Hungarian media conglomerate Mediaworks has confirmed a major ransomware incident after the World Leaks extortion group dumped roughly 8.5 terabytes of allegedly stolen data on its dark web leak site. The breach exposes payroll records, contracts, financial statements, and internal editorial communications from a publisher widely considered the backbone of Hungary's pro-Orbán media ecosystem.
What Happened
World Leaks claimed responsibility for the intrusion last week, publishing the full cache of stolen files on its onion-based leak portal. Mediaworks confirmed the incident on Friday, acknowledging that "a significant amount of illegally obtained data may have come into the possession of unauthorized persons" and stating it had opened an investigation.
The company moved quickly to suppress reporting on the leaked contents, warning journalists that using the data could constitute a criminal offense and threatening legal action against Hungarian outlet Media1 after it published material from the cache. Media1 refused to retract its coverage, citing public interest given Hungary's political alignment under Prime Minister Viktor Orbán and the country's posture toward Russia during the war in Ukraine.
What Was Taken
Local journalists who reviewed the leaked archive report it contains:
- Approximately 8.5 TB of internal documents
- Payroll records and employee compensation data
- Vendor and talent contracts
- Financial statements and accounting files
- Internal communications and editorial materials
- Notes from a January 2025 editorial meeting reportedly suggesting staff would "contact Moscow for help" regarding articles discrediting Ukrainian President Volodymyr Zelensky
Recorded Future News could not independently verify the authenticity of the documents or the editorial memo, but multiple independent Hungarian outlets have reported on materials drawn from the dump.
Why It Matters
Mediaworks operates dozens of newspapers, regional dailies, magazines, and online outlets, making it one of the most influential media properties in Hungary and a central node in the pro-government information environment. The breach lands at a politically sensitive moment, immediately following Orbán's loss in the national election to the opposition party, and the leaked editorial notes have become evidence in an ongoing public debate about foreign influence in Hungarian media.
For threat intelligence teams, the incident also marks a notable expansion of World Leaks' geographic footprint. The group, which emerged in early 2025 as a rebrand of the Hunters International ransomware operation, has historically focused on victims in the United States, Western Europe, India, and Canada. Mediaworks appears to be its first known Hungarian victim, signaling that Central and Eastern European media organizations are now firmly in scope.
The Attack Technique
World Leaks operates a pure data-theft and extortion model, unlike traditional ransomware crews that encrypt victim environments. The group exfiltrates large volumes of data, then pressures victims with the threat of publication on its leak site if a ransom is not paid. The successful exfiltration of 8.5 TB from Mediaworks indicates extended dwell time and unrestricted access to file shares, document management systems, and likely email or collaboration platforms.
Specific initial access vectors used in the Mediaworks intrusion have not been disclosed publicly. Hunters International, the predecessor operation, has historically relied on phishing, exposed remote access services, and exploitation of unpatched perimeter appliances, with Cobalt Strike and living-off-the-land binaries used for lateral movement. Mediaworks has also faced prior cyber incidents, including a 2022 defacement attributed to the Anonymous hacktivist collective, suggesting longstanding exposure that may have offered familiar footholds to subsequent actors.
What Organizations Should Do
- Hunt for World Leaks and Hunters International TTPs. Review EDR telemetry for known indicators tied to the rebranded operation, including suspicious use of Rclone, MEGA, and other bulk exfiltration tooling targeting file servers and SharePoint repositories.
- Audit east-west traffic and data egress. An 8.5 TB exfiltration is not subtle. Implement DLP and netflow alerting for unusual outbound volumes and connections to cloud storage providers from non-business systems.
- Harden perimeter and identity infrastructure. Patch externally facing VPN, RDP, and edge appliances, enforce phishing-resistant MFA, and aggressively monitor for unusual privileged authentications.
- Segment editorial and finance environments. Media organizations should isolate newsroom systems, HR/payroll, and financial platforms so a single foothold cannot reach all three crown-jewel datasets.
- Pre-stage legal and crisis communications. The Mediaworks response, attempting to legally suppress journalism on leaked material, has drawn criticism. Plan disclosure language and counsel engagement before an incident, not during.
- Run a tabletop exercise covering data-extortion scenarios. Encryption-free extortion changes the recovery calculus. Ensure leadership has rehearsed decisions about ransom payment, regulator notification, and victim communications when there is no ciphertext to restore.
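The first two recommendations above (hunting for Rclone/MEGA tooling and alerting on outbound volume) can be combined into one triage pass. The following is an added example, not code from the article or from any vendor: the record layouts, the destination watchlist, the approved-uploader set, the 50 GiB threshold and all sample telemetry are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumptions (tune per environment): destination watchlist, approved bulk
# uploaders, and a per-host daily byte threshold. None come from the article.
CLOUD_SUFFIXES = ("mega.nz", "mega.co.nz")
APPROVED_UPLOADERS = {"backup01"}
THRESHOLD_BYTES = 50 * 1024**3
# Rclone transfer subcommands; a renamed binary evades this, so volume is checked too.
RCLONE_RE = re.compile(r"(?:^|[\\/])rclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)

def is_cloud_storage(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)

def egress_by_host(flows):
    """Sum outbound bytes to watched destinations per (day, source host)."""
    totals = defaultdict(int)
    for day, src, dst, bytes_out in flows:
        if is_cloud_storage(dst) and src not in APPROVED_UPLOADERS:
            totals[(day, src)] += bytes_out
    return totals

def triage(flows, procs, threshold=THRESHOLD_BYTES):
    """Return {(day, host): severity}; 'high' when volume and tooling agree."""
    tool_hosts = {(day, host) for day, host, cmdline in procs
                  if RCLONE_RE.search(cmdline)}
    volume_hosts = {k for k, v in egress_by_host(flows).items() if v >= threshold}
    return {k: "high" if k in tool_hosts and k in volume_hosts else "medium"
            for k in tool_hosts | volume_hosts}

# Constructed sample telemetry (not real data): (day, src, dst, bytes_out).
GIB, DAY = 1024**3, "2025-06-01"
FLOWS = [
    (DAY, "fs02", "node1.mega.nz", 30 * GIB),
    (DAY, "fs02", "node2.mega.nz", 25 * GIB),        # 55 GiB total: over threshold
    (DAY, "ws17", "node1.mega.nz", 2 * GIB),         # below threshold
    (DAY, "backup01", "node1.mega.nz", 500 * GIB),   # approved uploader, ignored
    (DAY, "fs02", "intranet.example.com", 900 * GIB),  # not a watched destination
]
PROCS = [  # (day, host, command line)
    (DAY, "fs02", r"C:\Tools\rclone.exe copy D:\shares remote:archive"),
    (DAY, "ws17", "rclone version"),                 # no transfer subcommand
    (DAY, "hr05", "/usr/bin/rclone sync /srv/payroll remote:x"),
]

if __name__ == "__main__":
    print(triage(FLOWS, PROCS))
```

A host that shows only one of the two signals is still reported at medium severity, so a renamed transfer binary or a slow, sub-threshold upload does not disappear from the queue.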