1. How File Metadata Works
FORENSIC ANALYSIS 821 FILES EXAMINED
When you save a file in Microsoft Office -- an Excel spreadsheet, a Word document -- Windows stamps it with metadata. One of those fields is "Company". It records the registered company name of the Windows installation on the computer that created the file.
If your organization bought legitimate Windows licenses and registered them to "Central Election Commission," every file created on those computers will carry that company name in the metadata. This is automatic. The user does not choose it. It is embedded by the operating system.
If, however, your computer runs a pirated copy of Windows -- one cracked and redistributed by a piracy group -- the company field will carry the piracy group's name instead. The piracy group is the one that "registered" the software during the cracking process. Their name becomes the digital fingerprint on every document the computer produces.
Think of the Company metadata field as a rubber stamp that Windows automatically presses onto every document. A legitimate installation stamps the organization's name. A pirated installation stamps the piracy group's name. The CEC's official election files carry the piracy group's stamp.
2. What We Found
CEC OFFICIAL FILES WAYBACK MACHINE ARCHIVED
OWL recovered 821 official election files from elections.am -- the official website of the Central Election Commission of the Republic of Armenia -- through the Wayback Machine. These are the CEC's own files: voter lists, election results, precinct data, procedural documents. We extracted and analyzed the metadata from every single file.
Here is what the Company metadata field contains across all 821 files:
| Company Field | Files | What It Is |
|---|---|---|
| CEC | 313 | Official Central Election Commission |
| SPecialiST RePack | 98 | Russian Windows piracy repackager |
| Grizli777 | 17 | Another pirated/unofficial Windows build |
| Compass | 9 | Unknown origin |
| Hewlett-Packard Company | 3 | HP scanner software |
| cec | 2 | Same as CEC, lowercase variant |
Three hundred and thirteen files were created on properly registered CEC computers. That is what the metadata should look like. But 98 files carry the company name "SPecialiST RePack", and 17 files carry "Grizli777".
Those are not department names. Those are not vendor names. Those are Russian-language piracy groups.
3. Who Are "SPecialiST RePack" and "Grizli777"?
PUBLICLY DOCUMENTED SECURITY RISK
SPecialiST RePack
SPecialiST RePack is a well-known Russian-language piracy operation that repackages Microsoft Windows and Microsoft Office with cracked activation. They have been active for years across Russian piracy forums and torrent sites. Their "repacks" are modified installations of Windows where the license activation has been bypassed -- the software functions without a legitimate license key.
When SPecialiST RePack cracks and repackages Windows or Office, they register it with their own name as the "Company." This name then gets embedded in the metadata of every file created on that installation. It is the digital equivalent of finding "downloaded from a piracy website" stamped on an official government document.
Search "SPecialiST RePack" on any search engine. The results are piracy forums, torrent listings, and malware warnings. This is not ambiguous.
Grizli777
Grizli777 is another pirated Windows build circulated on Russian-language piracy channels. The same principle applies: the cracked installation registers with this name, and it appears in the Company metadata of every file created on computers running it.
Between the two groups, 115 official CEC election files carry the fingerprints of pirated Russian software.
98 official election files from elections.am carry the metadata stamp of SPecialiST RePack, a documented Russian piracy group. 17 more carry the stamp of Grizli777, another pirated Russian build. Both names appear in the Company metadata field -- a field automatically set by the operating system, not by the user. The CEC's computers are running pirated Russian software.
4. The Software on CEC Computers
METADATA EXTRACTED
File metadata also records which application created each file. Here is what the CEC's computers are running:
| Software | Files | Note |
|---|---|---|
| Microsoft Excel 2010 | 56 | End of support: October 2020 |
| Microsoft Excel 2016 | 7 | End of mainstream support: October 2020 |
| Microsoft Word 2010 | 4 | End of support: October 2020 |
| Microsoft Word 2016 | 2 | End of mainstream support: October 2020 |
| Canon scanner software | 15 | Document scanning |
| HP Smart Document Scan 2.70 | 2 | Document scanning |
The majority of files were created in Microsoft Office 2010 -- a product that Microsoft stopped supporting with security updates in October 2020. On top of being pirated, the software is obsolete. Even if it were legitimate, it would receive no security patches.
But it is not legitimate. It is pirated. Which means it never received proper security updates -- not when it was current, and not now.
5. Why This Matters
NATIONAL SECURITY SYSTEMIC FAILURE
This is not a story about software licensing fees. The CEC could owe Microsoft money for years of unlicensed use, and that would be the least important part. The real issues are about what pirated software means for election security.
No Security Updates
Pirated Windows installations typically cannot receive official Microsoft security updates. Windows Update either refuses to install patches on unactivated copies, or the piracy group's cracked activation breaks when updates are applied. The result: the CEC's computers that process voter data have been running unpatched for years.
Every vulnerability discovered in Windows since 2010 -- every publicly disclosed exploit, every zero-day -- remains open on these machines. These are the computers that process voter lists, tabulate election results, and store the personal data of Armenian citizens.
Supply Chain Compromise
When a piracy group "repacks" Windows, they modify the installation. They remove the license check. They add their activation crack. They may add other things.
Pirated software repacks are a documented vector for malware distribution. Security researchers have repeatedly found backdoors, keyloggers, cryptocurrency miners, and remote access trojans bundled into pirated Windows and Office installations. When the CEC installed SPecialiST RePack's version of Windows, they installed whatever SPecialiST RePack put inside it. There is no way to know what that includes without a forensic audit of the machines themselves.
The CEC did not download Windows from Microsoft. They downloaded it from a Russian piracy group. Everything on those computers -- every voter list, every election result, every piece of personal data -- has been processed on software that an unknown third party modified before the CEC ever touched it.
The Russian Vector
Both SPecialiST RePack and Grizli777 are Russian-language operations. Their repacks are distributed through Russian piracy forums and torrent sites.
This matters because of who Armenia's documented threat actors are. Russian intelligence services -- FSB, GRU -- are not theoretical adversaries for Armenia. They are documented ones. In a country where Russian influence operations are an active concern, the institution responsible for administering elections is running its computers on software sourced from Russian piracy channels.
To be clear: there is no evidence that SPecialiST RePack or Grizli777 are connected to Russian intelligence. The point is narrower and more damning. The CEC chose to obtain its software from unverified Russian sources rather than from Microsoft. Whether those sources inserted anything malicious is unknown -- but the CEC made it possible by choosing pirated software over legitimate software.
Legal Hypocrisy
Armenia's Criminal Code (Article 158) criminalizes software piracy. The government has prosecuted individuals and businesses for using unlicensed software. Yet the government's own Central Election Commission -- the body that administers the democratic process -- runs on pirated software.
The institution that organizes elections cannot even organize a legitimate software license.
What Else Are They Cutting Corners On?
If the CEC uses pirated software to save on licensing costs, what other corners are they cutting? The answer, based on our other investigations, is: many.
- The same CEC published an official file showing 98% turnout on one sheet and 53% on the other -- a 2.2 million vote discrepancy.
- The same CEC's election files were overwhelmingly created by one person -- 591 out of 821 files -- with no separation of duties.
- The same CEC's voter data has been exposed through security failures.
Pirated software is not an isolated lapse. It is part of a pattern. An institution that does not invest in basic software licensing does not invest in data integrity, audit trails, access controls, or any of the other infrastructure that makes elections trustworthy.
Pirated software. Unpatched systems. No separation of duties. Contradictory data in official files. Exposed voter data. Each finding is damaging on its own. Together, they describe an election administration system that fails at every level of basic institutional hygiene.
6. Imagine Your Bank
Imagine finding out that your bank processes your financial data on a computer running software downloaded from a piracy website. Not bought from Microsoft. Not licensed through a vendor. Downloaded from a Russian torrent site, cracked by an anonymous group, and installed on the machine that handles your account numbers, your transactions, your personal information.
You would close your account immediately. You would file a complaint with the regulator. You would assume -- correctly -- that a bank willing to run pirated software is willing to cut corners everywhere else.
Now replace "your bank" with "the institution that administers your country's elections." Replace "your account" with "your vote." The CEC is that bank. Your vote is the account they manage. And they are running it on pirated Russian software.
7. International Standards
DEMOCRATIC NORMS
No serious democracy runs its elections on pirated software. This is not a high bar. It is the absolute minimum.
The OSCE/ODIHR (the Organization for Security and Co-operation in Europe's election observation arm) regularly assesses the technical infrastructure of member states' election systems. Their recommendations consistently emphasize the importance of secure, auditable, properly maintained IT infrastructure for electoral processes.
Running pirated software violates every one of these principles:
- Secure: Pirated software cannot receive security updates and may contain embedded malware.
- Auditable: A pirated installation has an unknown modification history. It cannot be verified against a known baseline.
- Properly maintained: An institution that uses pirated software has, by definition, opted out of the vendor's maintenance and support ecosystem.
If OSCE/ODIHR election observers knew that the CEC was processing election data on computers running SPecialiST RePack's cracked Windows, it would be in the opening paragraphs of their assessment report.
8. The Question for June 7, 2026
ONGOING RISK
Armenia's next parliamentary election is scheduled for June 7, 2026. It will be administered by the same Central Election Commission.
The metadata in the CEC's files tells us what their computers were running when those files were created. It does not tell us what they are running today. It is possible -- in theory -- that the CEC has since upgraded to legitimate, properly licensed, fully patched software.
But there has been no public announcement of such an upgrade. No audit results have been published. No transparency report has been issued about the CEC's IT infrastructure. The files we analyzed were the most recent files available from elections.am.
Has the Central Election Commission upgraded to legitimate, licensed, properly patched software ahead of the June 7, 2026 election? If so, when? Has an independent IT audit been conducted? Have the machines that carried the SPecialiST RePack and Grizli777 fingerprints been forensically examined for malware?
If the answer to any of these questions is "no" -- then Armenia's next election will be administered on the same pirated Russian software documented in this investigation.
9. Methodology
REPRODUCIBLE
This investigation is based entirely on publicly available data. Every step can be reproduced independently.
- File recovery: 821 files were recovered from elections.am through the Wayback Machine (web.archive.org). These are unaltered copies of files that were publicly hosted on the CEC's official website.
- Metadata extraction: The Company metadata field was extracted from each file using standard document analysis tools. This field is set automatically by the Windows operating system and cannot be easily altered by end users.
- Identification: The Company values "SPecialiST RePack" and "Grizli777" were identified as piracy groups through public documentation -- they are widely discussed on security forums, piracy databases, and malware analysis sites.
No files were modified. No systems were accessed. No hacking was involved. The CEC published these files with piracy group names embedded in their metadata. We read them.