Two of the world's most prolific state-linked hacking groups, Russia's
Gamaredon and North Korea's Lazarus collective, have been spotted sharing
resources, new research showed on Thursday.
Experts at cybersecurity firm Gen Digital found overlapping tactics and shared
infrastructure between the two groups.
The discovery is “unprecedented,” said Director of Threat Intelligence at Gen
Digital Michal Salat. “I don’t recall two countries working together on
[Advanced Persistent Threat] attacks,” he said, referring to attacks that are
sophisticated, long-term campaigns often conducted by nation-state actors.
If confirmed, it would mark a new level of coordination between Moscow and
Pyongyang.
Gamaredon, a cyber espionage group linked to Russia's Federal Security Service
(FSB), has aggressively targeted Ukrainian government networks since the start
of the full-scale invasion in 2022, mostly for intelligence collection. Lazarus,
a well-known North Korean threat group, conducts everything from espionage to
financially motivated cybercrime.
While tracking Gamaredon's use of Telegram channels to publish the addresses of
the servers controlling its malware, analysts discovered that one of those
servers was also being used by Lazarus.
One Gamaredon-run server was also found hosting a hidden version of malware
linked to Lazarus. The file closely matched Lazarus’ typical tools. Nation-state
hacking groups rarely host or distribute one another’s malware.
Researchers believe the findings indicate the two groups are likely sharing
systems, and could very well be cooperating directly. At a minimum, it shows
that one group is deliberately imitating the other.
Salat added that Gamaredon may be studying Lazarus’ methods, too. Lazarus is
known for using fake job offers to trick victims and for stealing
cryptocurrency, a key revenue source for North Korea, which is under heavy
global sanctions.
Moscow and Pyongyang have increased cooperation, including among their
militaries, in previous years. Western security services believe Pyongyang has
sent thousands of North Korean soldiers to Russia to support the war in Ukraine.
Ukrainian authorities last month said North Korean troops were flying drones
across the border, and Ukrainian military intelligence said last week North
Korea would send thousands of workers to Russia to manufacture drones.
MILAN — Nothing about the sand-colored façade of the palazzo tucked behind
Milan’s Duomo cathedral suggested that inside it a team of computer engineers
were building a database to gather private and damaging information about
Italy’s political elite — and use it to try to control them.
The platform, called Beyond, pulled together hundreds of thousands of records
from state databases — including flagged financial transactions and criminal
investigations — to create detailed profiles on politicians, business leaders
and other prominent figures.
Police wiretaps recorded someone they identified as Samuele Calamucci, allegedly
the technical mastermind of the group, boasting that the dossiers gave them the
power to “screw over all of Italy.”
The operation collapsed in fall 2024, when a two-year investigation culminated
in the arrests of four people, with a further 60 questioned. The alleged
ringleaders have denied ever directly accessing state databases, while
lower-level operatives maintain they only conducted open-source searches and
believed their actions were legal. Police files indicate that key suspects
claimed they were operating with the tacit approval of the Italian state.
After months of questioning and plea bargaining, 15 of the accused are set to
enter their pleas at the first court hearing in October.
The disclosures were shocking, not only because of the confidentiality of the
data but also the high-profile nature of the targets, which included former
Prime Minister Matteo Renzi and Ignazio La Russa, co-founder of the ruling
Brothers of Italy party and president of the Senate.
The scandal underscores a novel reality: that in the digital era, privacy is a
relic. While dossiers and kompromat have long been tools of political warfare,
hackers today, commanded by the highest bidder, can access information to
exploit decision-makers’ weaknesses — from private indiscretions to financial
vulnerabilities. The result is a political and business class highly exposed to
external pressures, heightening fears about the resilience of democratic
institutions in an era where data is both power and liability.
POLITICO obtained thousands of pages of police wiretap transcripts and arrest
warrants and spoke with alleged perpetrators, their victims and officials
investigating the scheme. Together, the documents and interviews reveal an
intricate plot to build a database filled with confidential and compromising
data — and a business plan to exploit it for both legal and illegal means.
On the surface, the group presented itself as a corporate intelligence firm,
courting high-profile clients by claiming expertise in resolving complex risk
management issues such as commercial fraud, corruption and infiltration by
organized crime.
Prosecutors accuse the gang of compiling damaging dossiers by illegally
accessing phones, computers and state databases containing information ranging
from tax records to criminal convictions. The data could be used to pressure and
threaten victims or fed to journalists to discredit them.
The alleged perpetrators include a former star police investigator, the top
manager of Milan’s trade fair complex and several cybersecurity experts
prominent in Italy’s tech scene. All have denied wrongdoing.
SUPERCOP TURNED SUPERCROOK
When the gang first drew the attention of investigators in the summer of 2022,
it was almost by accident.
Police were tracking a northern Italian gangster when he arranged a meeting with
retired police inspector Carmine Gallo at a coffee bar in downtown Milan. Gallo,
a veteran in the fight against organized crime, was a familiar face in Italy’s
law enforcement circles. The meeting raised suspicions, and authorities put
Gallo under surveillance — and inadvertently uncovered the gang’s wider
operations.
Gallo, who died in March 2025, was a towering figure in Italian law enforcement.
He helped solve high-profile cases such as the 1995 murder of Maurizio Gucci —
carried out by the fashion mogul’s ex-wife Patrizia Reggiani and her clairvoyant
— and the 1997 kidnapping of Milanese businesswoman Alessandra Sgarella by the
‘ndrangheta organized crime syndicate.
Yet Gallo’s career was not without controversy. Over four decades, he cultivated
ties to organized crime networks and faced repeated investigations for
overstepping legal boundaries. He ultimately received a two-year suspended
sentence for sharing official secrets and assisting criminals.
When he retired from the force in 2018, Gallo illegally carted off investigative
material such as transcripts of interviews with moles, mafia family trees and
photofits, prosecutors’ documents show. His modus operandi was to tell municipal
employees to “get a coffee and come back in half an hour” while he photographed
documents, he boasted in wiretaps.
Still, Gallo’s work ethic remained relentless. In 2019, he co-founded Equalize —
the IT company that hosted the Beyond database — with his business partner
Enrico Pazzali, presenting the firm as a corporate risk intelligence company.
Gallo’s years as a police officer gave him a unique advantage: He could leverage
relationships with former colleagues in law enforcement and intelligence to get
them to carry out illegal searches on his behalf. Some of the information he
obtained was then repackaged as reputational dossiers for clients, commanding
fees of up to €15,000.
Gallo also cashed in his influence for favors, such as procuring passports for
friends and acquaintances. Investigators recorded conversations in which he
bragged of sourcing a passport for a convicted mafioso under investigation for
kidnapping, who planned to flee to the United Arab Emirates.
The supercop-turned-supercriminal claimed that Equalize had a full overview of
Italian criminal operations, extending even to countries like Australia and
Vietnam.
When investigators raided the group’s headquarters, they found thousands of
files and dossiers spanning decades of Italian criminal and political history.
The hackers even claimed to have — as part of what they called their “infinite
archive” — video evidence of the late Prime Minister Silvio Berlusconi’s
so-called bunga bunga parties, which investigators called “a blackmail tool of
the highest value.”
Gallo’s sudden death of a heart attack six months into the investigation stirred
unease among prosecutors. They noted that while an initial autopsy found no
signs of trauma or injection, the absence of such evidence does not necessarily
rule out interference. Investigators have ordered toxicology tests.
‘HANDSOME UNCLE’
Gallo's collaborator Pazzali, a well-known businessman who headed Milan's
prestigious Fondazione Fiera Milano, the country's largest exhibition center,
was Equalize's alleged frontman.
Pazzali, through his lawyer, declined to comment to POLITICO about the
allegations.
The Fiera, a magnet for money and power, made Pazzali a heavy hitter in Milanese
circles. Having built a successful career across IT, energy and other sectors,
and boasting a full head of steely gray hair, he was known to some by the
nickname “Zio Bello,” or handsome uncle.
Pazzali cultivated close ties to right-wing politicians, including Attilio
Fontana, president of the Lombardy region, and maintained a close association
with high-level intelligence officials. He would meet clients in a
chauffeur-driven black Tesla X, complete with a blue flashing light on the roof
— the kind typically reserved for high-ranking officials.
Since 2019, Pazzali held a 95 percent stake in Equalize. If Gallo’s role was
sourcing confidential information, Pazzali’s was winning high-profile clients,
the prosecutors allege. Leveraging his reputation and political connections, he
helped secure business from banks, industrial conglomerates, multinationals, and
international law firms, including pasta giant Barilla, the Italian subsidiary
of Heineken, and energy powerhouse Eni.
Documents show that Eni paid Equalize €377,000. Roberto Albini, a spokesperson
for the energy giant, told POLITICO that the firm had commissioned Equalize “to
support its strategy and defense in the context of several criminal and civil
cases.” He added that Eni was not aware of any illegal activity by the company.
Marlous den Bieman, corporate communications manager for Heineken, said the
brewer had “ceased all collaboration with Equalize and is actively cooperating
with authorities in their investigation of the company’s practices.”
Barilla declined to comment.
Italy’s third-largest bank, Banca Mediolanum, said it had paid “€3,000 to
Equalize to gather more public information regarding a company that could have
been the subject of a potential deal, managed by our investment bank.” The bank
added, “Of course we were not aware that Equalize was in general conducting its
business also through the adoption of illicit procedures.”
The group’s reach extended beyond Italy. In February 2023, it was hired by
Israeli state intelligence agents in a €1 million operation to trace the
financial flows from the accounts of wealthy individuals to the Russian
mercenary network Wagner. In exchange, the Israelis promised to hand over
intelligence on the illicit trafficking of Iranian gas through Italy — a
commodity that, they suggested, might be of interest to Equalize’s client, the
energy giant Eni.
Equalize rapidly grew into a formidable private investigation operation. Police
reports noted that Pazzali recognized data as “a weapon for enormous economic
and reputational gains,” adding, “Equalize’s raison d’être is to provide …
Pazzali with information and dossiers to be used for the achievement of his
political and economic aims.”
During the 2023 election campaign for the presidency of the Lombardy region,
Pazzali ordered dossiers on close affiliates of former mayor of Milan, Letizia
Moratti, who was challenging his preferred candidate, the far-right Fontana.
A spokesman for Fontana called the allegation “science-fiction” and said
“nothing was offered to the president of the region, he did not ask for
anything, and he certainly did not pay anything.”
In 2022, Pazzali was in the running to manage Italy’s 2026 Winter Olympics as
chief executive. Wiretaps suggested he ordered a dossier on his competitor,
football club AC Milan’s Chairman Paolo Scaroni, but found nothing on him.
Business was booming, but Pazzali and Gallo were thinking ahead. They had become
reliant on cops willing to leak information, and those officers could be spooked
— or caught in the act. That was a vulnerability.
They started to envisage a more sophisticated operation: a platform that
collated all the data the group had in its possession and could generate the
prized dossiers with the click of a button, erasing the need for bribes and
cutting manpower costs — a repository of high-level secrets that, once
operational, would give Pazzali, Gallo, and their team unprecedented power in
Italy.
Pazzali declined to comment on the investigation. He is due to plead before a
judge at a preliminary hearing in October.
‘THE PROFESSOR’ AND THE BOYS
Enter Samuele Calamucci, the coding brain of the operation.
Calamucci is from a small town just outside Milan, and before he began his
career in cybersecurity, he was involved in stonemasonry.
Unlike his partners Gallo and Pazzali, Calamucci wasn’t a known face in the city
— and he had worked hard to keep it that way. He ran his own private
investigation firm, Mercury Advisor, from the same offices as Equalize, handling
the company’s IT operations as an outside contractor.
Calamucci knew his way around Italian government IT systems, too. In wiretapped
conversations, he claimed to have helped build the digital infrastructure for
Italy’s National Cybersecurity Agency and to have worked for the secret
services’ Department of Information for Security.
Known within the gang as “the professor,” Calamucci’s role was to recruit and
manage a team of 30 to 40 programmers he called the ragazzi — the boys.
With his best recruits he began to build Beyond in 2022, the platform designed
to be the digital equivalent of an all-seeing eye.
To populate it, Calamucci and his team purchased data from the dark web,
exploited access through government IT maintenance contracts and siphoned
intelligence from state databases whenever they could, prosecutors said.
In one police-recorded conversation, Calamucci boasted of a hard drive holding
800,000 dossiers. Through his lawyer, Calamucci declined to comment.
“We all thought the requested reports served the good of the country,” said one
of the hackers, granted anonymity to speak freely. “Ninety percent of the
reports carried out were about energy projects, which required open-source
criminal records or membership in mafia syndicates, given that a large portion
concerned the South.” Only 5 percent of the jobs they carried out were for
individuals to conduct an analysis of enemies or competitors, he added.
The hackers were also “not allowed to know” who was coming into Equalize’s
office from the outside. Meetings were held behind closed doors in Gallo’s
office or in conference rooms, the hacker told POLITICO, explaining that the
analysts were unaware of the company’s dynamics and the people it associated
with.
Beyond gave Pazzali, Gallo, and their gang a treasure trove of compromising
information on political and business figures in a searchable platform. Wiretaps
indicated the plan was to sell access via subscription to select clients,
including international law firm Dentons and some of the Big Four consultancies
like Deloitte, KPMG, and EY.
Dentons declined to comment. Deloitte and EY did not respond to a request for
comment. Audee Van Winkel, senior communication officer for KPMG in Belgium,
where one of the alleged gang members worked, said the consultancy did not have
any knowledge or records of KPMG in Belgium working with the platform.
‘INTELLIGENCE MERCENARIES’
In Italy’s sprawling private investigation scene, Equalize was a relative
newcomer. But Gallo, Pazzali and their associates had something going for them:
They were well-connected.
One alleged member of the organization, Gabriele Pegoraro, had worked as an
external cybersecurity expert for intelligence services and had previously made
headlines as the IT genius who helped capture a fugitive terrorist.
Pegoraro said he “carried out only lawful operations using publicly available
sources” and “was in the dark about how the information was used.”
According to wiretaps, Calamucci and Gallo had worked with several intelligence
agents to provide surveillance to protect criminal informants.
On one occasion, Calamucci explained to a subordinate that the relationship with
the secret services “was essential” to continue running Equalize undisturbed.
“We are mercenaries for [Italian] intelligence,” he was heard saying by police
listening in on a meeting with foreign agents at his office.
The services also helped with data searches for the group and created a mask of
cover for the gang, prosecutors believe. A hacker proudly claimed that Equalize
had even received computers handed down from Italy’s foreign intelligence
agency, while law enforcement watched from bugs planted in the ceiling.
THE PROSECUTION
In October 2024, the music stopped.
Prosecutors placed four of the alleged gang members, including Gallo and
Calamucci, under house arrest and another 60 people under investigation. They
brought forward charges including conspiracy to hack, corruption, illegal
accessing of data and the violation of official secrets.
“Just as the Stasi destroyed the lives of so many people using a mixture of
fabricated and collected information, so did these guys,” said Leonida Reitano,
an Italian open-source investigator who studied the case. “They collected
sensitive information, including medical reports, and used it to compromise
their targets.”
News of what the gang had done dropped like a bombshell on Italy’s political
class. Foreign Minister Antonio Tajani told reporters at the time that the
affair was “unacceptable,” while Interior Minister Matteo Piantedosi warned the
parliament that the hackers were “altering the rules of democracy.”
The Equalize scandal “is not only the most serious in the history of the Italian
Republic but represents a real and actual attack on democracy,” said Angelo
Bonelli, MP and member of the opposition Green Europe.
Former Prime Minister Renzi warned of a deeper political risk associated with the gang.
“It is clear that Equalize are very close to the leaders of the right-wing
parties, and intended to build a powerful organization, although it is not yet
certain how deep an impact they had,” he told POLITICO. Renzi is seeking damages
as a civil plaintiff in the eventual criminal trial.
Equalize was liquidated in March, and some of the alleged hackers have since
taken on legitimate roles within the cybersecurity sector.
There are many unresolved questions around the case. Investigators and observers
are still trying to determine the full extent of Equalize’s ties to Italian
intelligence agencies, and whether any clients were aware of or complicit in the
methods used to compile sensitive dossiers. Interviews with intelligence
officials conducted during the investigation were never transcribed, and
testimony given to a parliamentary committee remains classified. Police
documents are heavily redacted, leaving the identities of key figures and the
full scope of the operation unclear.
While Equalize is unprecedented in its scale, efforts to collect information on
political opponents have “become an Italian tradition,” said the political
historian Giovanni Orsina. Spying and political chicanery during and after the
Cold War has damaged democracy and undermined trust in public institutions, made
worse by a lethargic justice system that can take years if not decades to
deliver justice.
“It adds to the perception that Italy is a country in which you can never find
the truth,” Orsina said.
Franco Gabrielli, a former director of Italy’s civil intelligence services,
warned that even the toughest of sentences are unlikely to put an end to the
practice. “It just increases the costs, because if I risk more, I charge more,”
he said.
“We must reduce the damage, put in place procedures, mechanisms,” he added.
“But, unfortunately, all over the world, even where people earn more there are
always black sheep, people who are corrupted. It’s human nature.”
BRUSSELS — Crafty hacking groups backed by hostile states have increasingly
targeted European public institutions with cyber espionage campaigns in the past
year, the European Union’s cybersecurity agency said Wednesday.
Public institutions were the most targeted type of organization, accounting for
38 percent of the nearly 5,000 incidents analyzed, the ENISA agency said in its
yearly threat landscape report on European cyber threats.
The EU itself is a regular target, it added. State-aligned hacking groups
“steadily intensified their operations toward EU organizations,” ENISA said,
adding that those groups carried out cyber espionage campaigns on public bodies
while also attempting to sway the public through disinformation and
interference.
The report looked at incidents from July 1, 2024 to June 30, 2025.
Multiple European countries said in August that they had been affected by “Salt
Typhoon,” a sprawling hacking and espionage campaign believed to be run by
China’s Ministry of State Security.
In May, the Netherlands also attributed a cyber espionage campaign to Russia,
and the Czech government condemned China for carrying out a cyberattack against
its foreign ministry exposing thousands of unclassified emails.
These incidents underlined how European governments and organizations are
increasingly plagued by cyber intrusions and disruption.
Though state-backed cyber espionage is on the rise, ENISA said the most
"impactful" threat in the EU is ransomware, a type of attack in which criminals
break into a network, encrypt files or lock systems, and demand payment before
victims can regain control over their IT.
Another type of attack, known as distributed denial-of-service (DDoS), was the
most common type of incident, ENISA said. DDoS attacks are most commonly
deployed by cyber activists.
ENISA said different types of hacking groups are increasingly using each others’
tactics, most notably when state-aligned groups use cyber-activist techniques to
hide their provenance.
The agency also highlighted the threat to supply chains posed by cyberattacks,
saying the interconnected nature of modern services can amplify the effect of a
cyberattack.
Passengers at Brussels, Berlin and London Heathrow airports recently experienced
severe delays due to a cyberattack on supplier Collins Aerospace, which provides
check-in and boarding systems.
“Everyone needs to take his or her responsibilities seriously,” Hans de Vries,
the agency’s chief operations officer, told POLITICO. “Any company could have a
ripple effect … We are so dependent on IT. That’s not a nice story but it’s the
truth.”
LONDON — The U.K. has imposed a raft of sanctions on Russian military
intelligence officers involved in targeting Ukrainian civilians and carrying out
cyber attacks against Britain.
The Foreign, Commonwealth and Development Office (FCDO) named three units of
Russia’s GRU military intelligence service and 18 individual spies it said had
been acting on behalf of Vladimir Putin.
The units were involved in the bombing of the Mariupol Theatre in 2022 as well
as efforts to support the war in Ukraine and destabilize Western allies,
according to the FCDO.
The U.K. is placing further sanctions against “African Initiative,” a Russian
social media content mill accused of conducting misinformation campaigns in West
Africa and undermining public health initiatives with conspiracy theories.
Those singled out for sanctions will have their assets frozen and be banned from
traveling to Britain.
Foreign Secretary David Lammy said it would send a message from the U.K. that
“we see what they are trying to do in the shadows and we won’t tolerate it.”
One of the units sanctioned, Unit 26165, carried out online reconnaissance to
help target missile strikes against Mariupol in 2022, including the bombing of
the Mariupol Theatre.
Civilians had been using the building as a refuge and placed a large sign
spelling “children” in Russian in front of the theatre. Ukrainian authorities
estimated 300 people were killed in the attack, while the Associated Press put
the number closer to 600.
The same unit is believed to be responsible for high-profile cyber attacks
dating back a decade, including data hacks on the German Bundestag in 2015, the
U.S. Democratic National Committee (DNC) in 2016, and Emmanuel Macron’s 2017
presidential campaign.
Unit 26165 also interfered with foreign assistance to Ukraine through targeting
ports and transport hubs, according to the British government, while the French
government has blamed the unit for cyber attacks during the 2024 Olympic and
Paralympic Games in Paris.
Another group, Unit 29155, has been accused of deploying wiper malware known as
"WhisperGate" on Ukrainian government systems in the build-up to Russia's
invasion of Ukraine.
Sanctions announced Friday were also directed at spies who infected a phone
belonging to Yulia Skripal, the daughter of former Russian spy Sergei Skripal,
with malware five years before the failed attempt to murder the pair with nerve
agent Novichok in Salisbury, England in 2018.
The FCDO said Russia has targeted media outlets, telecoms providers, political
institutions and energy infrastructure in the U.K.
NATO allies issued a statement in support, saying: “We strongly condemn Russia’s
malicious cyber activities, which constitute a threat to Allied security” and
“we stand in solidarity” with the U.K.’s actions.
Russian basketball player Daniil Kasatkin was arrested in France on a hacking
charge at the request of the United States.
U.S. authorities believe Kasatkin negotiated payoffs for a ransomware ring that
hacked around 900 companies and two federal government entities in the U.S.,
demanding money to end their attacks, according to a report from AFP. Kasatkin,
who was arrested on June 21, denies the allegations.
His lawyer, Frédéric Bélot, told POLITICO that Kasatkin is a “collateral victim
of that crime” because he bought a second-hand computer with malware.
“He’s not a computer guy,” Bélot said. “He didn’t notice any strange behavior on
the computer because he doesn’t know how computers work.”
A French court denied Kasatkin bail on Wednesday, and he remains in jail
awaiting formal extradition notification from U.S. authorities, according to
Bélot.
Kasatkin had traveled to France to visit Paris with his fiancée and was detained
shortly after arriving at the airport.
He played collegiate basketball briefly at Penn State, then four seasons for the
Moscow-based MBA-MAI team. Bélot said Kasatkin’s physical condition has
deteriorated in jail, which he argued is harming his athletic career.
Joshua Berlinger contributed to this report.