politico.eu – POLITICO
March 25, 2026 1:48 am CET
By Zoya Sheftalovich
“Our internal reviews have found no evidence that any devices, networks or systems have been compromised,” POLITICO says in email to staff.
BRUSSELS ― POLITICO launched a security review after a private telephone conversation between one of its reporters and an EU official about issues connected to Hungary and Ukraine was apparently intercepted and the recording published online.
The nine-minute audio clip, from a call that took place on March 3, was uploaded to YouTube on March 16. It has been listened to 5,100 times, according to YouTube data.
“Our internal reviews have found no evidence that any devices, networks or systems have been compromised,” Kate Day, POLITICO’s senior executive editor in Europe, and Carrie Budoff Brown, POLITICO’s executive editor and executive vice president, said in an email to employees on Wednesday.
“We will not be intimidated by an apparent attempt to interfere with independent reporting — nor deterred from the important work we do,” they wrote. “We have always been and will remain vigilant in protecting our sources, supporting the work of our journalists, and maintaining the accuracy of our independent, nonpartisan reporting.”
The issue comes at a time when leaks of confidential EU information are in the spotlight ahead of the Hungarian general election on April 12. In a report on Saturday, the Washington Post said that Viktor Orbán’s government maintained close contacts with Moscow throughout the war in Ukraine, and Hungarian Foreign Minister Péter Szijjártó used breaks during meetings with other member countries to update his Russian counterpart.
A spokesperson for the EU institution where the official works declined to comment on “tapes produced by unknown and anonymous actors.” POLITICO is not identifying the EU official because the call wasn’t on the record.
POLITICO has not been able to determine how the recording may have been obtained and who was responsible for posting it to YouTube.
‘Chilling message’
Several Slovak and Hungarian news websites wrote articles about the recording and published partial transcripts.
“Hacking and the disclosure of journalists’ materials strike at the heart of press freedom and the protections we must be able to rely on as reporters,” said Dafydd ab Iago, president of the International Press Association in Brussels. “This is illegal under Belgian law, and it sends a chilling message not only to journalists in Brussels but also to our sources here … The harder question is how to pursue those state actors, whether operating from within the EU or from a third country like Russia.”
On Monday, the Orbán-aligned Hungarian newspaper Mandiner — one of the first outlets that wrote about the conversation — published a separate exchange between independent Hungarian journalist Szabolcs Panyi and a contact. The material was received via a “mysterious email” from an individual identifying himself as “the fourth branch of power,” according to the article’s author.
“We have important stories to tell and work to do and remain focused on maintaining the rigor, independence and purpose that our audience expects from us,” Day and Budoff Brown said in their email.
In the summer of 2005, Tan Dailin was a 20-year-old grad student at Sichuan University of Science and Engineering when he came to the attention of the People’s Liberation Army of China.
Tan was part of a burgeoning hacker community known as the Honkers—teens and twentysomethings in late-’90s and early-’00s China who formed groups like the Green Army and Evil Octal and launched patriotic cyberattacks against Western targets they deemed disrespectful to China. The attacks were low-sophistication—mostly website defacements and denial-of-service operations targeting entities in the US, Taiwan, and Japan—but the Honkers advanced their skills over time, and Tan documented his escapades in blog posts. After publishing about hacking targets in Japan, the PLA came calling.
The subsequent timeline of events is unclear, but Tan, who went by the hacker handles Wicked Rose and Withered Rose, then launched his own hacking group—the Network Crack Program Hacker (NCPH). The group quickly gained notoriety for winning hacking contests and developing hacking tools. They created the GinWui rootkit, one of China’s first homegrown remote-access backdoors and then, experts believe, used it and dozens of zero-day exploits they wrote in a series of “unprecedented” hacks against US companies and government entities over the spring and summer of 2006. They did this on behalf of the PLA, according to Adam Kozy, who tracked Tan and other Chinese hackers for years as a former FBI analyst who now heads the SinaCyber consulting firm, focused on China.
Tan revealed online at the time that he and his team were being paid about $250 a month for their hacking, though he didn’t say who paid or what they hacked. The pay increased to $1,000 a month after their summer hacking spree, according to a 2007 report by former threat intelligence firm VeriSign iDefense.
At some point, Tan switched teams and began contracting for the Ministry of State Security (MSS), China’s civilian intelligence agency, as part of its notorious hacking group known as APT 41. And in 2020, when Tan was 36, the US Justice Department announced indictments against him and other alleged APT 41 members for hacking more than 100 targets, including US government systems, health care organizations, and telecoms.
Tan’s path to APT 41 isn’t unique. He’s just one of many former Honkers who began their careers as self-directed patriotic hackers before being absorbed by the state into its massive spying apparatus.
Not a lot has been written about the Honkers and their critical role in China’s APT operations, outside of congressional testimony Kozy gave in 2022. But a new report, published this month by Eugenio Benincasa, senior cyberdefense researcher at the Center for Security Studies at ETH Zürich university in Switzerland, expands on Kozy’s work to track the Honkers’ early days and how this group of skilled youths became some of China’s most prolific cyberspies.
“This is not just about [Honkers] creating a hacker culture that was implicitly aligned with national security goals,” Benincasa says, “but also the personal relations they created [that] we still see reflected in the APTs today.”
Early Days
The Honker community largely began when China joined the internet in 1994, and a network connecting universities and research centers across the country for knowledge-sharing put Chinese students online before the rest of the country. Like US hackers, the Honkers were self-taught tech enthusiasts who flocked to electronic bulletin boards (dial-up forums) to share programming and computer hacking tips. They soon formed groups like Xfocus, China Eagle Union, and The Honker Union of China and came to be known as Red Hackers or Honkers, a name derived from the Mandarin word “hong,” for red, and “heike,” for dark visitor—the Chinese term for hacker.
An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.
Stealth Falcon (aka 'FruityArmor') is an advanced persistent threat (APT) group known for conducting cyberespionage attacks against Middle East organizations.
The flaw, tracked under CVE-2025-33053, is a remote code execution (RCE) vulnerability that arises from the improper handling of the working directory by certain legitimate system executables.
Specifically, when a .url file sets its WorkingDirectory to a remote WebDAV path, a built-in Windows tool can be tricked into executing a malicious executable from that remote location instead of the legitimate one.
This allows attackers to force devices to execute arbitrary code remotely from WebDAV servers under their control without dropping malicious files locally, making their operations stealthy and evasive.
The vulnerability was discovered by Check Point Research, with Microsoft fixing the flaw in the latest Patch Tuesday update, released yesterday.
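A defender-side check that follows from the mechanism described above, as an added example that is not from this article or from Check Point's research: a small parser for Internet Shortcut (.url) files that flags any WorkingDirectory pointing at a remote UNC or HTTP(S) location, and notes the WebDAV-specific markers a hunt query would key on. The file names, hosts and paths in the sample are constructed; the `@SSL`/`@port` UNC suffix and the `DavWWWRoot` path component are the Windows WebDAV redirector's own conventions and are used only as indicators.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample .url bodies (INI-style "InternetShortcut" format).
# Hosts use documentation ranges / .test names; none are real.
SAMPLE_URL_FILES = {
    "quarterly_report.url": (
        "[InternetShortcut]\r\n"
        "URL=https://intranet.example.test/reports\r\n"
        "IconIndex=0\r\n"
    ),
    "localtool.url": (
        "[InternetShortcut]\r\n"
        "URL=file:///C:/Tools/viewer.exe\r\n"
        "WorkingDirectory=C:\\Tools\r\n"
    ),
    "invoice.url": (
        "[InternetShortcut]\r\n"
        "URL=https://example.test/invoice\r\n"
        "WorkingDirectory=\\\\203.0.113.10@80\\DavWWWRoot\\share\r\n"
        "IconIndex=1\r\n"
    ),
    "mirror.url": (
        "[InternetShortcut]\r\n"
        "URL=https://example.test/\r\n"
        "WorkingDirectory=https://files.example.test/dav/\r\n"
    ),
}

# UNC form: \\host\... or //host/...; host is everything up to the next separator.
UNC_RE = re.compile(r"^(\\\\|//)([^\\/]+)")
# URL form: scheme://host/...
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.IGNORECASE)
REMOTE_SCHEMES = {"http", "https", "webdav", "webdavs"}
# Substrings characteristic of the Windows WebDAV redirector path syntax.
WEBDAV_HINTS = ("@ssl", "davwwwroot")


@dataclass
class Finding:
    filename: str
    working_directory: str
    remote_host: str
    webdav_indicators: list[str] = field(default_factory=list)


def parse_url_file(text: str) -> dict[str, str]:
    """Parse the INI-style body of a .url file into a lowercase-keyed dict.

    Only keys under [InternetShortcut] are kept; key names are case-insensitive
    on Windows, so they are normalised here. Values are left untouched.
    """
    fields: dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "internetshortcut" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def classify_working_directory(value: str) -> tuple[Optional[str], list[str]]:
    """Return (remote host or None, WebDAV indicators) for a WorkingDirectory value.

    A local path (drive letter, relative path) yields (None, []). A UNC path or
    an http(s)/webdav URL yields the host, plus any redirector-specific markers.
    """
    lowered = value.lower()
    host: Optional[str] = None
    m = UNC_RE.match(value)
    if m:
        host = m.group(2)
    else:
        m = SCHEME_RE.match(value)
        if m and m.group(1).lower() in REMOTE_SCHEMES:
            host = value[m.end():].split("/", 1)[0]
    indicators = [h for h in WEBDAV_HINTS if h in lowered]
    # "host@80" / "host@SSL" is the UNC spelling the WebDAV redirector accepts.
    if host and "@" in host:
        indicators.append("port-or-ssl-suffix")
    return host, indicators


def scan_url_files(files: dict[str, str]) -> list[Finding]:
    """Flag every .url whose WorkingDirectory resolves to a remote location."""
    findings: list[Finding] = []
    for name, body in files.items():
        wd = parse_url_file(body).get("workingdirectory")
        if not wd:
            continue
        host, indicators = classify_working_directory(wd)
        if host is not None:
            findings.append(Finding(name, wd, host, indicators))
    return findings


if __name__ == "__main__":
    for f in scan_url_files(SAMPLE_URL_FILES):
        print(f"{f.filename}: remote WorkingDirectory -> {f.remote_host} "
              f"indicators={f.webdav_indicators}")
```

The scan is deliberately broad: any remote WorkingDirectory in a shortcut delivered from outside the organisation is worth a look, and the WebDAV-specific indicators only rank the hit. Applied to mail-attachment quarantine or a file-share sweep, the same parser can be pointed at real .url bodies read from disk.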
Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.
Massive ‘Typhoon’ cyberattacks on U.S. infrastructure and telecoms sought to lay groundwork for potential conflict with Beijing, as intruders gathered data and got in position to impede response and sow chaos
Defendants Operated as Part of the APT31 Hacking Group in Support of China’s Ministry of State Security’s Transnational Repression, Economic Espionage and Foreign Intelligence Objectives