The European Union has officially had enough of state-adjacent hackers treating its member states like a digital playground.

On Monday, the EU Council announced a fresh wave of severe sanctions targeting three entities and two individuals from China and Iran. The charges include cyber espionage, critical infrastructure hacking, and a rather brazen digital hijacking during the 2024 Paris Olympics.

The restrictive measures, implemented under the EU’s horizontal cyber sanctions regime, represent a growing willingness in Brussels to name, shame, and financially choke the corporate entities that operate in the gray zone of state-sponsored cyber warfare.

The Chinese Connection for EU Sanctions

Two of the newly sanctioned entities are based in China, which is popularly known to harness the “hack-for-hire” ecosystems and the commercialization of offensive cyber tools.

First on the chopping block is Integrity Technology Group. According to the EU, this firm has not just been dabbling in low-level espionage but it provided the specific tooling used to compromise more than 65,000 devices across six different EU member states between 2022 and 2023. Supplying the digital lockpicks for mass device exploitation has earned the company a total freeze on any European assets.

Joining them on the blacklist is Anxun Information Technology, alongside two of its Chinese co-founders. The Council explicitly called out Anxun for providing targeted hacking services aimed directly at the critical infrastructure and core government functions of EU member states. This shows that the market for offensive cyber capabilities remains booming, and the EU is now willing to target the executive leadership behind these mercenary outfits, not just the technical operators.

Dark Web Sales and Olympic Trolling

The third sanctioned entity, Iran-based Emennet Pasargad, boasts a track record of chaotic, highly visible disruptions.

The EU attributes a laundry list of disruptive attacks to the group. Emennet Pasargad allegedly breached a French subscriber database, siphoning off private data and subsequently fencing the stolen content on the dark web.

But their most public stunt occurred during the 2024 Paris Olympics. The group managed to hack into digital billboards in the French capital, leveraging the highly visible displays to broadcast disinformation during one of the most televised events on the planet. As if that was not enough, the group is also accused of compromising a Swedish SMS service, blasting disruptive messages to a massive swath of EU citizens.

The Fallout

With Monday’s additions, the EU’s cyber sanctions list now covers a total of 19 individuals and seven corporate entities.

The penalties are not just strongly worded diplomatic letters but carry real financial weight. The listed entities and individuals are subject to strict asset freezes within the EU. Furthermore, European citizens and tech businesses are legally barred from providing any funds, financial assets, or economic resources to them. For the two Anxun co-founders, the sanctions also include a strict travel ban, locking them out of entering or even transiting through EU territory.

While sanctions alone rarely stop dedicated state-backed actors, the Council’s latest move showcases how EU is actively mapping the corporate supply chains of cyber warfare, and that they are coming after the wallets of the companies enabling it.

Also read: Cyber Resilience Act: EU Adopts New Law to Strengthen Digital Product Security