EU Cyber Sanctions Hit Chinese and Iranian Hacking Firms

The European Union has imposed cyber sanctions on two Chinese companies, one Iranian company, and two Chinese nationals for conducting cyberattacks against member states and their partners. The Council of the European Union announced the measures on March 16, 2026, citing the specific role each entity played in compromising devices, attacking critical infrastructure, and running influence operations across the continent.

The designations bring the EU's total cyber sanctions list to 19 individuals and seven entities since the regime was established in 2019.

The Companies Named

Integrity Technology Group

Integrity Technology Group provided technical and material support between 2022 and 2023 that contributed to the hacking of more than 65,000 devices across six EU member states. The firm's reach extended well beyond Europe. The FBI had previously linked it to the Raptor Train botnet, a large network of compromised routers, network-attached storage devices, and IP cameras operated by the Chinese state-sponsored threat actor Flax Typhoon. At its peak, the botnet had pulled in an estimated 260,000 devices across North America, Europe, Asia, and Africa.

The US Treasury Department sanctioned Integrity Technology Group in January 2025 for its role in those operations. The EU's action extends those consequences into European jurisdiction.

Anxun Information Technology

The second sanctioned Chinese firm, Anxun Information Technology, provided hacking-for-hire services targeting critical infrastructure and key functions in EU member states and third countries. Anxun, also known as i-Soon, drew wider attention after an internal data leak in 2024 exposed its tools and internal operations. The US had sanctioned the company in early 2025 for cyberattack activity stretching back to at least 2011.

The two individuals added to the EU list are Anxun's co-founders, both assessed to have played a direct role in attacks against EU member states. They face asset freezes and travel bans across EU territory.

Iran's Role: Disinformation and Data Theft

The sanctioned Iranian firm, Emennet Pasargad, was responsible for a different but equally deliberate set of operations. The company accessed a French subscriber database without authorisation and put the stolen data up for sale on the dark web. It also compromised advertising billboards to spread disinformation during the 2024 Paris Olympic Games and targeted a Swedish SMS service, affecting a large number of EU citizens.

Emennet Pasargad has a documented history with Western governments. The US Department of Justice linked the company to Iranian state cyber operations and in 2021 offered a $10 million reward for information on two Iranian nationals who worked as contractors for the firm.

What the Sanctions Mean in Practice

The measures carry real consequences. Those listed face an asset freeze, and EU citizens and companies are prohibited from providing them with funds or economic resources. The individuals named also face travel bans barring entry into or transit through EU territory.

The legal basis is the EU's cyber diplomacy toolbox, established in 2017, which gives the bloc and its member states the authority to apply restrictive measures against malicious cyber activity targeting EU security. A dedicated sanctions framework was added to that toolbox in 2019, and this week's action is one of its most substantive uses to date.

A Coordinated Western Response

The EU's move fits a broader pattern of coordinated action. The US and UK had already sanctioned several of the same entities before Brussels acted. When multiple jurisdictions act together, the financial and operational restrictions become harder to circumvent. Isolated sanctions against state-linked actors have limited reach. Coordinated ones are more difficult to absorb.

China's foreign ministry rejected the EU designations and called on Brussels to correct what it described as an erroneous approach. Beijing has consistently denied Western attributions of state involvement in cyberattacks, even where the evidence points to firms operating with state backing.

Critical Infrastructure Remains the Primary Target

The operations described in the EU's designations follow a well-established pattern. State-linked actors build persistent access to foreign networks over extended periods, prioritising long-term presence over immediate disruption. The Raptor Train network, for example, concentrated its targeting on military, government, telecommunications, and defence sectors. The 65,000 devices compromised across six EU states represent confirmed exposure. Actual reach is likely broader, given that intrusions of this kind often go undetected for months.

The EU's Expanding Cyber Sanctions Regime

The EU cyber sanctions regime has grown steadily since 2019. With this round of designations, the list stands at 19 individuals and seven entities. Each addition reflects a deliberate decision to treat cyberattacks as a foreign policy matter, not just a law enforcement one. That shift in framing has practical implications. It means the EU is prepared to name state-linked actors publicly, absorb the diplomatic friction that follows, and maintain pressure over time.

For organisations operating across Europe, the picture these designations paint is worth taking seriously. The threat actors named here were active for years before sanctions were applied. Their methods relied on compromised consumer devices, weak entry points, and persistent low-visibility access. The exposure was real long before it was officially acknowledged.