World Leaks Just Dumped 8.5 Terabytes From Hungary's Pro-Orbán Media Empire—Including a Note About Contacting Moscow

On May 4, 2026, The Record by Recorded Future confirmed what Hungarian outlets had been carefully hinting at for several days. The cyber extortion crew that calls itself World Leaks had breached Mediaworks Kft, one of the largest media holdings in Hungary, and had dumped roughly 8.5 terabytes of internal files onto its dark web leak site. The earliest victim listing on the World Leaks platform appeared on April 28.

Mediaworks is not a marginal target. The company runs dozens of regional dailies, magazines, and online news properties, and is widely considered the operational center of the press ecosystem aligned with Prime Minister Viktor Orbán. Its newspapers carry the Orbán government's preferred framing on Ukraine, on the European Union, and on the political opposition. The breach delivers something the Hungarian government has spent years trying to keep out of the public record: the editorial conversations behind that framing.

The size of the dump and the fact that several Hungarian journalists have already reviewed and reported on the contents make this the most consequential extortion leak of a media organization in Europe this year.

What Was in the 8.5 Terabytes

Independent Hungarian outlets that have begun reviewing the dump report a mix that goes well beyond standard corporate paperwork. According to reporting from szeged.hu and other regional sites, the trove contains roughly 15 million files including:

• Payroll records for Mediaworks employees across its publication portfolio
• Vendor and advertising contracts, including agreements with state owned enterprises
• Internal financial statements not previously public
• Email archives and editorial communications covering multiple years
• Source contacts and journalist correspondence with confidential informants

The single document drawing the most attention is described as notes from a January 2025 editorial planning meeting. Hungarian outlets reporting on the document say the notes contain a passage suggesting that Mediaworks staff would "contact Moscow for help" with articles framed to discredit Ukrainian President Volodymyr Zelensky. Mediaworks has not authenticated or denied the document. Several outlets that reviewed the file say its formatting is consistent with internal Mediaworks editorial templates from the same period.

Mediaworks Is Threatening the Press

Mediaworks confirmed the incident on May 1, with a statement warning that "a significant amount of illegally obtained data may have come into the possession of unauthorized persons" and that the company had launched an internal investigation. Within days, the company sent legal notices to several Hungarian outlets that had reported on the leaked materials, demanding takedowns and warning that any use of leaked data "is also considered a crime."

Media1, an independent Hungarian outlet, refused. The site published a statement reading: "Despite the threat, we will not comply with the censorship attempt, as in our opinion the request is unfounded." Media1 argued that the editorial decisions of the country's largest pro government media operation are a matter of clear public interest, particularly given Hungary's contested foreign policy stance during the ongoing war in Ukraine.

The broader civil society response has been similar. Press freedom advocates in Hungary, where independent media has been steadily squeezed for over a decade, characterize Mediaworks's takedown demands as an attempt to use breach response procedures to suppress legitimate journalism about its own newsrooms.

Who Is World Leaks

World Leaks emerged in early 2025 as a rebrand of Hunters International, a ransomware affiliate program that had been active since 2023. The rebrand came with a strategic pivot. Where Hunters International had operated as a traditional encrypt and extort model, World Leaks announced that its operators were dropping encryption and focusing exclusively on data theft and public dumping when victims refused to pay.

That model has spread rapidly across the ransomware ecosystem. Everest used a similar approach against Citizens Bank and Frost Bank's vendor. World Leaks itself was previously linked to the leak of LAPD records. The pattern is consistent. Steal data, threaten publication, watch the victim's choice between paying a ransom and seeing internal documents on the open internet.

Mediaworks appears to be World Leaks's first known operation against a Hungarian target. The group did not disclose its initial access vector. Its public posts on the leak site warned only that "the full leak will be published soon, unless a company representative contacts us via the channels provided." The group has now followed through.

Why This Matters Beyond Hungary

Three threads make this incident relevant well outside the Hungarian press dispute.

Source protection collapses when a media company gets breached. Most ransomware victim organizations are companies whose customers expect privacy. A media company is something different. Its internal records contain the contact details of confidential sources, often political dissidents, whistleblowers, or government insiders, who agreed to talk only on the condition that the journalist would protect their identity. When 8.5 terabytes of editorial email gets dumped onto the dark web, those agreements are unilaterally voided.

For sources who corresponded with Mediaworks reporters by email, that is a serious operational threat. Anyone whose name, email address, or phone number appears in the leak is now exposed to anyone who downloads the dump, including foreign intelligence services and rival domestic political operations. The IFJ's 2026 mapping report warned that hostile state actors are now actively cataloging journalist source networks pulled from breaches like this one.

Editorial transparency arrives by extortion, not by reform. Hungary has had no legal mechanism to compel transparency from its dominant pro government media in over a decade. The result is that the public is now learning more about Mediaworks's editorial process from a Russian speaking ransomware crew than from any legitimate institution. That is a depressing comment on press accountability in Europe, but it is also a precedent. Other media empires aligned to specific governments, in Russia, in Turkey, in India, are watching what World Leaks just did and what it has cost Mediaworks.

Legal threats against reporters are becoming standard breach response. Mediaworks's choice to send takedown notices to journalists who report on the leak is part of a growing pattern. BePrime did the same in April, threatening journalists who reported on its breach. The chilling effect is the point. Even when the underlying coverage is legally protected, the cost of mounting a defense is itself a deterrent for smaller outlets.

What Sources and Journalists Should Do Now

For anyone who has corresponded with a Mediaworks publication in recent years, particularly anyone who provided sensitive information under a confidentiality agreement, the practical steps are familiar but worth restating:

• Assume your details are in the dump. Email addresses, phone numbers, and internal source codenames in editorial systems are typically caught up in archives like this. Do not wait for a formal notification before acting.
• Rotate any credentials shared in the past with a Mediaworks contact, especially if you reused them anywhere else.
• Move sensitive future communications off email. Use Signal with disappearing messages, Session, or another end to end encrypted channel that does not store metadata server side.
• Watch for targeted phishing referencing details only someone with access to the leak would know. Operators looking to identify confidential sources will use exactly that kind of cue.

For working journalists, the lesson is harder. The threat model has to assume that the editorial systems used inside any major newsroom can and will eventually be breached. Email tracking pixels in particular are a well documented exfiltration vector that lets a third party correlate which journalist read which message at what time, even before any breach occurs. Blocking those at the inbox layer is one of the few easily deployable controls that does not depend on the rest of the newsroom's hygiene.

The Election Backdrop

The timing of the leak is impossible to separate from Hungarian politics. Viktor Orbán's Fidesz party recently lost the national election to the opposition, ending nearly 14 years of consecutive Fidesz government. Mediaworks's editorial role in that political ecosystem is directly relevant to any post election accounting of the previous administration's relationship with state media.

Whatever the technical motive of the World Leaks operators, the political effect of the dump is to turn over rocks that Hungarian institutions had no power to flip. The contents will be picked through by opposition researchers, by independent journalists, by historians, and by intelligence services for years.

This is not the first time a ransomware crew has unintentionally rewritten the public record of a country's recent politics, and it will not be the last. When Russian ransomware hit Germany's Die Linke, the result was a similar mix of legitimate political accountability and deeply problematic source exposure. The democratic upside is real. The cost to the people whose names and contacts ended up in the dump is also real, and falls overwhelmingly on people who never agreed to be part of the story.