The reported findings on FancyBear, a Russian Advanced Persistent Threat (APT), detail a significant operational security lapse in a campaign known as Operation Roundish. This analysis stemmed from an open directory exposed in January 2026, revealing extensive data including over 2,800 emails and 240 sets of stolen credentials. The exfiltration methods used by FancyBear included creating forwarding rules in victims’ email accounts, enabling silent capture and redirection of emails to attacker-controlled mailboxes.