fiction, and erode the credibility of democratic institutions.

Global Reach, Domestic Fallout

While Unit 29155’s footprint is most visible in Europe and the post-Soviet sphere, its operations have also reached into the heart of the United States. As The Insider documents, the unit was part of the broader GRU apparatus responsible for interference in the 2016 U.S. presidential election. GRU officers used false identities, coordinated hacks on the Democratic National Committee, and timed the release of internal documents through outlets like WikiLeaks. Though these activities were primarily attributed to GRU Units 26165 and 74455, the current investigation reveals that 29155 provided support and logistical planning, making it a participant in one of the most consequential foreign interference campaigns in modern American history.

The tactics developed in Ukraine and Eastern Europe—false leaks, fake activist fronts, psychological manipulation—were repurposed and refined for the American context.

This underscores a key insight: the methods pioneered by Russia’s military intelligence are not geographically bound. They travel easily, finding application wherever democratic systems can be discredited or divided.

The Quiet Offensive

As governments across Europe and North America scramble to fortify their digital defenses and counter foreign influence, The Insider’s investigation is a timely warning. The architects of modern disinformation do not rely solely on bots or anonymous trolls. They are trained operatives, fluent in multiple languages, armed with forged passports, encrypted devices, and government backing. Unit 29155 is not an aberration—it is a model. A template for 21st-century statecraft built not on diplomacy, but on disruption.
