Open source software used by hobbyist drones powered an attack that wiped out a third of Russia’s strategic long range bombers on Sunday afternoon, in one of the most daring and technically coordinated attacks in the war.
In broad daylight on Sunday, explosions rocked air bases in Belaya, Olenya, and Ivanovo in Russia, which are hundreds of miles from Ukraine. The Security Services of Ukraine’s (SBU) Operation Spider Web was a coordinated assault on Russian targets it claimed was more than a year in the making, which was carried out using a nearly 20-year-old piece of open source drone autopilot software called ArduPilot.
ArduPilot’s original creators were in awe of the attack. “That's ArduPilot, launched from my basement 18 years ago. Crazy,” Chris Anderson said in a comment on LinkedIn below footage of the attack.
On X, he tagged his the co-creators Jordi Muñoz and Jason Short in a post about the attack. “Not in a million years would I have predicted this outcome. I just wanted to make flying robots,” Short said in a reply to Anderson. “Ardupilot powered drones just took out half the Russian strategic bomber fleet.”
ArduPilot is an open source software system that takes its name from the Arduino hardware systems it was originally designed to work with. It began in 2007 when Anderson launched the website DIYdrones.com and cobbled together a UAV autopilot system out of a Lego Mindstorms set (Anderson is also the former editor-in-chief of WIRED.)
DIYdrones became a gathering place for UAV enthusiasts and two years after Anderson’s Lego UAV took flight, a drone pilot named Jordi Muñoz won an autonomous vehicle competition with a small helicopter that flew on autopilot. Muñoz and Anderson founded 3DR, an early consumer drone company, and released the earliest versions of the ArduPilot software in 2009.
ArduPilot evolved over the next decade, being refined by Muñoz, Anderson, Jaron Short, and a world of hobbyist and professional drone pilots. Like many pieces of open-source software, it is free to use and can be modified for all sorts of purposes. In this case, the software assisted in one of the most complex series of small drone strikes in the history of the world.
“ArduPilot is a trusted, versatile, and open source autopilot system supporting many vehicle types: multi-copters, traditional helicopters, fixed wing aircraft, boats, submarines, rovers and more,” the project’s website reads. “The source code is developed by a large community of professionals and enthusiasts. New developers are always welcome!” The project’s website notes that “ArduPilot enables the creation and use of trusted, autonomous, unmanned vehicle systems for the peaceful benefit of all” and that some of its use cases are “search and rescue, submersible ROV, 3D mapping, first person view [flying], and autonomous mowers and tractors.” It does not highlight that it has been repurposed by Ukraine for war. Website analytics from 2023 showed that the project was very popular in both Ukraine and Russia, however.
The software can connect to a DIY drone, pull up a map of the area they’re in that’s connected to GPS, and tell the drone to take off, fly around, and land. A drone pilot can use ArduFlight to create a series of waypoints that a drone will fly along, charting its path as best it can. But even when it is not flying on autopilot (which requires GPS; Russia jams GPS and runs its own proprietary system called GLONASS), it has assistive features that are useful.
ArduPilot can handle tasks like stabilizing a drone in the air while the pilot focuses on moving to their next objective. Pilots can switch them into loitering mode, for example, if they need to step away or perform another task, and it has failsafe modes that keep a drone aloft if signal is lost.
Wow. Ardupilot powered drones just took out half the Russian strategic bomber fleet. https://t.co/5juA1UXrv4
— Jason Short (@jason4short) June 1, 2025
According to Ukrainian president Volodymyr Zelensky, the preparation for the attack took a year and a half. He also claimed that the Ukraine’s office for the operation in Russia was across the street from a Russian intelligence headquarters.
“In total, 117 drones were used in the operation--with a corresponding number of drone operators involved,” he said in a post about the attack. “34 percent of the strategic cruise missile carriers stationed at air bases were hit. Our personnel operated across multiple Russian regions – in three different time zones. And the people who assisted us were withdrawn from Russian territory before the operation, they are now safe.”
SBU was quick to claim responsibility for the attack and then explain how it accomplished it. It snuck sheds and trucks filled with quadcopters loaded down with explosives into the country in trucks and shipping containers over the past 18 months. The sheds had false roofs lined with quadcopters. When signalled, the trucks and roofs opened and the drones took flight. Multiple video clips shared across the internet showed that the flights were conducted using ArduPilot.
Ukraine’s raid on Russia may seem like a hinge point in the history of modern war: a moment when the small quadcopter drone proved its worth. The truth is Operation Spider Web conducted by a military that’s been using DIY and consumer-level drones to fight Russia for a decade. Both sides have proved capable of destroying expensive weapons systems with simple drones. Now Ukraine has proved it can use all that knowledge as part of a logistically complicated attack on Russia’s strategic military assets deep within its homeland.
ArduPilots’s current devs didn’t respond to 404 Media’s request for comment, but one of them talked about the attack on /r/ArduPilot. “ArduPilot project is aware of those usage not the first time, probably not the last,” the developer said. “We won't discuss or debate our stance, we [focus] on giving you the best tools to move your [vehicles] safely. That is our mission. The rest is for UN or any organisms that can deal with ethical questions.”
The developer also linked to ArduPilot’s code of conduct. The code of conduct contains a pledge from developers that states they will try to “not knowingly support or facilitate the weaponization of systems using ArduPilot.” But ArduPilot isn’t a product for sale and the code of conduct isn’t an end user license agreement. It’s open source software and anyone can download it, tweak it, and use it however they wish, and Ukraine’s drone pilots seem to have found it to be very useful.
For a few years, massive industrial hexacopter and quadcopter drones the Russians call Baba Yaga have terrorized their soldiers and armor. The Russians have downed a few of these drones and discovered they run off a Starlink terminal attached to the top. In a Baba Yaga seizure reported in February on Russian Telegram channels, soldiers said they found traces of ArduPilot in the drone’s hardware.
The drones used in Sunday’s attack didn’t run on Starlinks and were much smaller than the Baba Yaga. Early analysis from Russian military bloggers on Telegram indicates that the drones communicated back to their Ukrainian handlers via Russian mobile networks using a simple modem that’s connected to a Raspberry Pi-style board.
This method hints at another reason Ukraine might be using ArduPilot for this kind of operation: latency. A basic PC on a quadcopter in Russia that’s sending a signal back and forth to an operator in Ukraine isn’t going to have a low ping. Latency will be an issue and ArduPilot can handle basic loitering and stabilization as the pilot’s signal moves across vast distances on a spotty network.
The use of free, open source software to pull off a military mission like this also highlights the asymmetric nature of the Russia-Ukraine war. Cheap quadcopters and DIY drones running completely free software are regularly destroying tanks and bombers that cost millions of dollars and can’t be easily replaced.
Ukraine’s success with drones has rejuvenated the market for smaller drones in the United States. The American company AeroVironment produces the Switchblade 300 and 600. Switchblades are a kind of loitering munition that can accomplish the mission of a quadcopter, but at tens of thousands dollars more per drone than what Ukraine paid for Operation Spider Web.
Palmer Luckey’s Anduril is also selling quadcopter drones that run on autopilot. He’s even got a quadcopter, called the Anvil, that runs on proprietary software packages. While we don’t know the per unit cost of the system, it did sell the U.S. Marines a $200 million system that includes the Anvil and its suite of software in 2024.
In modern war, the battlefield belongs to those who can innovate while keeping costs down. “I think the single biggest innovation in drone-use warfare is the scale allowed by cheap drones with good-enough software,” Kelsey Atherton, a drone expert and the chief editor at Center for International Policy told 404 Media.
Atherton said that cheap drones and open source software offer resilience through redundancy. The cheaper something is, the less it hurts if it's lost or destroyed. “Open source code is likely both cheaper and more reliable, as bugs can be found and fixed in development and deployment,” he said. “At a minimum if a contractor sells a bespoke system you're stuck relying on them for verification of code or doing it in-house; if you're working open-source and the contractor balks at verifying code, you can bring someone else in to do it and it's not then a legal battle over proprietary code.”
He pointed to Luckey’s plans as a great way to make money. “Luckey is designing a profit system sold as an effective weapon that would lock Anduril into the closed defense ecosystem the way legacy players sell bespoke products.”
Atherton also stressed that Ukraine's success using ArduPilot and cheap drones is something that no fancy future weapons system could have defended against. Ukraine succeeded because it was able to place its weapons close to the enemy without the enemy realizing it. Those air bases had kept the same bombers in a line on the tarmac in the open for 30 years. Everyone knew where they were.
“The biggest fix would have been hangers with doors that close,” Atherton said. “It's an intelligence failure and a parking failure.”
Anderson, Short, and Muñoz did not respond to 404 Media’s request for comment.
