On July 21, 2025, the Hungarian National Investigation Bureau’s Cybercrime Investigation Unit announced the arrest of a 23-year-old suspect behind a series of coordinated DDoS attacks targeting the International Press Institute (IPI) and over 40 independent media websites in Hungary between 2023 and 2024.
The suspect, operating under the alias “Hano”, allegedly used “DDoS-for-hire” services and a variety of anonymisation techniques to orchestrate long-running disruptions that took down high-profile journalistic platforms such as Telex, HVG, and 444.hu. Forensic evidence from seized digital devices confirmed the presence of access logs, fake profiles, and operational traces linking the individual to the attacks.
Targeted DDoS Campaigns and Political Implications
The attacks began shortly after IPI published a report highlighting a surge in DDoS incidents aimed specifically at independent media outlets, with pro-government media notably unaffected. IPI’s own website was taken offline for three days starting on 1 September 2023, in what was later verified as a retaliatory action by Qurium, a non-profit security lab based in Sweden.
Interestingly, the attacker left distinct digital signatures embedded in payloads, such as the tag #HanoHatesU, suggesting a mix of personal motive and political intent. The same tag appeared in follow-up attacks against Germany’s taz after it reported on the IPI incident—demonstrating a pattern of reprisal targeting press freedom advocates.
While formal charges are still pending, Hungarian authorities are working with Austrian law enforcement due to the cross-border dimension of the attacks. The investigation also raised questions about possible external funding or coordination, which have yet to be confirmed.
DDoS-as-a-Service Still Fueling Threat Landscape
This incident underscores how DDoS-as-a-Service ecosystems continue to enable relatively young, non-state actors to carry out impactful and politically charged attacks at scale. The suspect’s use of rented botnets and commercial stresser platforms reflects broader trends seen in the threat landscape, where accessibility and automation drive attack volume.
From a technical standpoint, the attacks fit the Advanced Persistent Threat (APT) profile—long-term targeting, consistent TTPs, and a political or ideological motivation. However, it’s worth noting that experts unofficially categorised “Hano” as an APT despite lacking any confirmed state sponsorship, which blurs traditional APT definitions.
FastNetMon’s Perspective
At FastNetMon, we continuously monitor and profile DDoS activity across global networks. This case serves as a strong reminder that even low-cost, outsourced DDoS attacks can have outsized effects—especially when aimed at vulnerable civil society infrastructure.
We encourage all media organisations and NGOs to:
- Deploy network-layer DDoS mitigation tools
- Work with trusted upstream providers for real-time traffic filtering
- Monitor anomalies via flow telemetry and NetFlow/sFlow exports
- Maintain up-to-date incident response plans and backup infrastructure
Our team supports at-risk organisations with traffic profiling, early warning systems, and real-time detection models that help stop attacks before they cause major outages. Many non-profit organisations use the open-source FastNetMon Community Edition to protect against DDoS.
Final Thoughts
While the arrest marks progress in holding cyberattackers accountable, the full scope and motivation behind these attacks are still being uncovered. Law enforcement’s ability to trace operational artefacts—despite anonymisation techniques—also highlights the value of robust digital forensics and international cooperation in attribution.
We will continue tracking developments in this case as it progresses and share technical insights as new data becomes available.If you’re a media outlet or civil society organisation facing persistent DDoS threats, reach out to us for support and guidance on modern mitigation strategies. Our free and open source Community Edition is available for small-scale networks and non-profits, while FastNetMon Advanced suits larger scale commercial needs. Compare here.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com