The European Union on Monday imposed sanctions against three companies and two individuals for conducting cyber attacks against EU member states — marking the most significant expansion of the EU’s cyber sanctions regime since its creation in 2019.

The EU Council announcement names:

  • Integrity Technology Group (China) — linked to the Flax Typhoon botnet operations
  • Anxun Information Technology (China) — better known as i-Soon, the notorious hacking-for-hire contractor whose internal documents were leaked in 2024
  • Emennet Pasargad (Iran) — an IRGC-affiliated cyber operations firm that breached a French subscriber database and advertised the stolen data on the dark web

Two Chinese individuals — identified as co-founders of Anxun/i-Soon — were also sanctioned for their roles in cyber attacks affecting EU member states.

The sanctions regime now covers 17 individuals and four entities, and was recently extended until May 18, 2026.

Let’s examine what makes each of these entities significant — because these aren’t random names pulled from a hat. Each represents a distinct model of state-sponsored cyber warfare that’s been escalating for years.

Integrity Technology Group: The Publicly-Traded Botnet Operator

Integrity Technology Group is, on paper, a cybersecurity company. It’s listed on the Shanghai Stock Exchange. It has a public-facing website. It employs hundreds of people. It’s also the company that the FBI identified in September 2024 as the entity behind the Flax Typhoon botnet.

The Flax Typhoon Connection

FBI Director Christopher Wray publicly revealed at the Aspen Cyber Summit in September 2024 that Integrity Technology Group was the real identity behind Flax Typhoon — a Chinese state-sponsored hacking group that had been building and operating a massive botnet compromising hundreds of thousands of IoT devices, routers, and cameras worldwide.

According to the U.S. Treasury, which sanctioned Integrity Tech in January 2025, Flax Typhoon used Integrity Tech infrastructure between summer 2022 and fall 2023 to conduct cyber attacks against multiple victims, including:

  • U.S. and European government agencies
  • Defense contractors
  • Telecommunications companies
  • Academic institutions
  • Media organizations

The FBI’s disruption operation forced Flax Typhoon to temporarily abandon its botnet, but the infrastructure represented years of patient, methodical compromise — exactly the kind of persistent access that China’s cyber operations are increasingly designed to establish.

Why Integrity Tech Matters

Integrity Technology Group represents a model that’s becoming increasingly common in China’s cyber ecosystem: a legitimate commercial cybersecurity company that simultaneously operates as a hacking arm of the state.

This dual-use model gives the Chinese government several advantages:

  • Plausible deniability. The company can claim its cybersecurity research tools were misused or independently deployed
  • Commercial cover. Employees can attend international conferences, conduct open-source intelligence gathering, and maintain legitimate business relationships
  • Talent pipeline. The company can recruit skilled hackers through normal commercial channels without exposing them to the intelligence services directly
  • Infrastructure laundering. Commercial internet infrastructure is harder to attribute to state operations than military or intelligence networks

Flax Typhoon operates as part of China’s broader “Typhoon” family of APT groups — alongside Salt Typhoon (targeting telecommunications), Volt Typhoon (pre-positioning in critical infrastructure), and others. Together, these groups represent what security researchers describe as the most formidable state cyber apparatus in the world.

The EU’s decision to sanction Integrity Tech alongside the U.S. Treasury designation signals growing transatlantic coordination on attributing and punishing Chinese cyber operations — a development Beijing will not welcome.

Anxun Information Technology (i-Soon): The Hacking Contractor Whose Dirty Laundry Got Aired

If Integrity Technology Group represents the sophisticated end of China’s hacker-for-hire ecosystem, Anxun Information Technology — known internationally as i-Soon — represents its chaotic, sprawling, and remarkably well-documented underbelly.

The i-Soon Leak

In February 2024, an unknown person dumped a massive cache of internal i-Soon documents on GitHub — spreadsheets, chat logs, marketing materials, client lists, and capability demonstrations. Two i-Soon employees confirmed the documents’ authenticity to the Associated Press.

The leak revealed that i-Soon operated as a private-sector hacking contractor serving China’s Ministry of Public Security, Ministry of State Security, and military intelligence. The company’s services included:

  • Custom hacking tools for targeting specific platforms (Twitter/X, Gmail, Microsoft Exchange, Android, iOS)
  • Network penetration services sold to regional Chinese police departments
  • Data theft operations targeting foreign governments, including NATO members, the United Kingdom, and multiple Asian governments
  • Surveillance tools for monitoring dissidents, ethnic minorities, and political activists

The company’s chat logs, as reported by the AP, revealed a “sordid culture fueled by influence, alcohol and sex” — a far cry from the image of elite state hackers. Employees complained about low pay, discussed the quality of their hacking tools compared to competitors, and haggled with government clients over pricing for stolen data.

What i-Soon Did to EU Member States

The EU Council’s statement specifies that Anxun “provided hacking services aimed at the critical infrastructure and critical functions of member states and third countries.” While the specific operations haven’t been detailed publicly, the leaked documents showed i-Soon campaigns targeting:

  • Government email systems across multiple European countries
  • Telecommunications infrastructure
  • Academic research institutions
  • Defense and foreign affairs ministries

The two co-founders sanctioned alongside the company were reportedly identified through the leaked documents and subsequent investigations by intelligence agencies in multiple countries.

The Ecosystem Problem

i-Soon wasn’t unique — it was part of a broader ecosystem of private Chinese hacking contractors that Google’s Mandiant unit described as having “links to the Chinese patriotic hacking scene.” These companies fill the space between China’s formal intelligence agencies and the targets they want to compromise.

As John Hultquist of Mandiant told the AP, i-Soon is “part of an ecosystem of contractors.” That ecosystem means China can scale its cyber operations without expanding its official intelligence workforce — outsourcing hacking the same way governments outsource defense manufacturing.

This is a model that the West has been slow to understand and slower to counter. The EU sanctions represent an attempt to impose costs on this contractor ecosystem, but with dozens of similar firms operating across China, sanctioning individual companies is a game of whack-a-mole.

Emennet Pasargad: Iran’s Multi-Threat Cyber Operator

The third sanctioned entity, Emennet Pasargad, is an Iranian company affiliated with the Islamic Revolutionary Guard Corps (IRGC) that has been operating under various names for years — including Aria Sepehr Ayandehsazan, Cotton Sandstorm, MarnanBridge, and Haywire Kitten.

A History of Diverse Operations

Emennet Pasargad has one of the most varied operational portfolios of any state-affiliated cyber group:

U.S. Election Interference (2020). In October 2021, a federal grand jury in New York indicted two Iranian nationals linked to Emennet Pasargad for hacking, voter intimidation, and conspiracy stemming from a scheme to disrupt the 2020 U.S. presidential election. The operatives accessed voter registration data and sent threatening emails to voters.

Media and Broadcasting Attacks. The group has targeted Israeli broadcasting infrastructure and conducted hack-and-leak operations against media organizations, as documented in Check Point’s analysis of the group’s evolving malware capabilities.

Critical Infrastructure Targeting. Operating as CyberAv3ngers (a front persona), the group targeted U.S. water treatment facilities and other critical infrastructure — leading to IRGC officer sanctions by the U.S. Treasury.

The French Database Breach. According to the EU Council, Emennet Pasargad “unlawfully gained access to a French subscriber database and advertised its contents for sale on the dark web.” This specific operation — stealing European data and monetizing it through dark web sales — is what triggered the EU sanctions.

Iran’s Evolving Cyber Posture

Emennet Pasargad’s sanctioning comes at a moment when Iran’s cyber operations are simultaneously expanding and being exposed. The ongoing cyber proxy war with Israel has pushed Iranian groups to operate more aggressively, while intelligence agencies and security researchers have gotten better at attributing their operations.

Dark Reading reported just two weeks ago that Emennet Pasargad/Cotton Sandstorm had revived its Altoufan Team persona for new attacks, including operations targeting Bahrain and other Gulf states. The group’s ability to maintain multiple operational personas simultaneously — each with different targets, tools, and objectives — makes it one of Iran’s most dangerous cyber actors.

The EU’s inclusion of Emennet Pasargad alongside the Chinese entities sends a message that European patience with Iranian cyber operations is wearing thin — particularly when those operations directly compromise European citizens’ data for dark web profit.

What the Sanctions Actually Do

EU cyber sanctions impose:

  • Asset freezes on sanctioned entities and individuals
  • Travel bans preventing sanctioned individuals from entering or transiting through EU member states
  • Prohibition on making funds available to sanctioned entities — meaning European companies and citizens cannot do business with them

In practical terms, the impact on Chinese and Iranian companies operating primarily within their own countries is limited. Integrity Technology Group and i-Soon don’t have significant European assets to freeze. Emennet Pasargad, as an IRGC-affiliated entity, was already subject to extensive sanctions under other regimes.

The Real Impact Is Diplomatic and Normative

The significance of EU cyber sanctions is less about their immediate financial impact and more about:

Attribution as deterrence. Publicly naming companies and individuals involved in state-sponsored hacking imposes reputational costs and creates a permanent public record. Integrity Tech employees may find it harder to attend international conferences or collaborate with Western researchers.

Coalition building. The EU sanctions align with existing U.S. Treasury OFAC designations against the same entities. This transatlantic coordination creates a unified front that makes it harder for sanctioned entities to operate in the international financial system.

Norm establishment. Each round of cyber sanctions reinforces the principle that state-sponsored cyber attacks against civilian infrastructure are unacceptable — building a body of international practice that could eventually inform more binding international law.

Signaling resolve. The expansion from 14 to 17 sanctioned individuals and from one to four sanctioned entities demonstrates that the EU’s cyber sanctions regime is active and growing, not a one-time gesture.

The Bigger Picture: State-Sponsored Hacking Is an Industry

The three entities sanctioned today represent three different models of state-sponsored cyber operations:

  • Integrity Technology Group: A commercial cybersecurity company secretly operating state botnet infrastructure
  • i-Soon/Anxun: A private hacking contractor selling services to government intelligence agencies
  • Emennet Pasargad: A quasi-governmental entity directly affiliated with military/intelligence services

All three models are growing. China’s hacker-for-hire ecosystem is expanding, with Operation Roaring Lion demonstrating how Chinese state hackers are even weaponizing Western AI systems. Iran’s cyber operations are escalating alongside the physical conflict in the Middle East.

The EU’s sanctions are a step — but they’re a step in a race where the adversaries are sprinting. With Salt Typhoon now operating globally, i-Soon’s leaked documents revealing the breadth of China’s contractor ecosystem, and Iran’s cyber proxies multiplying by the month, the question isn’t whether sanctions are the right tool. It’s whether any tool, short of equivalent cyber capabilities and willingness to use them, is sufficient.


For background on China’s cyber operations, see our coverage of Salt Typhoon’s global expansion, China’s MSS cyber power, and the Salt & Volt Typhoon deep dive. For Iran’s cyber warfare, see the cyber proxy war, Lemon Sandstorm’s infrastructure attack, and Iran’s cyber warfare paradox.